This campaign takes advantage of known vulnerabilities in WordPress themes and plugins and has affected a vast number of websites throughout the year.
The standard procedure is to contaminate files like jquery.min.
allowing the attacker to redirect website visitors to a destination of their choosing.
The website security company said domains at the end of the redirect chain could be used to load ads, phishing pages, malware, or even trigger another set of redirects.
In some cases, unsuspecting users are taken to a fake redirect landing page that contains a fake CAPTCHA check, and clicking it displays unwanted advertisements that are disguised to look as if they come from the operating system rather than from a browser.
The campaign, a follow-up to another wave detected last month, is believed to have affected 322 websites so far, since May 9.
The set of April attacks, meanwhile, has compromised more than 6,500 websites.
and database files, including legitimate WordPress core files, such as:
Once the website was compromised, the attackers attempted to automatically infect any .js files with jQuery in the names.
They injected code that starts with “/* trackmyposs*/eval(String.fromCharCode…”
However, it was clear that the attackers had taken some steps to evade detection.
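A defensive check for the injection described above, as an added example (not code from the original report): it scans .js files with jQuery in their names for the quoted marker and decodes the character-code payload for review without executing it. The directory layout, function names, and sample payload are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Marker as quoted in the article; whitespace is matched loosely.
MARKER = re.compile(r"/\*\s*trackmyposs\s*\*/\s*eval\s*\(\s*String\.fromCharCode")
# Generic form, in case the comment marker is changed or stripped.
CHARCODE = re.compile(r"eval\s*\(\s*String\.fromCharCode\s*\(([\d\s,]+)\)")

def decode_charcodes(arg_list):
    """Decode '118,97,...' to text for analyst review. Nothing is executed."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", arg_list) if int(n) < 0x110000)

def scan_file(path):
    """Return a finding for one file, or None when neither pattern matches."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    marker, generic = MARKER.search(text), CHARCODE.search(text)
    if not (marker or generic):
        return None
    first = marker or generic
    return {"file": Path(path).name,
            "marker": marker is not None,      # True when the quoted comment is present
            "offset": first.start(),           # where the injected code begins
            "decoded": decode_charcodes(generic.group(1)) if generic else ""}

def scan_tree(root):
    """Scan .js files with 'jquery' in the name, the file set the article names."""
    hits = (scan_file(p) for p in sorted(Path(root).rglob("*.js"))
            if "jquery" in p.name.lower())
    return [h for h in hits if h]

def demo():
    """Build a constructed docroot (one infected file, one clean) and scan it."""
    payload = "window.constructedSample=1;"    # harmless, constructed payload
    codes = ",".join(str(ord(c)) for c in payload)
    lib = "(function(){/* library body placeholder */})();\n"
    with tempfile.TemporaryDirectory() as root:
        js = Path(root, "js")                  # hypothetical layout
        js.mkdir(parents=True)
        (js / "jquery.min.js").write_text(
            f"/* trackmyposs*/eval(String.fromCharCode({codes}));" + lib)
        (js / "jquery-migrate.min.js").write_text(lib)
        (js / "other.js").write_text(f"eval(String.fromCharCode({codes}));")
        return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing `scan_tree` at a real document root reports each matching file with the decoded payload, which can then be compared against a clean copy of the same file.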
A site visitor will simply see the following malware page before reaching the final destination.
This page tricks unsuspecting users into subscribing to push notifications from the malicious site.
If they click on the fake CAPTCHA, they will be signed up to get unwanted ads even when the site is not open, and the ads will appear to come from the operating system, not a browser.