Categories
Security

Javascript Injection Creates Rogue WordPress Admin User

Earlier this year, we faced a growing volume of infections related to a vulnerability in outdated versions of the Newspaper and Newsmag themes. The infection type was always the same: malicious JavaScript designed to display unauthorized pop-ups or completely redirect visitors to spammy websites, which the hackers then monetized through advertisement views.

This month we noticed a very interesting variant of this infection. While still related to the same vulnerability on the same outdated versions of Newspaper and Newsmag themes, the malware has been designed to both inject malvertising and take over a WordPress website completely.

Continue reading Javascript Injection Creates Rogue WordPress Admin User at Sucuri Blog.

Unwanted “Shorte St” Ads in Unpatched Newspaper Theme

Unwanted ads are one of the most common problems that site owners ask us to solve. Recently, we’ve noticed quite a few requests from site owners to remove intrusive “shorte st” ads that they never installed on their sites themselves. My colleague Denis Sinegubko of UnmaskParasites helped to investigate this case.

Shorte[.]st is a service that hijacks links, forcing visitors to view a page containing ads before they can visit the link they clicked on.

Continue reading Unwanted “Shorte St” Ads in Unpatched Newspaper Theme at Sucuri Blog.

WordPress Security – Fake TrafficAnalytics Website Infection

Several months ago, our research team identified a fake analytics infection, known as RealStatistics. The malicious JavaScript injection looks a lot like tracking code for a legitimate analytics service. RealStatistics even set up fake analytics websites designed to trick webmasters who took a few steps to investigate the unfamiliar script.

Recently, a new variation of this type of infection has emerged. The new campaign uses trafficanalytics[.]online as the source for the injected script.

Continue reading WordPress Security – Fake TrafficAnalytics Website Infection at Sucuri Blog.

Cloned Spam Sites in Subdirectories

In a recent post, we covered how attackers were abusing server resources to create WordPress sites in subdirectories and distribute spam. By adding a complete WordPress CMS installation into a directory and using the victim’s database structure, attackers were able to inject ads and promote their products – a very bold move.

This time around, attackers used a different technique and structure to accomplish the same task.

Infection Patterns

Instead of adding WordPress subsites and using the local database, they decided to fetch all of the information from external sources under their control.

Continue reading Cloned Spam Sites in Subdirectories at Sucuri Blog.