Websites running WordPress hacked to display money-making ads for hackers

Graham Cluley
Graham Cluley
@[email protected]

WordpressAre you one of the millions of companies around the world running a WordPress-driven website?

Many of the most popular sites in the world rely upon the open-source software to serve up their pages of content and provide an easy-to-use CMS for staff.

I love WordPress, but I also know its dangers.

The truth is that security vulnerabilities in WordPress and its 40,000+ third-party plugins are commonly found and, because of the software’s popularity online, criminals are frequently hunting out security holes through which they might squeeze in and gain access.

Sign up to our free newsletter.
Security news, advice, and tips.

Because, if a malicious hacker manages to gain unauthorised access to your site, they may be able to inject malicious code into your webpages which could then infect your customers’ computers, intercept their passwords on login forms, or display revenue-generating ads.

In short – if you have a WordPress-driven website, you best have someone on hand who understands how to secure it and your servers properly from the multiple vulnerabilities, and keep systems properly updated.

This risk has been brought home again this week by security researchers at Sucuri who spotted a spike in the number of WordPress sites hit by a “massive” advertising scam this weekend.

Malicious code

As Sucuri explains, a snippet of highly obfuscated JavaScript code is injected into every section of JavaScript on the site, loading an iFrame which displays an advertisement when surfers visit the website. Each ad contains an affiliate link, helping the perpetrators to earn revenue.

This malware uploads multiple backdoors into various locations on the webserver and frequently updates the injected code. This is why many webmasters are experiencing constant reinfections post-cleanup of their .js files.

The malware tries to infect all accessible .js files. This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination. It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection. In other words, you either need to isolate every site or clean/update/protect all of them at the same time!

According to the firm, the problem is further compounded by system administrators cleaning up the infections by deleting the offending code from the server, but not fixing the underlying security problems which allowed the hackers to gain unauthorised access to the site in the first place. As a result, sites are infected over and over again.

Perhaps the only saving grace is that currently the attack appears to be more focused on earning revenue through advertising affiliate schemes than infecting the computers visiting hacked webpages. But the problem is still serious.

In short, there are a multitude of ways through which the hackers could have gained access to your website and planted their money-making ad code. Examples include, but are not limited to, poor password security, shared environments or a failure to keep WordPress and your plugins up-to-date.

If you can’t find the vulnerability that the attackers have exploited, and fix it, there is every chance that they will be back again – and that’s going to be bad news for your website visitors and your company’s image.

Oh, and by the way, yesterday a new version of the WordPress software was released (version 4.4.2) fixing a couple of security issues. There is no indication that the new version of WordPress will rebuff the current advertising attack, but it still makes sense to update your websites anyway.

Although you don’t need me to tell you to do that, do you? Because hopefully by now you’ve got someone who looks after your website security. Right?

This article originally appeared on the HEAT Security blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.