Database Malware Strikes Hundreds of Vulnerable WordPress Sites

The database injection found on the affected WordPress websites combines two different pieces of malware, planted together but serving two entirely different goals.

The first injection redirects visitors to a spammy sports website; the second boosts the search-engine authority of a spammy casino website.

Researchers at Sucuri have published findings on how WordPress vulnerabilities put a site at risk, and in particular on how already-disclosed flaws are routinely used to compromise WordPress sites with more than one infection at a time.

The researchers noted that an outdated website is likely to be exploited by several attackers independently, or by the same attacker through several channels. The latter scenario is what Sucuri's team recently identified: a database injection in which two different pieces of malware, each with its own goal, sit side by side. Both payloads were found scattered across the WordPress database rather than in files on disk.

The redirect injection sends visitors to a spammy sports website, while the second injection exists only to raise the search-engine authority of a spammy casino website. According to Sucuri, roughly 270 websites were affected by the first injection and 82 by the second.

One of the compromised WordPress websites (Image credit: Sucuri)

The first injection handles the redirect. The injected code makes the browser wait 60 seconds and then sends it to the domain "hxxp://redirect4xyz". Once that first hop completes, the visitor is redirected a second time and lands on the spam domain "hxxp://pontiarmadacom". That site carries iframes that serve malware to unsuspecting visitors.

The second injection points to "hxxp://nomortogelkuxyz", an online gambling site, and relies on a common black-hat SEO technique: an invisible link to the casino domain was planted throughout the compromised sites, so that search engines count those sites as backlinks, raise the casino domain's authority and treat it as a legitimate result.

It is worth noting that, according to Sucuri's blog post, both injections use the ".xyz" domain extension, which attackers commonly favour in such campaigns. These domains are cheap for the first year of registration, which explains why the extension is used so extensively.
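The two injection types above (a delayed redirect and a hidden off-site link) and the ".xyz" observation translate into a simple triage scan over database content. The following script is an added example, not code from Sucuri or from the article; it runs offline over a handful of constructed rows that imitate `wp_posts.post_content` and `wp_options.option_value`, and the domains, row IDs and the `SUSPECT_TLDS` list are placeholders chosen for the example, not the campaign's real indicators.

```python
"""Scan WordPress database rows for the two injection types described above:
a delayed redirect (JavaScript setTimeout or <meta refresh>) and a hidden
off-site link planted for black-hat SEO. Added example; the rows below are
constructed, not data from Sucuri's report."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes a link invisible to visitors but not to crawlers.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|font-size\s*:\s*0|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# setTimeout(<callback that touches window.location>, <milliseconds>)
JS_REDIRECT = re.compile(
    r"setTimeout\s*\(.{0,400}?location.{0,400}?,\s*(\d+)\s*\)", re.I | re.S)
# <meta http-equiv="refresh" content="<seconds>;url=...">
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
    r'content\s*=\s*["\'](\d+)\s*;\s*url=([^"\'>]+)', re.I)
# The article names only .xyz; extending this set is an assumption for your site.
SUSPECT_TLDS = {"xyz"}
VOID_TAGS = {"br", "img", "meta", "input", "hr", "link", "source"}


class LinkExtractor(HTMLParser):
    """Collects <a href> targets and whether each sits inside a hidden element."""

    def __init__(self):
        super().__init__()
        self._hidden_stack = []   # one bool per currently open element
        self.links = []           # (href, inside_hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        inside_hidden = hidden or any(self._hidden_stack)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], inside_hidden))
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()


def _is_external(host, site_host):
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def scan_row(site_host, table, row_id, content):
    """Return a list of findings for one post_content / option_value cell."""
    findings = []
    for m in JS_REDIRECT.finditer(content):
        findings.append({"kind": "delayed_js_redirect", "table": table,
                         "id": row_id, "delay_s": int(m.group(1)) // 1000})
    for m in META_REFRESH.finditer(content):
        findings.append({"kind": "meta_refresh_redirect", "table": table, "id": row_id,
                         "delay_s": int(m.group(1)),
                         "host": urlparse(m.group(2)).hostname or ""})
    parser = LinkExtractor()
    parser.feed(content)
    for href, hidden in parser.links:
        host = urlparse(href).hostname or ""
        if not _is_external(host, site_host):
            continue  # same-site links are never flagged
        if hidden:
            findings.append({"kind": "hidden_external_link", "table": table,
                             "id": row_id, "host": host})
        elif host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            findings.append({"kind": "suspicious_tld_link", "table": table,
                             "id": row_id, "host": host})
    return findings


def scan_rows(site_host, rows):
    """Scan every row; in practice feed it wp_posts.post_content and wp_options.option_value."""
    findings = []
    for row in rows:
        findings.extend(scan_row(site_host, row["table"], row["id"], row["content"]))
    return findings


# Constructed sample rows. Domains are placeholders, not the campaign's real ones.
SAMPLE_ROWS = [
    {"table": "wp_posts", "id": 11,
     "content": '<p>Opening hours and <a href="https://example.org/contact">contact</a>.</p>'},
    {"table": "wp_posts", "id": 12,
     "content": '<p>Latest news.</p><script>setTimeout(function(){'
                'window.location="http://spam-redirect.xyz/";},60000);</script>'},
    {"table": "wp_posts", "id": 13,
     "content": '<meta http-equiv="refresh" content="60;url=http://spam-redirect.xyz/">'},
    {"table": "wp_options", "id": 14,
     "content": '<div style="position:absolute;left:-9999px">'
                '<a href="http://spam-casino.xyz/">casino online</a></div>'},
    {"table": "wp_posts", "id": 15,
     "content": '<p>Partners: <a href="http://spam-casino.xyz/">play now</a></p>'},
]

if __name__ == "__main__":
    for finding in scan_rows("example.org", SAMPLE_ROWS):
        print(finding)
```

Against a real site you would export the two tables (for example with `wp db export` or a plain `mysqldump`), feed each cell through `scan_rows`, and review every hit by hand: a hidden off-site link is almost always an injection, while a single `.xyz` link in an otherwise clean post may be legitimate, so the TLD heuristic is a prompt for review rather than a verdict.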

The presence of two unrelated infections on the same website shows both how a single attacker can plant several kinds of malware on one site and how different threat actors can exploit the same flaw to infect it independently.

Threat actors can monetize the same outdated site in several ways at once, each with its own malware. The root cause is vulnerable WordPress plugins and themes, which leave the door open for multiple attackers to exploit the site and distribute their payloads.

To mitigate the threat, keep WordPress core, plugins and themes up to date, enabling auto-updates where possible so that vulnerabilities are patched promptly. A web application firewall can block exploitation attempts against known vulnerabilities and adds another layer of protection for a site that cannot be patched immediately, though it is a stopgap rather than a substitute for patching.

Additionally, keep the number of administrator accounts to a minimum and use strong, unique passwords for every account. Finally, enable two-factor authentication (2FA) to protect WordPress admin accounts from unauthorized access.
