
Beware of compromised WordPress sites redirecting users to tech support scam pages

Scammers infect WordPress sites to redirect victims

Tech support scammers strike again, and this time they have found a way to compromise legitimate WordPress websites. In September 2018, experts from Sucuri reported that hackers are inserting malicious code into .js and .php files as well as into WordPress databases. The malicious code redirects site visitors to scam pages that display fraudulent pop-ups with scary messages, usually claiming that something is wrong with the victim’s computer.

Jérôme Segura, a well-known malware intelligence analyst, says that compromised websites contained an encoded piece of code, typically placed in the HTML header. Alternatively, the injected snippet points to a JavaScript file hosted externally.

In several scenarios, the script lies in the “wp_posts” table of the WordPress database. Interestingly, there is no code obfuscation. Representatives from Sucuri Labs say that the location of the malware varies, and that common variants live in .js files with “jquery” in their names. Experts also add that scammers can compromise WordPress websites through outdated plugins, a common and probably the main security flaw in WordPress sites. Some of the targets they named were very old tagDiv themes (NewsMag, NewsPaper and others) and an unpatched Smart Google Code Inserter plugin.
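As an added illustration (not code from the article or from Sucuri), the checker below scans post_content or header HTML for script tags loaded from hosts outside an allow-list and for inline scripts that decode or eval long encoded blobs, and separately flags a .js file body (for example one named after jquery) that combines an encoded blob with a decoder call. The allow-list and all sample content are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from (constructed).
ALLOWED_HOSTS = {"cdnjs.cloudflare.com"}

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
# Inline <script> tags only: exclude tags that carry a src attribute.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\ssrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)
# A long run of base64 characters or a long \xNN sequence usually marks an encoded payload.
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/=]{120,}|(?:\\x[0-9a-f]{2}){20,}", re.I)
DECODER_CALL = re.compile(r"\b(eval|unescape|atob|String\.fromCharCode|document\.write)\s*\(", re.I)


def _host(src):
    """Hostname of a script src; protocol-relative //host/x.js is normalised, local paths give None."""
    if src.startswith("//"):
        src = "https:" + src
    return urlparse(src).hostname


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for a wp_posts row or a header template."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = _host(src)
        if host and host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in INLINE_SCRIPT.findall(html):
        if DECODER_CALL.search(body) and ENCODED_BLOB.search(body):
            findings.append(("inline-encoded-script", body[:40]))
    return findings


def scan_js(text):
    """True when a .js file body carries both a decoder call and an encoded blob."""
    return bool(DECODER_CALL.search(text) and ENCODED_BLOB.search(text))


# Constructed samples, not indicators taken from any real incident.
CLEAN_POST = '<p>Hello</p><script src="/wp-includes/js/jquery/jquery.js"></script>'
INJECTED_POST = ('<p>Hello</p><script src="//cdn.example-scam.test/jquery.min.js"></script>'
                 '<script>document.write(unescape("' + "A" * 130 + '"))</script>')
INJECTED_JS = 'var _0x=["' + "Zm9v" * 40 + '"];eval(atob(_0x[0]));'

if __name__ == "__main__":
    print(scan_html(CLEAN_POST))      # []
    print(scan_html(INJECTED_POST))   # external host plus inline encoded script
    print(scan_js(INJECTED_JS))       # True
```

Run the same functions over every row of wp_posts and every file under wp-content whose name contains “jquery” to triage a suspect site; a clean site should produce no findings.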

Fraudsters come up with new ideas since Google started banning fake tech support ads

The new attack wave rolled out soon after Google’s announcement to strictly restrict advertisements by third-party tech support providers. The tech giant took such measures to lower the number of fraudsters in the tech support market.

Therefore, tech support scammers now target legitimate websites and try to advertise by illegally injecting code into reputable sites. They may also attempt to exploit legitimate advertising platforms to present themselves as trustworthy service providers.

The attackers promote traditional fake support pages urging the victim to call for support immediately. Usually, the deceptive pop-up includes lines such as the following:

Windows Warning Alert
Malicious Spyware/Riskware Detected
Error# 0x80072ee7

Please call us within the next 5 minutes…

Additionally, experts point out that scammers have taken aim not only at website users but also at advertisers. According to Jérôme Segura’s report to Bleeping Computer, scammers are “pushing ads for some geolocations as well as user agents.” He also observed malicious campaigns that reroute victims to sites injecting the CoinHive JavaScript miner. These sites then use the victim’s computer’s resources to mine Monero cryptocurrency until the malicious page is closed.
