Cybersecurity researchers at Sucuri have published research on how WordPress vulnerabilities can jeopardize a site's security, noting that already-known flaws are usually what attackers use to compromise WordPress sites with multiple infections.
The researchers noted that outdated websites are highly likely to be exploited by multiple attackers, or by the same attacker through multiple channels. Sucuri's researchers recently identified the latter scenario: a database injection containing two different pieces of malware, embedded together, that served two entirely different goals. Both were found scattered across the WordPress database.
The first injection redirected users to a spammy sports website, whereas the second one boosted the authority of a spammy casino website in search engines. As per Sucuri, nearly 270 websites were impacted by the first injection, and the second impacted 82 websites.
The first injection performs the redirect. The browser is instructed to wait for 60 seconds, after which it is redirected to the domain “hxxp://redirect4xyz.” Once that first redirect completes, the user is redirected again and lands on the spam domain hxxp://pontiarmadacom. This spam site hosts iframes that distribute malware to unsuspecting users.
The second injection’s domain, “hxxp://nomortogelkuxyz,” is a gambling casino site that uses a common technique to boost its authority in search engines. The attacker used a black hat SEO tactic, placing an invisible link throughout the compromised sites to improve the domain's authority and make it appear genuine.
It is worth noting that, according to Sucuri’s blog post, both injections use the ‘.xyz’ domain extension, which attackers commonly use in such campaigns. These domains are available at cheaper rates for the first year, which explains why they are used so extensively.
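The two injection patterns described above (a timed JavaScript redirect and an invisible anchor planted for SEO) can be picked up by scanning the text columns of the WordPress database. The scanner below is an added example written for this page; it is not Sucuri's tool or code. It assumes rows have already been exported from `wp_posts.post_content` and `wp_options.option_value`, and the sample rows and every domain in them are constructed placeholders, not the indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample rows standing in for (table, row id, text column).
# The domains are placeholders invented for this example; the site's own
# hostname is assumed to be example.org so same-site links can be told apart.
SAMPLE_ROWS = [
    ("wp_posts", 101, '<p>Welcome to the shop. <a href="https://example.org/about">About us</a></p>'),
    ("wp_options", 7, '<script>setTimeout(function(){window.location.href="http://redirect-placeholder.xyz/go";},60000);</script>'),
    ("wp_posts", 102, '<p>Latest news.</p><div style="display:none"><a href="http://casino-placeholder.xyz">best casino</a></div>'),
    ("wp_posts", 103, '<meta http-equiv="refresh" content="0;url=https://example.org/new-page">'),
]

# TLDs the write-up singles out as cheap and common in these campaigns.
SUSPECT_TLDS = {"xyz"}

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# setTimeout(...) whose body assigns/replaces location with an absolute URL.
DELAYED_REDIRECT_RE = re.compile(
    r"setTimeout\s*\(.*?(?:window\.)?location(?:\.href|\.replace)?\s*[=(]\s*[\"']?(https?://[^\"'\s)]+)",
    re.I | re.S)
# Delay argument of the same setTimeout call, in milliseconds.
DELAY_RE = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.I | re.S)
META_REFRESH_RE = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*content=[\"']?\s*(\d+)\s*;\s*url=([^\"'>\s]+)", re.I)
# Any element whose inline style hides it, together with its inner HTML.
HIDDEN_BLOCK_RE = re.compile(
    r"<(\w+)[^>]*style=[\"'][^\"']*?(?:display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|opacity\s*:\s*0)[^\"']*[\"'][^>]*>.*?</\1\s*>",
    re.I | re.S)
HREF_RE = re.compile(r"href=[\"']?(https?://[^\"'>\s]+)", re.I)


@dataclass
class Finding:
    table: str
    row_id: int
    kind: str
    url: str
    note: str


def hostname(url):
    m = URL_RE.match(url)
    return m.group(1).lower() if m else ""


def scan_row(table, row_id, content, site_host="example.org"):
    """Return findings for one text cell: timed redirects, meta refreshes, hidden links."""
    findings = []
    m = DELAYED_REDIRECT_RE.search(content)
    if m:
        d = DELAY_RE.search(content)
        delay = int(d.group(1)) // 1000 if d else None
        findings.append(Finding(table, row_id, "delayed_redirect", m.group(1),
                                f"setTimeout redirect after {delay}s"))
    for m in META_REFRESH_RE.finditer(content):
        findings.append(Finding(table, row_id, "meta_refresh", m.group(2),
                                f"meta refresh after {m.group(1)}s"))
    for block in HIDDEN_BLOCK_RE.finditer(content):
        for h in HREF_RE.finditer(block.group(0)):
            findings.append(Finding(table, row_id, "hidden_link", h.group(1),
                                    "link inside hidden element"))
    # Enrich each finding: off-site vs same-site target, and the cheap-TLD signal.
    for f in findings:
        host = hostname(f.url)
        f.note += "; same-site" if host == site_host else "; off-site"
        if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
            f.note += "; suspicious TLD"
    return findings


def scan_rows(rows, site_host="example.org"):
    return [f for table, row_id, content in rows
            for f in scan_row(table, row_id, content, site_host)]


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f.table}#{f.row_id} {f.kind}: {f.url} ({f.note})")
```

Same-site meta refreshes are reported but marked as such, since a legitimate page move looks identical at the database level; the off-site plus suspicious-TLD combination is what mirrors the behaviour described in the write-up.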
However, the presence of two different infections on the same website shows how attackers can disseminate various malware on the same site and how different bad actors can exploit a single flaw to infect the site.
Threat actors can easily monetize the same outdated sites with different malware, gaining full access in the process. The root problem is vulnerable WordPress plugins and themes, which let multiple threat actors exploit the site and distribute malware.
To mitigate the threat, keep your WordPress core, plugins and themes up to date by enabling auto-updates so that vulnerabilities are patched on time. A web application firewall can also block attacks that exploit such vulnerabilities, adding another layer of protection for a vulnerable site.
Additionally, keep the number of admin users low and set strong passwords for all accounts. Lastly, enable two-factor authentication (2FA) to protect the WordPress admin accounts from unauthorized access.