Thousands of WordPress sites hacked, redirected to tech support scams Watch Now

Thousands of WordPress sites have been hacked and compromised with malicious code this month, according to security researchers at Sucuri and Malwarebytes.

All compromises seem to follow a similar pattern --to load malicious code from a known threat actor-- although the entry vector for all these incidents appears to be different.

Researchers believe intruders are gaining access to these sites not by exploiting flaws in the WordPress CMS itself, but vulnerabilities in outdated themes and plugins.

Also: Access to over 3,000 backdoored sites sold on Russian hacking forum

When they gain access to a site, they plant a backdoor for future access and make modifications to the site's code.

In most cases, they modify PHP or JavaScript files to load malicious code, although some users have reported seeing modifications made to database tables as well.

Malwarebytes security researcher Jérôme Segura said this malicious code filters users visiting the compromised sites and redirects some to tech support scams.

CNET: How to avoid tech support scams

He says some of the traffic patterns seen during the redirection process match the patterns of a well-known traffic distribution system used by several malware distribution campaigns.

Segura also said that some of tech support scams that users are landing on are using the "evil cursor" Chrome bug to prevent users from closing the malicious site's tab, a trick that the researcher first spotted last week.

TechRepublic: Why that email from your boss could be a scam waiting to happen

This WordPress site hijacking campaign appears to have started this month, according to Sucuri, and has intensified in recent days, according to Segura.

Googling just one of the pieces of the malicious JavaScript code added to the hacked WordPress sites reveals just a small portion of the total number of hacked sites. In this case, this string search yielded over 2,500 results, including a corporate site belonging to Expedia Group, the parent company behind the Expedia portal.

Last week, ZDNet revealed that attackers had been scanning the Internet in an attempt to exploit a recent vulnerability in a popular WordPress plugin.

While Sucuri did not find confirm that this vulnerability was now being used in this recent wave of site hacks, the company did confirm our initial report, based on WordFence's telemetry.

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

Five computer security questions you must be able to answer right now

If you can't answer these basic questions, your security could be at risk.

Critical infrastructure will have to operate if there's malware on it or not

Retired US Air Force cyber-security expert shares his thoughts on the future of critical infrastructure security.

Ordinary Wi-Fi devices can be used to detect suspicious luggage, bombs, weapons

Researchers turn ordinary WiFi devices in rudimentary scanners that can identify potentially dangerous objects hidden inside bags or luggage.

Related stories: