Researchers found where the attacks came from, identifying various IP addresses linked to web hosting providers; once the issue had been highlighted, most of the IPs involved ceased activity, leaving just one to continue.
"The IP address in question is 220.127.116.11, a Rackspace server currently hosting some presumably compromised websites. We have reached out to Rackspace to inform them of this activity, in hopes that they will take action in preventing further attacks from their network. We have not yet heard back," said researchers.
The attacks have been targeting several known vulnerabilities in the following plugins:
Bold Page Builder
Live Chat with Facebook Messenger
Yuzo Related Posts
Visual CSS Style Editor
WP Live Chat Support
All former NicDark plugins (nd-booking, nd-travel, nd-learning, et al.)
The initial research into this campaign identified the injection of scripts which triggered malicious redirects or unwanted popups in the browsers of a victim site’s visitors.
"Since that time, the campaign has added an additional script which attempts to install a backdoor into the target site by exploiting an administrator’s session," said researchers.
Researchers said that attacks are still ongoing.
"As always, updating the plugins and themes on your WordPress site is an excellent layer of defense against campaigns like these. Check your site for needed updates frequently to ensure you’re receiving the latest patches as they’re released," said researchers.
Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that attacks are moving from the server side to the client side, in this case attempting to hijack the context of a privileged user.
"Magecart uses similar tactics to virtually skim credit card data, although not through WordPress plugins but through infection of third-party libraries. The primary objective in this case seems to be compromising the WordPress websites for further abuse; in the case of Magecart it is clearly credit-card information they are after, but one cannot exclude the use of similar tactics to extract information from websites; such attacks are insidious and hard to detect," he said.
Fabian Libeau, VP EMEA at RiskIQ, told SC Media UK that to stop malvertising from targeting individuals, everyone involved in the ad delivery chain must take a ‘one for all’ approach and unite to prevent its spread.
"Publishers, demand-side platforms and brands should all consider what they are doing to prevent malicious digital ads. If the answer is not a lot, then they should look to incorporate advertising and ad technology into their cyber-security programme. This will identify and remove malicious malvertisement hosts and advertisers from a network or publisher website, while minimising the threat to end-users," he said.