A URL shortener, a fake plug-in and a malicious popuplink.js file are the three key ingredients found in a WordPress website infection campaign that since July has been redirecting victimised site visitors to various scam and ad sites.
Sucuri, whose research team observed the scam, reveals in an 17 August blog post that up to 3,000 sites contained the popuplink.js malware at one point – a number based on findings gleaned from the digital marketing and affiliate marketing research tool PublicWWW.
The popuplink.js code itself is designed to hook the "onclick" event whenever a new visitor clicks on any link element on an infected web page, according to senior malware researcher Denis Sinegubko, who penned the post. When this occurs, either a new tab is opened with the actual link that was clicked, or the original tab obeys the malicious script's command and loads a URL contained within its code.
This commences a chain of redirects that involve three shortened links created by the tiny.cc URL shortener. Ultimately, the website visitor winds up viewing a sketchy page containing ads or a flat-out scam such as a fake tech support service.
Sucuri says that the attack is a variation of an infection technique its researchers discovered last February, which involved the malicious plug-ins "injectbody" and "injectscr" and resulted in the creation of annoying pop-ups and pop-under ads. The idea, explains Sinegubko, is to "inject the malicious code and make the plug-in invisible in the WordPress admin interface."
In this more recent campaign, certain website infections have used a plug-in called "index" with a corresponding variable named "wp_cfg_index" while others have employed a plug-in named "wp_update" with a variable called "wp_cfg_wp_update". The blog post further notes that infected pages typically contain two scripts within the <head> portion of their pages, one of which contains the name of the fake plug-in, and another that includes the name of the variable.
The malicious plug-ins are especially devilish in that their code comments are designed to look legitimate, and they also peek at their own user configuration settings to determine if the current visitor is a site admin – in which case, they will hide their activity.
To combat the threat, Sucuri recommended that site admins remove fake plug-ins directly from the disk, delete unknown users with admin privileges, and change their passwords.