WordPress Popunder Malware Redirects to Scam Sites

Last Updated on 04/01/2022 by OTC

Over the last year we’ve seen an ongoing malware infection which redirects website visitors to scam sites. So far this year our monitoring has detected over 3,000 websites infected with this injection, and over 17,000 in total since we first detected it in March of 2021.

The reported behaviour is always the same: After a few seconds of loading, the website will redirect to a dodgy scam site.

Checking the Payload

The malware is always injected into the active theme’s footer.php file, and contains obfuscated JavaScript after a long series of empty lines, no doubt trying to stay hidden:

Once we de-obfuscate this we see the following excerpt of the malicious code:

The attackers are frequently adjusting the injection ever so slightly, but we notice the same domains over and over again initiating the redirect:

amads[.]fun
techmarket[.]ink
uads[.]shop
5[.]188[.]62[.]157
uads[.]live
like-a-dating[.]top
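
One way to check for the pattern described above, as an added example that is not from the original article: it flags a theme footer.php in which script content follows a long run of empty lines, and matches the listed domains in any text where they appear in the clear. The 20-line threshold, the script-token heuristic and the sample footer are assumptions made for this example.

```python
import re
import sys
from pathlib import Path

# Indicators exactly as listed in the article (defanged); refanged only in memory.
DEFANGED = ["amads[.]fun", "techmarket[.]ink", "uads[.]shop",
            "5[.]188[.]62[.]157", "uads[.]live", "like-a-dating[.]top"]
IOC_RE = re.compile("|".join(r"(?<![\w-])" + re.escape(d.replace("[.]", ".")) + r"(?![\w-])"
                             for d in DEFANGED), re.I)
# Assumption: tokens that commonly open inline or obfuscated JavaScript.
SCRIPT_RE = re.compile(r"<script|eval\s*\(|fromCharCode|atob\s*\(", re.I)

def scan_text(text, min_blank=20):
    """Return (kind, line_number, detail) findings for one file's contents."""
    findings, blank = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank += 1
            continue
        # Script content pushed far below the visible markup by empty lines.
        if blank >= min_blank and SCRIPT_RE.search(line):
            findings.append(("blank-run-before-script", no, blank))
        blank = 0
        # Plain-text domains only show up once the payload is de-obfuscated.
        for m in IOC_RE.finditer(line):
            findings.append(("known-domain", no, m.group(0).lower()))
    return findings

def scan_site(root, min_blank=20):
    """Scan every installed theme's footer.php under a WordPress root."""
    hits = {}
    for f in sorted(Path(root).glob("wp-content/themes/*/footer.php")):
        found = scan_text(f.read_text(errors="replace"), min_blank)
        if found:
            hits[str(f)] = found
    return hits

# Constructed sample: a normal footer, 40 empty lines, then an inline script.
SAMPLE = ("<footer>\n<?php wp_footer(); ?>\n</footer>\n" + "\n" * 40 +
          "<script>var _0x=['...'];eval(_0x[0]);</script>\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, found in scan_site(sys.argv[1]).items():
            print(path, found)
    else:
        print(scan_text(SAMPLE))
```

Run it with the WordPress root as the only argument; a hit is a prompt to diff footer.php against a clean copy of the theme.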

Source of Infection?

Continue reading WordPress Popunder Malware Redirects to Scam Sites at Sucuri Blog.
