Tech Support Scam Affects Thousands of Compromised WordPress Websites

Thousands of WordPress websites have been compromised and injected with JavaScript code that redirects users to tech-support scam pages.

Security researchers discovered that the attacks began in early September and exploited vulnerabilities in outdated plugins.

Jérôme Segura of Malwarebytes says that on the client side he observed a large encoded blurb, typically in the HTML header, or one line of code pointing to external JavaScript code.

The code in the HTML header would deobfuscate to something like this:

Some website owners also spotted the compromised ‘wp_posts’ table, as did Sucuri in their analysis after noticing an infection surge; they say that sometimes the threat actor does not bother to hide the link to the malicious JavaScript.

Crims are scrambling to get back their tech-support biz

This activity may be the result of the recent decision from Google to ban tech-support ads from unverified operators. The new policy will roll out over the course of a few months, and it was announced on Friday, August 31, awfully close to the “early September” period when Malwarebytes pinned the beginning of the attacks.

Crooks would mimic the practices of legitimate businesses and use a legitimate advertising platform to promote their tech-support services. This would paint them as trustworthy in the eyes of the potential victim.

The recently observed attacks follow the classic recipe to convince users to call for tech support: a redirect to a page showing a warning about viruses running rampant on the computer, and a convenient toll-free support phone number.

Tech-support scams are not the only game

Segura said that redirects to tech-support scam pages are not the only activity he’s seen in these attacks.

He said that “they are also pushing ads for some geolocations and user agents,” a fraudulent activity that scams the advertiser, not the user visiting the ads, who is left with the annoyance of being diverted from the content they want to see.

Segura also says that he’s seen campaigns designed to redirect to websites that inject the CoinHive JavaScript miner, allowing the attacker to spend the resources of users’ computers to mint Monero cryptocurrency for as long as the compromised page is open.

The security researcher recommends that website owners affected by these attacks be thorough in cleaning up, checking the pages as well as the databases. They should also identify the vector of the compromise, “which often times is an outdated WordPress installation or plugin.”
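The database check Segura recommends can be partly automated. The script below is an added example, not code from Malwarebytes, Sucuri or the article: it takes rows exported from the `wp_posts` table (here a constructed sample with a placeholder domain) and flags the two injection patterns the article describes, a `<script>` loading from a host other than the site’s own and an inline script that decodes a large encoded blob. The site host, the allowed-host list and the sample rows are assumptions.

```python
import re
from urllib.parse import urlparse

# Heuristics taken from the article: an injected <script> either points to an
# external JavaScript file or carries a large encoded blob decoded at run time.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
DECODER_RE = re.compile(r"\b(eval|unescape|atob|String\.fromCharCode|document\.write)\s*\(")
BLOB_RE = re.compile(r"[A-Za-z0-9+/%\\]{200,}")  # long run of encoded-looking characters

def script_host(src, site_host):
    """Host a script src loads from; relative paths count as the site itself."""
    if src.startswith(("http://", "https://", "//")):
        return (urlparse(src if "://" in src else "https:" + src).hostname or "").lower()
    return site_host.lower()

def find_suspicious_scripts(html, site_host, allowed_hosts=()):
    """Return (reason, snippet) pairs for <script> tags that need a human look."""
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            if script_host(src.group(1), site_host) not in trusted:
                findings.append(("external script source", src.group(1)))
        elif DECODER_RE.search(body) and BLOB_RE.search(body):
            findings.append(("obfuscated inline script", body.strip()[:60]))
    return findings

def scan_posts(rows, site_host, allowed_hosts=()):
    """rows: (ID, post_content) tuples as pulled from wp_posts; returns {ID: findings}."""
    report = {}
    for post_id, content in rows:
        hits = find_suspicious_scripts(content, site_host, allowed_hosts)
        if hits:
            report[post_id] = hits
    return report

# Constructed sample rows standing in for a wp_posts export (not real injections).
ENCODED = "".join("%%%02x" % ord(c) for c in "console.log('sample')" * 12)
SAMPLE_ROWS = [
    (1, '<p>Hello</p><script src="/wp-includes/js/jquery.js"></script>'),
    (2, '<p>Post</p><script type="text/javascript" src="//cdn.example-placeholder.net/s.js"></script>'),
    (3, '<p>Post</p><script>eval(unescape("' + ENCODED + '"));</script>'),
]

if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_ROWS, "example.com").items():
        for reason, snippet in hits:
            print(f"post {post_id}: {reason}: {snippet}")
```

Legitimate CDNs the site uses go in `allowed_hosts`; anything else flagged should be compared against a clean backup before it is removed, and the same check is worth running over theme and plugin files on disk, since the header injection lives there rather than in the database.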

He added that the number of compromised WordPress websites increased in the last few days.

Credit: BleepingComputer


Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he has a passion for covering the latest happenings in the cybersecurity world, such as malware, breaches, vulnerabilities, exploits, white papers, hacking news bytes, the Dark Web, hacking tutorials and more.
