In December 2017, Sucuri analysts warned about a malicious campaign targeting poorly protected and long-neglected WordPress sites. As a reminder, experts discovered at the time that attackers were uploading scripts to hacked sites that worked like a keylogger and stole all the data users entered into various forms. The attackers also uploaded the Coinhive cryptocurrency miner to the infected sites. The campaign is believed to have been active since at least April 2017, and more than 5,500 sites were affected.
Now, Sucuri specialists have published a new report, according to which the attackers have still not stopped their operation. The criminals still compromise websites through vulnerable themes or plugins, and also exploit bugs in older versions of WordPress, and then inject code into the admin area that loads a keylogger hosted on a third-party domain. On the front end, the hackers place the Coinhive browser miner, which uses the computers of visitors to such sites to mine the Monero cryptocurrency.
Whereas the criminals previously hosted their malware on the cloudflare.solutions domain, cdjs.online, cdns.ws and msdns.online have now been added to the list of domains. According to PublicWWW, scripts from these domains are loaded by more than 2,000 sites. However, not all sites are indexed by PublicWWW, so the researchers believe that the number of affected resources is in fact much larger.
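A site owner can check rendered pages or theme files for script tags that load from the domains named above. The following Python scanner is an added example, not code from Sucuri's report; the sample markup and the script paths in it are constructed.

```python
import re
from urllib.parse import urlsplit

# Domains named in the article as hosting the injected scripts.
IOC_DOMAINS = {"cloudflare.solutions", "cdjs.online", "cdns.ws", "msdns.online"}

# src on a <script> tag: double-quoted, single-quoted or unquoted value.
SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)

def script_hosts(html):
    """Yield (url, host) for every external <script src> in the markup."""
    for m in SCRIPT_SRC.finditer(html):
        url = next(g for g in m.groups() if g is not None).strip()
        if url.startswith("//"):          # protocol-relative URL
            url = "https:" + url
        try:
            host = (urlsplit(url).hostname or "").rstrip(".").lower()
        except ValueError:                # malformed URL, nothing to compare
            continue
        if host:                          # relative paths have no host
            yield url, host

def is_ioc(host):
    """True for a listed domain or any subdomain of one (not look-alikes)."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def find_injected_scripts(html):
    """Return the script URLs in html that point at a listed domain."""
    return [url for url, host in script_hosts(html) if is_ioc(host)]

# Constructed sample markup; the paths are placeholders, not real file names.
SAMPLE = """
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script type='text/javascript' src='https://cdns.ws/constructed/path.js'></script>
<script src=//static.msdns.online/constructed.js async></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/x/x.js"></script>
<script src="https://notcdns.ws/constructed.js"></script>
"""

if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE):
        print("suspicious script:", hit)
```

The scanner only sees plain `<script src>` tags, so a clean result does not rule out a loader that builds the URL at runtime.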