Specialists of companies Sucuri and Malwarebytes have detected a massive compromise of sites running WordPress. Thousands of hacked resources are redirecting users to fake tech support sites, some of which use the recently discovered “evil cursor” technique. According to researchers, the malicious campaign has been active since the beginning of September 2018.
Experts write that the purpose of the compromise was the same in all cases – to redirect the user to a malicious site, but the attackers used a different approach to hacking different sites. Apparently, the criminals exploited not vulnerabilities in the CMS itself, but bugs in various WordPress plugins and themes.
Malwarebytes specialist Jérôme Segura writes that the patterns of this system look very similar to the well-known of a traffic distribution system, which has already been repeatedly seen in various malicious campaigns. Moreover, some users are also shown ads (depending on their location and user agent data) or redirected to pages with a built-in “browser” CoinHive miner. Fake support site In addition, the researchers note that some of the scam sites involved in this campaign use the recently discovered technique evil cursor ”, which relies on a bug in the Chromium code and blocks users on a malicious page, literally preventing them from closing the problematic tab.