Resources infected in this way are then used to redirect users to fraudulent pages and various malicious sites. According to experts, a total of more than 6,600 sites have already been compromised.
Malicious code is injected into various files of compromised sites, databases, and core WordPress files, including ./wp-includes/js/jquery/jquery.min.js and ./wp-includes/js/jquery/jquery-mgrate.min.js. Essentially, the attackers are trying to put their own malicious code into any .js files with jQuery in the name. To avoid detection and hide their activity, hackers use CharCode.
Typically, these redirects lead to phishing pages, malware downloads, banner ads, or even more redirects. So, an injection on a hacked site creates a new script element with a legendtable domain.[.]com as the source. This domain refers to the second external domain – local[.]drakefollow[.]com – which refers to another, thereby creating a chain through which the visitor passes until he is redirected to some malicious resource.
Before reaching the final landing page, some visitors are taken to a fake CAPTCHA page that tries to trick them into signing up for push notifications from a malicious site.
“If a person clicks on a fake CAPTCHA, they will receive unwanted ads even if the site is not open, and ads will look like they are coming from the operating system and not from the browser,” experts say. “Also, these covert push notification maneuvers are linked to one of the most common “tech support” scams. When a user is informed that their computer is infected with a virus or is too slow, and in order to solve the problem, they should call the toll-free number [хакеров]”.
The researchers say that to initially compromise WordPress sites, attackers use numerous vulnerabilities in WordPress plugins and themes that are discovered regularly.