Alert: Over 39,000 WordPress Sites Compromised in Massive Sign1 Campaign with Scam Redirects.


  • A large malware campaign known as Sign1 has compromised more than 39,000 WordPress websites over the past six months. The attackers inject malicious JavaScript into the sites to redirect visitors to scam pages.

  • Sucuri, in a recent report, revealed that the latest version of the malware has infected at least 2,500 websites in the past two months. The injections are placed into legitimate HTML widgets and plugins that let a site administrator add arbitrary code to pages; the attackers abuse that feature to store their JavaScript rather than exploiting a flaw in the widget or plugin itself.
  • The injected JavaScript is XOR-encoded. Once decoded, it loads a second JavaScript file from a remote server, which redirects the visitor to a traffic distribution system (TDS) operated by VexTrio, but only when specific conditions are met.
  • The malware also uses time-based randomization to build dynamic URLs that change every 10 minutes, so a domain captured and blocklisted in one window is already stale in the next. The domains are registered only a few days before they are put to use.
  • Security researcher Ben Martin noted that the malware checks whether the visitor arrived from a major site such as Google, Facebook, Yahoo or Instagram. If the referrer does not match, the script does nothing, so a site owner or scanner that opens the page directly sees no redirect; visitors who do match are sent on to other scam sites by a second JavaScript file fetched from the same server.
  • The Sign1 campaign, first identified in the latter part of 2023, has seen multiple iterations. Attackers have utilized up to 15 different domains since July 31, 2023.
  • The method of compromise for WordPress sites is suspected to be brute-force attacks, although attackers could also exploit security vulnerabilities in plugins and themes to gain access.


  • "Numerous injections are located within WordPress custom HTML widgets added by the attackers to compromised websites," noted Martin. "In many cases, the attackers install a legitimate Simple Custom CSS and JS plugin to inject the malicious code."
  • This tactic, which avoids placing any malicious code into server files, enables the malware to evade detection for prolonged periods, according to Sucuri.
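The three behaviours described above (an XOR-encoded loader, a script URL that rotates every 10 minutes, and a referrer gate) as an added model in JavaScript. This is illustrative code written for this page, not Sign1's injected script and not Sucuri's analysis tooling; the XOR key, the hostname pattern and the domain scam-example.invalid are constructed placeholders, and the loader takes the referrer and the clock as parameters instead of reading document.referrer and Date.now() so it can run outside a browser.

```javascript
// Added illustration, not Sign1's code: a model of the three traits the
// report describes (XOR-encoded loader, 10-minute URL rotation, referrer
// gating) so a reviewer can recognise them in stored widget content.
// The key, hostname pattern and domain below are constructed placeholders.

const XOR_KEY = 0x2a;                 // constructed single-byte key
const ROTATION_MS = 10 * 60 * 1000;   // "URLs change every 10 minutes"
const MAJOR_REFERRERS = ['google', 'facebook', 'yahoo', 'instagram'];

// XOR "encoding" of the kind such loaders use: each character is XORed with
// the key and rebuilt with String.fromCharCode. XOR is its own inverse, so
// the same function encodes and decodes.
function xorEncode(text, key) {
  return Array.from(text, ch => String.fromCharCode(ch.charCodeAt(0) ^ key)).join('');
}
const xorDecode = xorEncode;

// Time-based URL: the clock is bucketed into 10-minute windows and the bucket
// number becomes a hostname label, so a blocklist entry captured in one window
// no longer matches the next. The exact label scheme is hypothetical.
function rotatingScriptUrl(nowMs, baseDomain) {
  const bucket = Math.floor(nowMs / ROTATION_MS);
  return `https://${bucket.toString(36)}.${baseDomain}/js.js`;
}

// Referrer gate: fire only when the visit came from one of the big platforms,
// i.e. a real visitor following a search or social link. An empty or
// malformed referrer (site owner typing the URL, a scanner) means stay silent.
function cameFromMajorSite(referrer) {
  try {
    const labels = new URL(referrer).hostname.toLowerCase().split('.');
    return labels.some(l => MAJOR_REFERRERS.includes(l));
  } catch (e) {
    return false;
  }
}

// The decision the loader makes on page load: the URL it would fetch next,
// or null when it does nothing. Inputs are explicit so this runs offline.
function decideAction(referrer, nowMs, encodedPayload) {
  if (!cameFromMajorSite(referrer)) return null;
  const baseDomain = xorDecode(encodedPayload, XOR_KEY); // hidden C2 domain
  return rotatingScriptUrl(nowMs, baseDomain);
}

// Constructed sample of what the stored widget body would carry.
const SAMPLE_PAYLOAD = xorEncode('scam-example.invalid', XOR_KEY);

// Why blocklists lag: two visits eleven minutes apart resolve to different
// hostnames, and a direct visit with no referrer triggers nothing at all.
function blocklistDemo() {
  const t0 = Date.UTC(2024, 2, 20, 12, 0, 0);           // constructed timestamp
  const first = decideAction('https://www.google.com/', t0, SAMPLE_PAYLOAD);
  const later = decideAction('https://www.google.com/', t0 + 11 * 60 * 1000, SAMPLE_PAYLOAD);
  const direct = decideAction('', t0, SAMPLE_PAYLOAD);
  return { first, later, direct, rotated: first !== later };
}
```

The point of blocklistDemo is the rotated flag: a domain observed at the first visit is useless as an indicator eleven minutes later, which is why the report stresses the rotation scheme rather than individual hostnames. When reviewing a suspect site, the same three traits are what to look for in stored content rather than in files: a fromCharCode/charCodeAt loop, a hostname derived from the current time, and a test on document.referrer. The Custom HTML widget keeps its body in the wp_options row widget_custom_html, and the Simple Custom CSS and JS plugin stores its snippets as posts of type custom-css-js (storage locations taken from the two components' own behaviour, not stated in the report).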


