A massive campaign has infected more than 4,500 WordPress websites as part of an ongoing operation believed to be active since 2017.
The latest wave has been under way since December 26, 2022. According to the data, an earlier wave in early December 2022 impacted over 3,600 sites, while another set of attacks recorded in September 2022 ensnared more than 7,000 sites.
The rogue code is inserted into the WordPress index.php file, with Sucuri noting that it has removed such changes from more than 33,000 files on compromised sites in the past 60 days.
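As an added example (not code from Sucuri or from this report), the following defender-side check strips comments from a WordPress index.php and reports every statement that is not one of the two statements stock core ships, which is how an injection into this file stands out. The sample file contents and the `/tmp/constructed-example.php` path are constructed for illustration only.

```python
import re

# Constructed sample of a stock WordPress index.php (newer core form; comments abridged).
STOCK_INDEX_PHP = """<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
"""

# Constructed tampered copy: one extra statement pulling in a file outside the site.
# The path is a placeholder, not an indicator from any real campaign.
TAMPERED_INDEX_PHP = STOCK_INDEX_PHP.replace(
    "<?php\n", "<?php\n@include_once '/tmp/constructed-example.php';\n", 1
)

# The only statements a stock WordPress index.php contains, in both the old
# (dirname(__FILE__)) and new (__DIR__) forms shipped by core.
STOCK_STATEMENTS = [
    r"define\( ?'WP_USE_THEMES', ?true ?\);",
    r"require\(? ?(dirname\( ?__FILE__ ?\)|__DIR__) ?\. ?'/wp-blog-header\.php' ?\)?;",
]

def strip_php_comments(src: str) -> str:
    """Drop /* */, // and # comments so only executable code is left to inspect."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(^|\s)(//|#)[^\n]*", "", src)

def suspicious_statements(src: str) -> list:
    """Return the statements in an index.php that are not part of stock WordPress.
    Anything trailing a closing ?> tag (raw HTML/JS) is reported as well."""
    body = strip_php_comments(src)
    body = re.sub(r"\A\s*<\?php", "", body)
    flagged = []
    for raw in body.split(";"):
        stmt = re.sub(r"\s+", " ", raw).strip()
        if not stmt:
            continue
        stmt += ";"
        if not any(re.fullmatch(p, stmt) for p in STOCK_STATEMENTS):
            flagged.append(stmt)
    return flagged

if __name__ == "__main__":
    for name, src in (("stock", STOCK_INDEX_PHP), ("tampered", TAMPERED_INDEX_PHP)):
        print(name, suspicious_statements(src) or "clean")
```

Run it over every index.php under the web root after a suspected compromise; a non-empty result is a file to restore from a known-good copy, not to hand-edit.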
In recent months, the campaign has also gradually switched from the notorious fake CAPTCHA push-notification scam pages to black-hat 'ad networks' that alternate between redirects to legitimate, sketchy, and purely malicious websites.
Thus, when unsuspecting users land on one of the hacked WordPress sites, a redirect chain is triggered by means of a traffic direction system (TDS).
Even more troublingly, the website for one such ad blocker, named Crystal Blocker, is engineered to display misleading browser update alerts, tailored to the web browser in use, to trick users into installing its extension.
The browser extension is used by lakhs of users across Google Chrome, Microsoft Edge and Mozilla Firefox.
While the extensions do have ad-blocking functionality, there is no guarantee that they are safe to use or that they do not contain undisclosed functions in the current version or in future updates.
Some of the redirects also fall into the outright nefarious category, wherein the infected websites act as a conduit for initiating drive-by downloads.
This includes retrieving from the Discord CDN an information-stealing malware known as Raccoon Stealer, which is capable of plundering sensitive data such as passwords, cookies, browser autofill data, and even crypto wallets.
The findings come as threat actors are setting up lookalike websites for a variety of legitimate software to distribute stealers and trojans through malicious ads in Google search results.
Google has since stepped in to block one of the rogue domains involved in the redirect scheme, classifying it as an unsafe site that installs unwanted or malicious software on computers.
To mitigate such threats, WordPress site owners are advised to change passwords, update installed themes and plugins, and remove those that are unused or have been abandoned by their developers.