Fri. Jun 5th, 2020

Malicious WordPress Campaign Rerouting Traffic to Criminal Websites

Numerous WordPress plugins have been found to maliciously reroute traffic to criminal websites, researchers find.

 

In a blog post, the Threat Intelligence team at Wordfence shares details about a redirect campaign that is actively “targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations.”

 

Researchers found that the malicious campaign specifically targeted plugins developed by NicDark, such as Simple 301 Redirects – Addon – Bulk Uploader.

 

“The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests,” reads the post. “In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database.”

 

Moreover, the vulnerabilities could allow hackers to “modify arbitrary WordPress options,” for example, to enable registration as an Administrator user.
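As an added illustration (not code from Wordfence or from the affected plugins), this Python check statically flags the pattern the post describes: a `wp_ajax_nopriv_` action whose handler writes WordPress options. The `example_*` names and the sample plugin source are constructed; `update_option`, `add_option`, `update_site_option` and `current_user_can` are WordPress core functions that the article does not name.

```python
import re

# Registration of an unauthenticated AJAX action: add_action('wp_ajax_nopriv_<action>', '<callback>')
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_nopriv_(\w+)['"]\s*,\s*['"](\w+)['"]""")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
OPTION_WRITES = ("update_option(", "add_option(", "update_site_option(")  # options-table writers

def function_body(src, name):
    """Return the brace-balanced body of PHP function `name`, or '' if absent.
    Heuristic: braces inside strings or comments are not skipped."""
    for m in FUNC_RE.finditer(src):
        if m.group(1) != name:
            continue
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        return src[m.end():i - 1]
    return ""

def audit(src):
    """Return (action, callback, has_capability_check) per option-writing nopriv handler."""
    findings = []
    for action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if any(call in body for call in OPTION_WRITES):
            findings.append((action, callback, "current_user_can(" in body))
    return findings

# Constructed sample plugin source; every example_* name is hypothetical.
SAMPLE_PLUGIN = r"""<?php
add_action( 'wp_ajax_nopriv_example_import', 'example_import_settings' );
add_action( 'wp_ajax_nopriv_example_ping', 'example_ping' );
add_action( 'wp_ajax_example_save', 'example_save' );
function example_import_settings() {
    foreach ( $_POST['settings'] as $key => $value ) {
        update_option( $key, $value );
    }
    wp_die();
}
function example_ping() { wp_send_json_success(); }
function example_save() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_die(); }
    update_option( 'example_setting', sanitize_text_field( $_POST['v'] ) );
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE_PLUGIN))
```

An empty result does not clear a plugin: the regexes only see callbacks passed as string literals, so class-method and closure handlers need manual review.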

 

The campaign began on July 31. Other attacks targeted the following WordPress plugins:

 

Other indicators of compromise include:

IP Addresses

The post lists the top 20 IP addresses associated with the campaign, noting that “addresses listed in bold text appear in the list of IPs Attacking Most Sites.”


 

Domain Names


 

WordPress has since removed other plugins developed by NicDark.