Data from urlscan.io indicates that the most recent operation has been running since December 26, 2022. More than 3,600 sites were affected by an earlier wave observed in early December 2022, and more than 7,000 sites by a wave observed in September 2022. The malicious code was added to the WordPress index.php file, and Sucuri disclosed that it had removed the code from more than 33,000 files on the hijacked sites over the last 60 days.
“In recent months, this malware campaign has gradually switched from the notorious fake CAPTCHA push notification scam pages to black hat ‘ad networks’ that alternate between redirects to legitimate, sketchy, and purely malicious websites,” said Sucuri researcher Denis Sinegubko.
Specifically, a traffic direction system is used to start a redirect chain when unwary visitors land on one of the compromised WordPress sites, leading them to websites that present dubious adverts for products which, ironically, claim to combat intrusive ads. Even more concerning, depending on the web browser in use, the website for one such ad blocker, called Crystal Blocker, displays deceptive browser update alerts to trick users into installing its extension.
Nearly 110,000 people use the browser extension across Google Chrome (60,000+), Microsoft Edge (40,000+), and Mozilla Firefox (8,635). While the extensions do offer ad-blocking capability, Sinegubko noted that there is no assurance that using them would be secure since they might have hidden features in either the current version or any upgrades that may come in the future.
Some of the redirections are outright malicious, using the compromised websites as a conduit for drive-by downloads. In some cases this delivers Raccoon Stealer, served through the Discord CDN, a malware program that can steal private information including passwords, cookies, browser autofill data, and cryptocurrency wallets. The discoveries come at a time when threat actors are creating websites that mimic a range of genuine products to disseminate trojans and stealers through malicious advertisements in Google search results.
Google has since acted to block one of the malicious sites employed in the redirect scheme, designating it as a dangerous website that places “unwanted or malicious software on visitors’ computers.” WordPress site owners are encouraged to update installed themes and plugins, delete those that are unused or abandoned by their authors, and change passwords to reduce the risk of such attacks.
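Because this campaign lives in the site's root index.php, the quickest defender check is to compare that file against what a stock WordPress install ships and to list every index.php touched inside the 60-day window Sucuri cites. The script below is an added example, not Sucuri's tooling or WordPress code; it assumes a recent core release (whose root index.php uses `__DIR__`), and the sample files it inspects are constructed here.

```python
import os
import re
import time

# Statements that a stock WordPress root index.php reduces to once comments and
# whitespace are removed. Assumption: a recent core release (it uses __DIR__);
# older releases spelled the second statement with dirname(__FILE__).
STOCK_STATEMENTS = {
    "define('WP_USE_THEMES',true);",
    "require__DIR__.'/wp-blog-header.php';",
}

PHP_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def php_statements(source: str) -> set:
    """Reduce PHP source to a set of comment-free, whitespace-free statements."""
    body = PHP_COMMENT_RE.sub("", source)
    body = body.replace("<?php", "").replace("?>", "").replace('"', "'")
    body = re.sub(r"\s+", "", body)
    return {stmt + ";" for stmt in body.split(";") if stmt}


def unexpected_statements(source: str) -> list:
    """Anything in the root index.php beyond the two stock statements is suspect."""
    return sorted(php_statements(source) - STOCK_STATEMENTS)


def recently_modified_index_files(site_root: str, days: int = 60) -> list:
    """List every index.php under the site whose mtime falls within the last `days` days."""
    cutoff = time.time() - days * 86400
    hits = []
    for dirpath, _, filenames in os.walk(site_root):
        if "index.php" in filenames:
            path = os.path.join(dirpath, "index.php")
            if os.path.getmtime(path) > cutoff:
                hits.append(path)
    return sorted(hits)


# Constructed samples (not taken from the campaign): a stock file and one with a line appended.
STOCK_INDEX = """<?php
/** Front to the WordPress application. */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
"""
TAMPERED_INDEX = STOCK_INDEX + "echo 'CONSTRUCTED_INJECTED_STATEMENT';\n"

if __name__ == "__main__":
    print("stock   :", unexpected_statements(STOCK_INDEX))     # []
    print("tampered:", unexpected_statements(TAMPERED_INDEX))  # the appended statement
```

Theme and plugin directories carry their own legitimate index.php files, so only the site root is compared against the stock statements; the mtime listing is a triage aid, and a full core integrity check (for example WP-CLI's `wp core verify-checksums`) should follow.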