An injection attack inserted code into 2,000 WordPress web pages, according to a post on ZScaler's ThreatLab blog.
The campaign lets attackers inject malvertising and spyware applications into the .js files of the widely used content management system and blogging platform after a user clicks on a prompt that downloads a phony Adobe Flash Player application.
The campaign began the first week of August and has been "fairly active since," leading to more than 20,000 security events with 2,000 web pages affected. Even sites running the latest version of WordPress (4.3.1) have been compromised, but Zscaler said attacks could have occurred on earlier generations.
The campaign is unique in that the end payload contains spyware and potentially unwanted applications, which could allow malvertising-based assaults via unsolicited advertisements.According to Dynamoo's Blog, the payload site in the file changes about every half hour.