Threat Management, Malware, Network Security

WordPress redirection campaign uses .js file, fake plug-ins to send victims to scam sites

A URL shortener, a fake plug-in and a malicious popuplink.js file are the three key ingredients found in a WordPress website infection campaign that since July has been redirecting victimized site visitors to various scam and ad sites.

Sucuri, whose research team observed the scam, reveals in an Aug. 17 blog post that up to 3,000 sites contained the popuplink.js malware at one point – a number based on findings gleaned from the digital marketing and affiliate marketing research tool PublicWWW.

The popuplink.js code itself is designed to hook the “onclick” event whenever a new visitor clicks on any link element on an infected web page, according to senior malware researcher Denis Sinegubko, who penned the post. When this occurs, either a new tab is opened with the actual link that was clicked, or the original tab obeys the malicious script's command and loads a URL contained within its code.

This commences a chain of redirects that involve three shortened links created by the tiny.cc URL shortener. Ultimately, the website visitor winds up viewing a sketchy page containing ads or a flat-out scam such as a fake tech support service.

Sucuri says that the attack is a variation of an infection technique its researchers discovered last February, which involved the malicious plug-ins "injectbody" and "injectscr" and resulted in the creation of annoying pop-ups and pop-under ads. The idea, explains Sinegubko, is to “inject the malicious code and make the plug-in invisible in the WordPress admin interface.”

In this more recent campaign, certain website infections have used a plug-in called “index” with a corresponding variable named “wp_cfg_index” while others have employed a plug-in named “wp_update” with a variable called “wp_cfg_wp_update”. The blog post further notes that infected pages typically contain two scripts within the <head> portion of their pages, one of which contains the name of the fake plug-in, and another that includes the name of the variable.

The malicious plug-ins are especially devilish in that their code comments are designed to look legitimate, and they also peek at their own user configuration settings to determine if the current visitor is a site admin – in which case, they will hide their activity.

The plug-ins also use cookies to prevent an injection or redirect for the same visitor within a 100-minute time span. Moreover, "if the visitor is the site administrator the malware will not be injected, and the cookie will be set for 100 years," added Sinegubko. "A cookie with such a long duration prevents site admins from finding the malware even if they log out from the site. Of course, this only works as long as they use the same browser and don't clean cookies or use incognito sessions."

To combat the threat, Sucuri recommended that site admins remove fake plug-ins directly from the disk, delete unknown users with admin privileges, and change their passwords.


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.