After that, the code in the HTML header would simply go on to deobfuscate itself. The interesting part is that the malicious script was also present in the wp_posts table of the WordPress database, the table that stores pages, post content and revisions as well as plugin content. A few website owners spotted the injected code in that table on their own; Sucuri identified it as well, and it was fairly obvious to people who work with their website code often.
It’s hard to say why this scam campaign appeared in the first place. It appears to be connected to Google’s plan to ban tech support ads that don’t come from verified operators. That started at the very end of August, so it’s easy to see why these attacks began in early September.
The thing to consider here is that these crooks simply mimic what legitimate businesses do while scamming people for money. The victim sees them as a professional company, even though that is not the case. Recently, the attacks focused on getting people to call for support: the page redirects to an infected site that steals data and other personal information. This type of scam has been around for a very long time, and it clearly brings plenty of challenges to take into consideration.
However, this is not the only type of scam you can encounter in these attacks. They also push separate ads selected based on things like the visitor’s user agent and geolocation. This is also quite popular compared to other fraudulent activities; the idea here is that the advertiser is scammed, not the person actively visiting and viewing the ads.
Of course, there are also campaigns that redirect people to a site with Coinhive injected into it, so the attackers can mine cryptocurrency using the browsers of the website’s visitors. What website owners can do right now is clean everything up and check their databases and pages for any malicious code they don’t recognize.
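As an added example (not code from this article or from Sucuri), the following Python scans rows exported from the wp_posts table for script elements and flags traits typical of obfuscated injections; the sample rows, the marker list and the example.invalid URL are constructed for illustration.

```python
import re

# Constructed sample rows in the shape of `SELECT ID, post_type, post_content FROM wp_posts`;
# these are made-up examples, not the injected script from the campaign described above.
SAMPLE_POSTS = [
    (1, "post", "<p>Welcome to our site.</p>"),
    (2, "page", "<p>Contact us.</p><script>eval(unescape('%3C%73%63%72%69%70%74%3E'))</script>"),
    (3, "revision", "<p>Draft text</p><script src=\"https://example.invalid/js.js\"></script>"),
    (4, "post", "<p>Our products are listed <a href='/shop'>here</a>.</p>"),
]

# Any <script> element (with or without a closing tag) inside post content.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(?:.*?</script\s*>)?", re.I | re.S)

# Traits typical of obfuscated injections (an assumed, illustrative list); each hit is reported by name.
OBFUSCATION_MARKERS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "unescape": re.compile(r"\bunescape\s*\(", re.I),
    "hex-escapes": re.compile(r"(?:%[0-9a-f]{2}){6,}", re.I),
    "fromCharCode": re.compile(r"String\.fromCharCode", re.I),
    "document.write": re.compile(r"document\.write\s*\(", re.I),
}
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)""", re.I)


def scan_posts(rows):
    """Return one finding per <script> element found in post_content.

    Each finding records the row, the markers that matched and any external
    script source, so the owner can review the rows before cleaning them.
    """
    findings = []
    for post_id, post_type, content in rows:
        for match in SCRIPT_TAG.finditer(content):
            snippet = match.group(0)
            reasons = [name for name, pat in OBFUSCATION_MARKERS.items() if pat.search(snippet)]
            src = SRC_ATTR.search(snippet)
            if src:
                reasons.append("external src: " + src.group(1))
            findings.append({"id": post_id, "type": post_type, "reasons": reasons,
                             "snippet": snippet[:80]})
    return findings


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"{f['type']} #{f['id']}: {', '.join(f['reasons']) or 'inline script'}")
```

Every script element is reported, not only the ones with markers, because legitimate post content rarely contains scripts and each hit deserves a look.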
Identifying what led to the compromise in the first place is also very important, as it shows what you need to address. The number of infected WordPress websites has risen rapidly in the past few days, and we are bound to see more infections. But with the right protection and focus, website owners will be able to eliminate this!