Connect with us

Hi, what are you looking for?


Malware & Threats

39,000 Websites Infected in ‘Sign1’ Malware Campaign

Over 39,000 websites have been infected with the Sign1 malware that redirects visitors to scam domains.

More than 39,000 websites have been infected with a new malware family that redirects visitors to scam domains and displays unwanted ads, website security firm Sucuri warns.

Dubbed Sign1, the JavaScript malware was found inside WordPress custom HTML widgets or within the Simple Custom CSS and JS WordPress plugin that the attackers added to the compromised websites.

“Using this method, hackers infect websites without placing any malicious code into server files which allows the malware to stay unnoticed for a long time — as it’s much more common for security providers to scan website files for malware than to check in the database,” Sucuri says.

The injected code is responsible for changing every 10 minutes the URL to be executed in the victim’s browser, leading to unwanted redirects to VexTrio domains.

The malware, however, uses obfuscation to hide its presence and would only execute if the visitor comes from a major website, such as Facebook, Google, Instagram, or Yahoo.

“This is a common trait of malware as it tends to allow the infection to stay unnoticed for a longer time (normally a website owner will navigate to their website directly, rather than through a search engine),” Sucuri notes.

The security firm also discovered that the JavaScript code sets a specific cookie so that it would not detonate and display the unwanted pop-up multiple times for the same visitor.

Furthermore, the execution is conditioned by the existence of a hexadecimal-string JavaScript file that matches a specific 10-minute interval.

Advertisement. Scroll to continue reading.

“If these conditions are met, then the malware is injected and executes yet another script passing the URL of the current page, the referrer, and the browser language as a base64-encoded parameter. This script works as a TDS and redirects users further to malicious sites (usually the VexTrio scam sites),” Sucuri says.

Over the past six months, the security firm identified over 39,000 sites infected with different variants of the malware, with the most recent of them infecting more than 2,500 sites in the past two months.

Sucuri identified 15 domains used in this malicious campaign. Eight of them have been used in thousands of infections each.

Related: New Attack Shows Risks of Browsers Giving Websites Access to GPU

Related: Websites Hacked via Vulnerability in Bricks Builder WordPress Plugin

Related: Millions of User Records Stolen From 65 Websites via SQL Injection Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.