
Thousands of Hijacked WordPress Sites Redirect Users to Exploit Kits

Cybercriminals have been leveraging a vulnerability in a popular WordPress plugin to redirect the visitors of thousands of websites to exploit kits, a researcher has warned.

Data gathered by security researcher Yonathan Klijnsma and Germany’s Computer Emergency Response Team (CERT-Bund) shows that roughly 3,000 websites have been compromised. However, Klijnsma believes the actual number of affected WordPress sites is much higher.

The attackers are exploiting a known vulnerability in Slider Revolution (RevSlider), a popular premium WordPress plugin. The flaw was fixed silently by the developer back in February 2014 and its existence came to light in September 2014, after cybercriminals started exploiting it to hijack thousands of websites running the vulnerable version.

In December, Sucuri reported seeing a campaign in which more than 100,000 WordPress websites had been compromised and set up to serve malware.

Now, according to Klijnsma, the RevSlider vulnerability is being exploited in a different campaign. The attackers have been planting iframes on vulnerable websites in an effort to redirect their visitors to exploit kits.

Cybercriminals take control of the websites by exploiting a local file inclusion (LFI) vulnerability that lets them read and download arbitrary files from the affected server; in RevSlider's case that includes the site's wp-config.php and the database credentials stored in it. With that access the attackers create a new administrator account, upload a script to the affected websites, and add backdoors to files belonging to other WordPress plugins, the researcher said in a blog post.

In most cases, victims are directed to a Fiesta exploit kit landing page, but the researcher says the Angler exploit kit has also been used in the attack. In the case of Fiesta, vulnerabilities in Adobe Flash, Adobe Reader, Java, Microsoft Silverlight, and Internet Explorer are leveraged to push malware onto users’ computers, Klijnsma told SecurityWeek.

The domains hosting the exploit kit landing pages are registered with dynamic DNS providers and rotated frequently, so blocking individual hostnames offers little lasting protection.
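As an added illustration of the injection described above (this is example code written for this page, not the researcher's or CERT-Bund's tooling), the following script parses a page's HTML and reports iframes that are hidden (1x1 pixel or styled invisible) or that point at a dynamic-DNS zone. The sample page, the hostnames and the `DYNDNS_ZONES` list are all constructed placeholders under reserved example domains, not observed indicators; a real deployment would populate the zone list from its own intelligence.

```python
"""Spot injected iframes in a page's HTML: hidden frames, off-site hosts, dynamic-DNS zones."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate video embed and one 1x1 hidden frame of the kind
# the campaign injected. Every hostname here is a reserved/example placeholder, not an IOC.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<iframe src="http://cdn-update.dyn.example/index.php" width="1" height="1"
        style="position:absolute; visibility:hidden"></iframe>
</body></html>"""

# Assumed list of dynamic-DNS parent zones for the demo; populate from your own threat intel.
DYNDNS_ZONES = ("dyn.example",)


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (with or without a px suffix)."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_iframes(html, site_host, dyndns_zones=()):
    """Return one finding per iframe that is hidden or points at a dynamic-DNS zone.

    An off-site frame on its own is not flagged (video embeds are normal), but the
    reason is recorded so a hidden off-site frame stands out in the report.
    """
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()  # relative src stays on-site
        reasons = []
        if host != site_host.lower():
            reasons.append("off-site")
        if _is_hidden(attrs):
            reasons.append("hidden")
        if any(host == z or host.endswith("." + z) for z in dyndns_zones):
            reasons.append("dynamic-dns")
        if "hidden" in reasons or "dynamic-dns" in reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_HTML, "www.example.com", DYNDNS_ZONES):
        print(hit["host"], ", ".join(hit["reasons"]), "<-", hit["src"])
```

Run it against HTML fetched from your own site (ideally with a browser-like User-Agent, since injected content is sometimes served only to visitors and not to crawlers). Because the exploit kit domains rotate, the structural signals (hidden frame, dynamic-DNS parent zone) are more durable than any single hostname.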

The expert says the exploit kits are set up to serve various pieces of malware, including Cryptowall 3.0 ransomware, ad fraud malware, and banking Trojans. “It just depends who rents ‘loads’ on these instances,” Klijnsma noted.

Over half of the compromised websites observed by the researcher and CERT-Bund are on the .com TLD, and based on their IP addresses, most of them are hosted in the United States. Other impacted websites are located in the Netherlands, Germany, France, Spain, the United Kingdom, Italy, Poland, Canada and Singapore.

Klijnsma advises administrators whose websites have been compromised to remove all accounts and create new ones with new passwords. This is necessary because every account should be considered compromised once attackers have had administrative access to the site’s backend. Since the file download flaw also exposes wp-config.php, the database password and the authentication keys and salts stored in that file should be rotated as well.

“Check all PHP files for modifications by comparing them to files from the official WordPress website (or own local copies if you are 100% sure they are unaffected). Any modified files should be replaced with the normal ones,” the researcher said.

Finally, the RevSlider plugin should be updated to the latest version. It’s worth noting that the vulnerable plugin is bundled with several themes, so it may be present on a website even if the owner never installed it directly; such bundled copies must be patched separately. The RevSlider bug can be addressed in themes by using a special patch available on the official WordPress website.
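The file check quoted above, comparing every PHP file against a known-good copy, can be automated. The script below is an added example written for this page (not the researcher's tooling or any WordPress project code): it hashes a clean reference tree, then reports files on the live site that are modified, missing, or not in the manifest at all, which is how an appended backdoor in a plugin file or a script dropped into wp-content/uploads shows up. The `demo()` function builds two small constructed directory trees with placeholder content; the file names mirror a WordPress layout but are not real WordPress files.

```python
"""Verify a WordPress tree against a known-good manifest of PHP file hashes."""
import hashlib
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _php_files(root):
    """Yield (relative_posix_path, absolute_path) for every .php file under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(clean_root):
    """Hash a clean reference tree: a fresh download of the same WordPress/plugin versions."""
    return {rel: sha256_of(full) for rel, full in _php_files(clean_root)}


def verify_install(site_root, manifest):
    """Return (modified, missing, unexpected) relative paths, each sorted.

    modified  : listed in the manifest but hash differs (patched core/plugin file)
    missing   : listed in the manifest but absent from the site
    unexpected: PHP file present on the site but absent from the manifest (dropped script)
    """
    seen, modified, unexpected = set(), [], []
    for rel, full in _php_files(site_root):
        seen.add(rel)
        if rel in manifest:
            if sha256_of(full) != manifest[rel]:
                modified.append(rel)
        else:
            unexpected.append(rel)
    return sorted(modified), sorted(set(manifest) - seen), sorted(unexpected)


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def demo():
    """Constructed clean and tampered trees (placeholder content, not real WordPress files)."""
    plugin = "wp-content/plugins/revslider/revslider.php"
    clean_files = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-login.php": "<?php // login form\n",
        plugin: "<?php // plugin entry point\n",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as site:
        for rel, body in clean_files.items():
            _write(clean, rel, body)
            _write(site, rel, body)
        manifest = build_manifest(clean)
        # Simulated compromise: backdoor appended to a plugin file, script dropped into
        # uploads, and a core file removed.
        _write(site, plugin, clean_files[plugin] + "<?php // injected backdoor stub\n")
        _write(site, "wp-content/uploads/2015/update.php", "<?php // dropped script\n")
        os.remove(os.path.join(site, "wp-login.php"))
        return verify_install(site, manifest)


if __name__ == "__main__":
    modified, missing, unexpected = demo()
    print("modified:  ", modified)
    print("missing:   ", missing)
    print("unexpected:", unexpected)
```

In practice, point `build_manifest` at a fresh download of the exact WordPress, theme and plugin versions the site runs (WP-CLI's `wp core verify-checksums` covers core files the same way), and treat any PHP file under wp-content/uploads as hostile by default. Replace modified files with the clean copies rather than hand-editing them, since a cleaned file can still hide a second injection.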

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.