Connect with us

Hi, what are you looking for?



Thousands of WordPress Sites Hacked To Push Work From Home Scam

Thousands of WordPress websites have been hijacked recently to redirect to a “work at home” scam, according to researchers at Zscaler ThreatLabz.

Thousands of WordPress websites have been hijacked recently to redirect to a “work at home” scam, according to researchers at Zscaler ThreatLabz.

The WordPress sites were hijacked to redirect visitors to the sites to two scam URLs, Julian Sobrier, a senior security researcher at Zscaler, wrote on the ThreatLabz blog. It appears that the scammers had added new pages with randomly-generated filenames inside the /wp-includes/ directory on the sites.

Attackers like to put malicious pages inside standard directories such as /wp-includes/ because many users generally don’t know which files belong there and which do not, Sobrier told SecurityWeek. The /wp-includes/ directory is a part of every WordPress installation and contains much of the core code. Webmasters recommended not adding, removing, or modifying files in this directory as it may cause the WordPress site to stop working.

“Attackers choose carefully the location of their new files to hide them,” Sobrier said.

While some of the hijacked sites have been blacklisted by Google Safe Browsing, majority of them are not flagged, Sobrier said. The visitors to these WordPress sites are all redirected to one of the two scam sites, or Neither site was blacklisted by Google Safe Browsing at the time Sobrier wrote the post.

These hijacked sites were legitimate WordPress sites which had been hacked specifically for the campaign, Sobrier said. The scammers appeared to be sending out spam to propagate the link to the hijacked Websites.

Even though work-from-home scams are not new, Sobrier felt this particular campaign was “one of the biggest campaigns” due to the number of hijacked Websites. This campaign just illustrates how compromising thousands of Websites to redirect traffic to a malicious site can be “very easy, and very cheap” to do, Sobrier said.

Advertisement. Scroll to continue reading.

The malicious scam site almost always takes on the appearance of a media outlet, including legitimate ones such as NBC or made-up outlets with “newsy” names, with a news article touting the success of the particular “opportunity.” It usually goes along the lines of how someone was able to make several thousand dollars a month from home. Most of them are also well-designed, with fake ads and links to news summaries.

“Work at home” scams have been around in some shape or form for a long time, and scammers are continuously finding new ways to target victims. Many of the sites take advantage of localization capabilities in order to modify the title of the article to reflect the site visitor’s geographic location.

Earlier this year, many of the scam sites started displaying Facebook Like icons on their pages to convey a sense of legitimacy. Facebook allows you to embed any Like widget on any website, even if the domains or URLs do not correspond. Scammers are using this trick to appear more legitimate, by tricking visitors into thinking their website has been visited and liked by many people.

Zscaler researchers also found that several work from home sites appeared earlier this year on the list of the top-20,000 most visited sites in the world.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...