Large Number of WordPress Hacks Silently Delivering Ransomware to Visitors

Mysteriously, a large number of sites running on WordPress have been hacked, causing them to deliver crypto-ransomware and other malicious software to visitors. Until last week, web security services were unaware of this massive lapse in security.

Three separate security firms have since come forward to report that visitors to a massive number of legitimate WordPress sites are being silently redirected to malicious sites, which host code from the Nuclear exploit kit.

Users with outdated versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer are highly susceptible to infection with the Teslacrypt ransomware package. The ransomware encrypts files on the computer, and the decryption key needed to restore them can be obtained only by paying a hefty ransom.

“WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads,” Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. “This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit.”

Researchers at Heimdal Security Software wrote in a blog post: “The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use.” Hackers are exploiting an unidentified vulnerability to inject obfuscated JavaScript that redirects traffic to a domain called chrenovuihren. An online ad that pops up on the site then forces traffic to the site hosting the Nuclear exploit kit.

“This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files,” website security firm Sucuri said in a statement in a blog post Monday. “This malware uploads multiple backdoors into various locations on the webserver and frequently updates the injected code. This is why many webmasters are experiencing constant reinfections post-cleanup of their .js files.”
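
As an added example (not from Sucuri or the original article): a baseline comparison that flags .js files whose original bytes are intact but have extra bytes appended at the end, the pattern described above. It assumes a known-good copy of the site was hashed beforehand; the function names and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def js_files(root):
    """Yield (relative_path, bytes) for every .js file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if name.endswith(".js"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    yield os.path.relpath(full, root), fh.read()

def build_baseline(root):
    """Record (digest, length) of each .js file from a known-good copy."""
    return {rel: (sha256(data), len(data)) for rel, data in js_files(root)}

def audit(root, baseline):
    """Classify changed .js files; unchanged files are omitted from the result."""
    findings = {}
    for rel, data in js_files(root):
        if rel not in baseline:
            findings[rel] = ("unknown", len(data))
            continue
        digest, length = baseline[rel]
        if sha256(data) == digest:
            continue
        # Original bytes intact but extra bytes follow: the append pattern.
        if len(data) > length and sha256(data[:length]) == digest:
            findings[rel] = ("appended", len(data) - length)
        else:
            findings[rel] = ("modified", len(data))
    return findings

def demo():
    """Constructed sample tree: one file gets harmless trailing bytes appended."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes", "js"))
        good = os.path.join(root, "wp-includes", "js", "sample.js")
        with open(good, "wb") as fh:
            fh.write(b"function hello() { return 1; }\n")
        baseline = build_baseline(root)
        with open(good, "ab") as fh:
            fh.write(b"/* constructed trailing bytes */")
        return audit(root, baseline)

if __name__ == "__main__":
    for path, (kind, size) in demo().items():
        print(path, kind, size)
```

Running the audit again after each cleanup shows whether appended code has returned, which is the reinfection symptom Sucuri describes.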