Compromised WordPress-based websites redirect users to explicit sites
The Dell SonicWALL Threats Research team discovered mass defacements of various WordPress-based websites, including government websites in the Asia-Pacific region. Such reputable domains are typical targets for cybercriminals looking for a platform from which to carry out malicious activities, because these sites are less likely to be blocked by security software.
Decrypting and analyzing the injected code reveals that the attacker ensures the redirect fires only once per browser session by using an ordinary cookie. The script creates a cookie named 'doRedirect' when the compromised website is visited and redirects the browser to a malicious explicit URL shortened using Google's URL shortening service. Subsequent visits to the compromised website in the same session are no longer redirected.
Figure 3: URL redirect using bit.ly & adfoc.us
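As an added example (not code from the SonicWALL write-up or from the compromised sites), a small Python scanner that flags the cookie-gated redirect pattern described above in page scripts: it unfolds common string escapes, then looks for the 'doRedirect' cookie check together with a redirect to one of the shortener domains named here. The samples are constructed, the placeholder URLs are not real indicators, and the escape-decoding step is an assumption, since the advisory does not say how the injected code was encoded.

```python
import re

# Indicators taken from the advisory: the session cookie name and the link shorteners involved.
COOKIE_NAME = "doRedirect"
SHORTENER_HOSTS = ("goo.gl", "bit.ly", "adfoc.us")

_HOSTS = "|".join(re.escape(h) for h in SHORTENER_HOSTS)
# A document.cookie read or write that mentions the cookie name within the same statement.
COOKIE_RE = re.compile(r"document\.cookie[^;\n]*\b" + re.escape(COOKIE_NAME) + r"\b")
# location = "...", location.href = "..." or location.replace("...") pointing at a shortener.
REDIRECT_RE = re.compile(
    r"(?:\blocation(?:\.href)?\s*=|\blocation\.replace\()\s*['\"]"
    r"https?://(" + _HOSTS + r")/[^'\"]*['\"]"
)


def decode_escapes(text):
    """Unfold \\xNN and %NN escapes so string-built identifiers become readable.
    How the real injections were encoded is not stated in the advisory; this is an assumption."""
    def hex_to_chr(m):
        return chr(int(m.group(1), 16))
    text = re.sub(r"\\x([0-9a-fA-F]{2})", hex_to_chr, text)
    return re.sub(r"%([0-9a-fA-F]{2})", hex_to_chr, text)


def scan_script(text):
    """Flag scripts that gate on the doRedirect cookie AND redirect to a link shortener."""
    decoded = decode_escapes(text)
    cookie_gate = COOKIE_RE.search(decoded) is not None
    hosts = sorted({m.group(1).lower() for m in REDIRECT_RE.finditer(decoded)})
    return {"cookie_gate": cookie_gate, "shortener_hosts": hosts,
            "suspicious": cookie_gate and bool(hosts)}


# Constructed samples for the demo; the URLs are placeholders, not real indicators.
SAMPLE_INJECTED = ('if (document.cookie.indexOf("doRedirect") == -1) {'
                   ' document.cookie = "doRedirect=1; path=/";'
                   ' window.location = "http://goo.gl/PLACEHOLDER"; }')
SAMPLE_OBFUSCATED = ('if(document.cookie.indexOf("\\x64\\x6f\\x52\\x65\\x64\\x69\\x72\\x65\\x63\\x74")==-1){'
                     'document.cookie="\\x64\\x6f\\x52\\x65\\x64\\x69\\x72\\x65\\x63\\x74=1";'
                     'location.href="http://bit.ly/PLACEHOLDER";}')
SAMPLE_BENIGN = 'document.cookie = "theme=dark; path=/"; console.log(location.href);'

if __name__ == "__main__":
    for name, sample in [("injected", SAMPLE_INJECTED), ("obfuscated", SAMPLE_OBFUSCATED),
                         ("benign", SAMPLE_BENIGN)]:
        print(name, scan_script(sample))
```

Running the scanner over a site's theme and plugin files, or over the rendered HTML fetched from a fresh session without cookies, is enough to catch this specific injection; a benign cookie write alone does not trigger it.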
Statistics for two different goo.gl URLs we found, both of which redirect to the same explicit website, show how widespread this attack is: the shortened links garnered over 15,000 clicks in a single day and over 300,000 clicks in total since they were first created, with victims spread across many regions of North America, Asia and Europe.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: FakePostePay.A (Trojan)