Posted on May 31, 2019 at 7:27 AM

Visitors Redirected to Malicious Sites by Hackers After Exploiting WordPress Plugin

We have all been able to notice that we are bombarded with more malicious redirects than ever and now we know the reason why. Security researchers are warning all of us that a recently patched vulnerability in some websites is used by hackers to redirect visitors to bad sites or to display deceiving popups.

Using the WP live Chat Support which is a plugin for the WordPress content management system, the patched vulnerability has been fixed. The attackers succeeded in exploiting this vulnerability simply by injecting JavaScript into the sites that use the plugin to provide an interface for their visitors to have real-time chats with the site representatives.

Cybersecurity experts believe that the hackers have attacked these sites using the unpatched version of the WP Live Chat Support in order to redirect visitors to bad sites or display confusing and unwanted ads. Specialists confirm that the attacks are not extensive but their number was good enough to alert the websites and their visitors.

Why did the attackers choose WordPress plugin?

WordPress is a very popular network, thus making cybersecurity specialists believe that its scale and open-source nature makes it a target for hackers to performs attacks. The vulnerabilities in WordPress plugins aren’t hot news but rather a problem that exists for a long, long time.  It is believed that the vulnerabilities in the underlying platform make it easy for hackers to succeed in exploiting them and achieve their goals. 

It doesn’t come as a surprise that with the emerging technological advancements, cybercriminals are more focused on finding new vulnerabilities in popular content management systems such as WordPress. Attackers can compromise the website simply by injecting malicious code into the unpatched vulnerability which can often be found either in the CMS or in the associated plugins, thus affecting the visitors of those sites. 

The unpatched vulnerability that exists allows any user visiting the website to update the plugin settings. Yet, the problem starts when evil-minded users are injecting malicious JavaScript in every place where the Live Chat Support icon can be found.

How did the hackers succeed in the attack?

The security researchers which have analyzed the nature of the attacks and how the hackers worked suggest that in order to execute the main script, the attackers used the injected script for a request sent to hxxps://blackwardago[.]com. 

Afterward, all the visitors of the site were redirected to a multitude of URLs that pushed deceiving popup ads, fake error notifications, and requests to allow other malicious websites to send them notifications. It seems that there are 47 sites which have been hit by the exploit of the attackers. According to the specialists, some caused bar redirects to the visitors of the sites, but there were also others that used patched versions of the plugin and didn’t cause such redirects. 

How website users can protect themselves?

Cybersecurity specialists are warning users that the attacks may become more frequent and damaging, thus they should constantly pay a lot of attention to the sites they do visit and be careful what information they are providing on the websites.