Security researchers at Sucuri have discovered that thousands of WordPress websites are infected with an unknown type of malware.
The researchers explained that the malware redirects visitors from an infected website to another site that loads ads served through Google Ads, generating ad revenue for the owner of that destination site.
Sucuri's researchers found that an unidentified malicious actor had compromised 11,000 websites through the WordPress content management platform.
WordPress is the most widely used web publishing platform in the world and is generally considered secure. However, its ecosystem of countless third-party add-ons includes some with very serious vulnerabilities.
Although the researchers could not identify the exact exploit used to spread the malware, they suspect the attackers automated the process and may have exploited any known vulnerability that site owners had not yet patched.
The researchers said the malware is simple in operation: when users visit an infected site, they are redirected to a question-and-answer site that displays ads served through Google's advertising platform. This tricks Google into paying the campaign's owners for views, without Google knowing that those views were obtained fraudulently.
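As an added illustration of the behaviour described above (this is not Sucuri's tooling and not code from the report), the following Python scans a page's HTML for the client-side redirect constructs such a campaign depends on and flags any whose target points off-site. The sample pages, the site name example.com and the destination domain ads-qa.example.net are constructed for the example; a real scan would run this over pages fetched from the site being checked.

```python
import base64
import re
from urllib.parse import urlparse

# Common client-side redirect constructs (added example; patterns are illustrative,
# not indicators taken from the Sucuri report).
_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']'
    r'[^"\']*url\s*=\s*([^"\'\s;]+)',
    re.IGNORECASE,
)
_JS_LOCATION = re.compile(
    r'(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)
_JS_REPLACE = re.compile(
    r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE
)
# Base64-wrapped targets are a common way to keep the destination out of plain sight.
_JS_ATOB = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def _hostname(url):
    """Lower-cased hostname of an absolute URL, or '' for relative/malformed ones."""
    return (urlparse(url).hostname or "").lower()


def find_offsite_redirects(html, site_host):
    """Return (construct, target) pairs for redirects that leave site_host.

    Relative targets and redirects back to the site's own host are ignored,
    so ordinary login or canonical redirects do not raise an alert.
    """
    site_host = site_host.lower()
    findings = []
    for label, pattern in (
        ("meta-refresh", _META_REFRESH),
        ("js-location", _JS_LOCATION),
        ("js-replace", _JS_REPLACE),
    ):
        for match in pattern.finditer(html):
            target = match.group(1)
            host = _hostname(target)
            if host and host != site_host:
                findings.append((label, target))
    for match in _JS_ATOB.finditer(html):
        try:
            decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
        except ValueError:
            continue
        host = _hostname(decoded)
        if host and host != site_host:
            findings.append(("js-atob", decoded))
    return findings


# Constructed sample pages (not real captures).
CLEAN_SAMPLE = (
    '<html><head><title>Blog</title></head><body>'
    '<script>if (!user) location.href = "https://example.com/login";</script>'
    '<a href="/about">About</a></body></html>'
)
INFECTED_SAMPLE = (
    '<html><head><meta http-equiv="refresh" '
    'content="0;url=https://ads-qa.example.net/?q=1"></head><body>'
    '<script>window.location.href="https://ads-qa.example.net/land";</script>'
    '</body></html>'
)
_B64_TARGET = base64.b64encode(b"https://ads-qa.example.net/x").decode("ascii")
OBFUSCATED_SAMPLE = '<script>location.href = atob("' + _B64_TARGET + '");</script>'

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE),
                       ("obfuscated", OBFUSCATED_SAMPLE)):
        print(name, find_offsite_redirects(page, "example.com"))
```

The same-host check is what keeps the scanner quiet on legitimate redirects; the useful signal is a destination the site owner does not recognise, which is exactly what the campaign above produces.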
Sucuri has been tracking similar activity for months. In late November, its researchers disclosed a similar campaign that had infected nearly 15,000 WordPress sites. The difference between the two campaigns is that in last year's campaign the attackers made little effort to hide the malware, instead installing more than 100 malicious files on each site.
In the new campaign, the researchers said, the attackers went to great lengths to hide the malware's presence. They also made the malware more resistant to countermeasures so that it persists on the site for as long as possible.
To prevent such attacks, the researchers recommend keeping the website and all of its plugins up to date, and securing the wp-admin panel with strong passwords and multi-factor authentication.
Site owners who are already infected can follow Sucuri's clean-up instructions; they must also change all passwords and put the website behind a firewall.