A recent decision from Google to prohibit technical
support advertisements from unverified operators has led to the compromise of
thousands of WordPress websites, which are being injected with JavaScript
code that redirects users to these technical support scam pages.
Jérôme Segura of Malwarebytes was the one who spotted
the attacks as they began in early September. He observed either a large encoded
snippet, usually in the HTML header, or a single line of code pointing to
external JavaScript code.
The code in the HTML header would deobfuscate to something like this:
The recently observed attacks follow the
classic formula for persuading users to call for technical support: a redirect to a
page showing a warning about viruses running rampant on the PC, and
a convenient toll-free support phone number.
Segura, speaking with Bleeping Computer, says,
"We are pushing ads for some
geolocations and user agents, we've also seen campaigns designed to redirect to
websites that inject the CoinHive JavaScript miner, allowing the attacker to
spend the resources of users' computers to mint Monero cryptocurrency for as
long as the compromised page is opened."
A few sites besides Malwarebytes have
likewise identified a compromised 'wp_posts' table in the WordPress database,
which stores all content: posts, pages, and their revisions, along with
navigation menu items, media records, and content used by plugins.
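
For site owners checking for the two injection forms described above (a large encoded snippet, or one line pointing to external JavaScript), the following added example scans post content exported from the `ID` and `post_content` columns of 'wp_posts'. It is not code from Malwarebytes or the original article; the host allowlist, the thresholds, and the sample rows are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"blog.example.com", "cdn.example.com"}
# Heuristic: 40+ comma-separated small integers, or 200+ base64-like characters.
ENCODED_RUN = re.compile(r"(?:\d{1,3}\s*,\s*){40,}|[A-Za-z0-9+/=]{200,}")


class ScriptFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        host = urlparse(dict(attrs).get("src") or "").hostname
        # Relative URLs have no hostname and are treated as same-site.
        if host and host not in ALLOWED_HOSTS:
            self.findings.append(("external-script", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Only text inside <script> is checked for encoded runs.
        match = ENCODED_RUN.search(data) if self._in_script else None
        if match:
            self.findings.append(("encoded-inline-script", f"{len(match.group())} chars"))


def scan_posts(rows):
    """rows: iterable of (ID, post_content). Returns [(ID, kind, detail), ...]."""
    results = []
    for post_id, content in rows:
        finder = ScriptFinder()
        finder.feed(content)
        finder.close()
        results += [(post_id, kind, detail) for kind, detail in finder.findings]
    return results

# Constructed sample rows (not taken from any real site or from the campaign).
SAMPLE_ROWS = [
    (1, '<p>Hello</p><script src="/wp-includes/js/wp-embed.min.js"></script>'),
    (2, '<p>News</p><script src="https://injected.example.net/s.js"></script>'),
    (3, "<script>var a=[" + ",".join(["120"] * 60) + "];</script>"),
]
if __name__ == "__main__":
    print(scan_posts(SAMPLE_ROWS))
```

Any hit is a lead for manual review of that row and its revisions, since legitimate embeds and analytics tags can also trip these heuristics.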