Skip to main content

WordPress Tech Support Redirection Campaigns

New campaigns have been observed targeting outdated WordPress installations and related plugins to enrol affected users in technical support scams or redirect them to malicious sites.
Threat ID:
CC-2625
Category:
Threat Severity:
Medium
Threat Vector:
Published:
26 September 2018 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

New campaigns have been observed targeting outdated WordPress installations and related plugins to enrol affected users in technical support scams or redirect them to malicious sites.

Affected platforms

The following platforms are known to be affected:

WordPress Core

  • WordPress Core - All versions

Threat details

The campaigns appear to be using multiple attack vectors to compromise WordPress websites, including; JavaScript injection attacks on unpatched sites, exploiting vulnerabilities in themes or plugins and altering code in WordPress databases.

Compromised sites are then used for a variety of purposes, including:

  • redirecting users to other sites for malvertising and ad-fraud purposes.
  • loading a CoinHive cryptocurrency miner on the user's device.
  • displaying fake malware warnings directing users to contact the threat actors for technical support, at which point they will install further malware to gain control of the user's device.

Remediation steps

Type Step

WordPress administrators are encouraged to update both their WordPress Core installations, as well as all related plugins and themes, to the latest available versions.

A full catalogue of WordPress Core can be found here.

Last edited: 17 February 2020 12:58 pm