Massive WordPress JavaScript Injection Campaign Redirects to Ads

Our remediation and research teams regularly find malicious redirects on client sites. These infections automatically redirect site visitors to third-party websites hosting malicious resources, scam pages, or commercial sites, with the aim of generating illegitimate traffic.

As detailed in our latest Hacked Websites Report, we have been tracking a long-running campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign exploits known vulnerabilities in WordPress themes and plugins and has impacted a huge number of websites over the past year. For example, according to PublicWWW, the April wave of this campaign alone was responsible for nearly 6,000 infected web pages.

Since these PublicWWW results only show detections for plain, unobfuscated script injections, we can assume the true scope is considerably greater.

Investigating obfuscated JavaScript in WordPress sites

We recently received a number of complaints from clients about unwanted redirects on their WordPress websites. Interestingly enough, these turned out to be linked to a new wave of this massive campaign, which sent website visitors through a series of redirects to serve them unwanted advertisements.

The customers all shared a common problem: malicious JavaScript had been injected into their website files and database, including legitimate WordPress core files such as:

  • ./wp-includes/js/jquery/jquery.min.js
  • ./wp-includes/js/jquery/jquery-migrate.min.js

Once a website was compromised, the attackers attempted to automatically infect .js files with jQuery in their file names. The injected code starts with “/* trackmyposs*/eval(String.fromCharCode…”

The attackers clearly took some steps to evade detection and obfuscated their malicious JavaScript with String.fromCharCode, as seen below.

Malicious JavaScript injection hidden by CharCode

Once deobfuscated, the true behavior of the injection emerged.

Deobfuscated malicious JavaScript redirects site visitors on page load

This JavaScript was appended to the existing script or placed in the page header, where it ran on every page load and redirected site visitors to the attackers’ destination.

Malicious chain of redirects

To accomplish these redirects, the malicious injection creates a new script element whose source is the legendarytable[.]com domain.

The code served from legendarytable[.]com then calls a second external domain, local[.]followthedrake[.]com, which in turn calls connections[.]followthedrake[.]com and redirects the site visitor to one of many different domains, including:

  • bluestringline[.]com
  • browntouchmysky[.]com
  • redstringline[.]com
  • whitetouchmysky[.]com
  • gregoryfavorite[.]space
  • gregoryfavorite[.]High
  • pushnow[.]report

At this point, anything goes: the domains at the end of the redirect chain can be used to load advertisements, phishing pages, malware, or yet more redirects.

From the site visitor’s perspective, they simply see an intermediate page like the one below before landing on the final destination.

Malicious redirect landing page

This page tricks unsuspecting users into subscribing to push notifications from the malicious site. If they click the fake CAPTCHA, they opt in to receiving unwanted ads even when the site is not open, and the notifications appear to come from the operating system rather than the browser.

These sneaky push notification opt-in tricks are also one of the most common ways attackers display “tech support” scams, which tell users that their computer is infected or slow and that they should call a toll-free number to resolve the problem.

Malicious JavaScript detection via SiteCheck

Client-side redirects are initiated by the site visitor’s browser once the infected web page has loaded. Since this particular infection lives on the client side, remote website scanners such as SiteCheck can scan a website and identify this malware.

Here is an example of a SiteCheck results page for this specific campaign.

SiteCheck results for malicious JavaScript injection

At the time of writing, PublicWWW has reported 322 websites affected by this new wave of malware using the followthedrake[.]com domain. Since this number does not include obfuscated injections or sites that PublicWWW has not yet scanned, the actual number of affected websites is likely much higher.

Conclusion and Mitigation Steps

Our team has seen an influx of complaints about this specific wave of the massive campaign targeting WordPress sites since May 9, 2022; it had already affected hundreds of websites at the time of writing.

The attackers were found to target several vulnerabilities in WordPress plugins and themes to compromise websites and inject their malicious scripts. We expect them to continue registering new domains for this ongoing campaign as existing ones are blacklisted.

If you suspect that your website has been infected with malicious JavaScript or if you have found unwanted spam redirects or advertisements on your site, you can use our free remote website scanner to detect the malware.

Website owners who have identified malware on their website can follow the instructions in our hacked WordPress cleanup guide. As always, we’re happy to help clean up an infection if you need a hand.
