WordPress sites are being attacked with another major plugin hack
Malicious WordPress plugin generates ad traffic for its unidentified creators
Cybersecurity researchers from Malwarebytes have discovered a number of WordPress websites that were compromised and infected with a malicious plugin that quietly generates ad traffic.
In a blog post detailing their findings, it was said that a “few dozen” WordPress websites were breached, and whoever was behind the attack installed a backdoor called “fuser-master”.
Fuser-master is quite the piece of work. It first generates a specific URL, and if a user clicks it, they will be redirected to the legitimate blog, but with a popunder page. That popunder, purchased from a different page, will serve various ads.
Mimicking human behavior
The WordPress plugin will then mimic human behavior, scrolling through the page a bit, before clicking on an ad. If the user scrolls around, moves the mouse, or clicks anything, the plugin will stop its activity, further hiding its presence.
The popunder page was also said to be refreshing itself from time to time, loading additional ads in the process. What’s more, if the visitor closes the browser and sees the popunder, any movement activity will stop.
In total, Malwarebytes found 50 blogs compromised with fuser-master. One of the sites had some 4 million visits in January alone, the researchers further said, adding that the average visit duration in this period was almost 25 minutes.
Fuser-master’s authors went the distance trying to hide their identities. Not only is the plugin trying hard to hide, but it was impossible to find any references for the plugin, the author name, or a download site, anywhere. The only thing Malwarebytes’ researchers managed to find is one mention of a WordPress theme detector on themesinfo.com.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
At first sight, most of the blogs there look legitimate. However, when a user enters the specific URL and other parameters, the site is turned into an ad fraud hub.
- Check out the best firewalls
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.