Attackers have transformed hundreds of hacked sites running WordPress software into command-and-control servers that force visitors’ browsers to perform password-cracking attacks.

A web search for the JavaScript that performs the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago. Denis Sinegubko, the researcher who spotted the campaign, said at the time that he had seen thousands of visitor computers running the script, which caused them to reach out to thousands of domains in an attempt to guess the passwords of usernames with accounts on them.

Visitors unwittingly recruited

“This is how thousands of visitors across hundreds of infected websites unknowingly and simultaneously try to bruteforce thousands of other third-party WordPress sites,” Sinegubko wrote. “And since the requests come from the browsers of real visitors, you can imagine this is a challenge to filter and block such requests.”

Like the hacked websites hosting the malicious JavaScript, all the targeted domains are running the WordPress content management system. The script—just 3 kilobits in size—reaches out to an attacker-controlled getTaskURL, which in turn provides the name of a specific user on a specific WordPress site, along with 100 common passwords. When this data is fed into the browser visiting the hacked site, it attempts to log into the targeted user account using the candidate passwords. The JavaScript operates in a loop, requesting tasks from the getTaskURL reporting the results to the completeTaskURL, and then performing the steps again and again.

    • Lath
      link
      fedilink
      39 months ago

      Maybe. In part it depends on Google. I reported a case on safebrowsing. What they did with that and how many such reports were made remains anyone’s guess.

  • AutoTL;DRB
    link
    English
    19 months ago

    This is the best summary I could come up with:


    A web search for the JavaScript that performs the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago.

    Like the hacked websites hosting the malicious JavaScript, all the targeted domains are running the WordPress content management system.

    When this data is fed into the browser visiting the hacked site, it attempts to log into the targeted user account using the candidate passwords.

    Roughly 0.5 percent of cases returned a 200 response code, leaving open the possibility that password guesses may have been successful.

    As Sinegubko notes, the more recent campaign is significant because it leverages the computers and Internet connections of unwitting visitors who have done nothing wrong.

    NoScript breaks enough sites that it’s not suitable for less experienced users, and even those with more experience often find the hassle isn’t worth the benefit.


    The original article contains 609 words, the summary contains 148 words. Saved 76%. I’m a bot and I’m open source!