WordPress websites are being hacked to hijack your browser — and then attack other sites

Hackers are building a base of compromised WordPress websites

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybercriminals are using compromisedWordPress websitesto form a huge army for credential stuffing attacks, experts have warned.

A report from cybersecurity researchers Sucuri spotted the campaign, and believe they know what its goal is - namely looking for vulnerable sites from thewebsite builder, where they can install a small script in the HTML templates. That script forces the website visitor’s computer to visit a different WordPress website (in the background, unbeknownst to the victim) and try to log in using different username and password combinations.

Once the victim cracks the login code, they would, still unaware, relay that information back to the attackers, and receive further instructions (another website to crack).

Building a base

Citing information from the HTML source code search engine, PublicHTML,BleepingComputerreported that there are currently more than 1,700 websites hosting this script, “providing a massive pool of users who will be unwittingly conscripted into this distributed bruteforce army.” Among the victims, the publication further reports, is the website of Ecuador’s Association of Private Banks.

Sucuri says it’s been tracking this threat actor in the past. Until now, the group used the same technique for a different purpose - to install the AngelDrainermalware. AngelDrainer is a piece of code that, as the name suggests, “drains” all of the funds a victim may have in their cryptocurrency wallets. To do that, the victim needs to connect their wallet (such as the MetaMask wallet, for example) to a crypto service. The group even built their own fake Web3 websites to get people to connect their wallets.

The researchers aren’t certain why the group decided to pivot into credential stuffing. One explanation is that they’re building a bigger base of compromised sites that can then be used to launch more destructive attacks - such as wallet draining campaigns.

“Most likely, they realized that at their scale of infection (~1000 compromised sites) the crypto drainers are not very profitable yet,” Sucuri concluded.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“Moreover, they draw too much attention and their domains get blocked pretty quickly. So, it appears reasonable to switch the payload with something stealthier, that at the same time can help increase their portfolio of compromised sites for future waves of infections that they will be able to monetize in one way or another.”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

Arcane season 2 confirms the hit series isn’t just one of the best Netflix shows ever made – it’s an animated legend that’ll stand the test of time