Wednesday 26th September 2018

Thousands of WordPress websites infected by new malware that maliciously redirects unsuspecting visitors

According to security firm Sucuri, the alleged "main contributors" to the spread of the infection are the tagDiv Newspaper theme and the Ultimate Member Plugin. Conservative estimates suggest the malware has infected at least 2,200 websites.
by Jason Smith on 23rd August 2018

At least 2,200 WordPress websites have been infected by new malware that maliciously redirects visitors to third-party websites in order to trick them into accepting requests for browser notifications, according to a post published by cyber security firm Sucuri.

The malicious redirects send users to various URLs on the domain utroro.com, where they are seemingly served browser notification opt-in prompts masquerading as reCAPTCHA images.

The captions beside the reCAPTCHA images ask users to “click allow to verify you’re not a robot”. The “Allow” button is in fact the browser’s own notification-permission prompt, so a user who follows the instruction grants the site permission to push notifications rather than completing any verification.

According to Sucuri, the script that redirects users is served from two separate domains: eeduelements.com and allyouwant.online. It estimates that the script served from the former domain has infected 1,700 websites, while the latter has infected 500 websites.

It also alleges that both the tagDiv Newspaper theme and the Ultimate Member plugin are the “main contributors to this wave of infections”.

According to the WordPress plugin repository, the Ultimate Member plugin has been installed more than 100,000 times, while tagDiv’s Newspaper theme has been purchased more than 65,000 times on popular WordPress theme repository ThemeForest.

In tagDiv’s case, the vulnerability appears to be an old one that has since been patched.

The Ultimate Member plugin was also updated on 13th August. However, it is believed that the announcements accompanying that update may have prompted more attempts to exploit the vulnerability before WordPress administrators had an opportunity to update their plugins.

Sucuri’s estimate of the scale of the infections was pulled from Public WWW, a premium “search engine for source code”. Public WWW will only report a site if the indexed copy of its source code contains the injected script, so sites that were not crawled, or were crawled before they were infected, are not counted.

In other words, Sucuri’s estimate is a lower bound that only hints at the potential scale of the infection.

The security firm also reports that non-WordPress websites may have been infected. It states:

“If [an] account has more than one site, all the sites will be infected (even if they don’t have the Ultimate Member plugin or any vulnerable components).

“Non-WordPress sites will be infected too. Moreover, all neighboring sites that share the same account will continue to be reinfected unless all of them are properly cleaned and hardened”.

It recommends that all webmasters using tagDiv’s Newspaper theme or the Ultimate Member plugin update to the latest versions as soon as possible. It outlines further steps webmasters can take to mitigate the infections in its blog post.
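To check whether a site, or, as the report warns, every site under the same hosting account, carries references to the domains Sucuri names, here is an added example written for this page rather than taken from Sucuri or the article: a small Python scanner that walks an account root and reports every file mentioning eeduelements.com, allyouwant.online or utroro.com, grouped by site directory. Only the three domains come from the report; the file types scanned, the sample account tree the demo builds and the script URL paths inside it are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Domains named in the Sucuri report: the redirect script was served from the
# first two, and visitors were sent on to URLs under the third.
INDICATOR_DOMAINS = ("eeduelements.com", "allyouwant.online", "utroro.com")

# File types worth checking. Where an injected loader actually lands (theme or
# plugin PHP, a JavaScript bundle, static HTML) is an assumption for this demo.
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}

# Plain-text matching only; obfuscated or encoded references will not be caught.
_DOMAIN_RE = re.compile(
    "|".join(re.escape(d) for d in INDICATOR_DOMAINS), re.IGNORECASE
)


def scan_file(path):
    """Return (line_number, domain) for every indicator occurrence in one file."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, start=1):
                for match in _DOMAIN_RE.finditer(line):
                    hits.append((line_no, match.group(0).lower()))
    except OSError:
        pass  # unreadable file: skip it rather than abort the whole scan
    return hits


def scan_account(account_root):
    """Walk every site under an account root and group hits by site directory.

    Returns {site_dir: [(relative_path, line_number, domain), ...]} containing
    only directories with at least one hit; an empty dict means nothing matched.
    The walk deliberately covers the whole account rather than one document
    root, because the report says neighbouring sites on the same account keep
    getting reinfected unless all of them are cleaned.
    """
    root = Path(account_root)
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in SCAN_SUFFIXES:
                continue
            rel = path.relative_to(root)
            site = rel.parts[0] if len(rel.parts) > 1 else "."
            for line_no, domain in scan_file(path):
                findings.setdefault(site, []).append((rel.as_posix(), line_no, domain))
    return findings


def build_sample_account(base):
    """Write a constructed two-site account tree for the demo.

    The domains are the ones from the report; the file contents, directory
    layout and script URL paths are invented for illustration, not real samples.
    """
    base = Path(base)
    theme = base / "public_html" / "wp-content" / "themes" / "Newspaper"
    theme.mkdir(parents=True)
    # A clean WordPress front controller: must produce no hits.
    (base / "public_html" / "index.php").write_text(
        "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
    )
    # A theme footer with an injected loader pointing at a reported domain.
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        '<script src="https://eeduelements.com/example.js"></script>\n'
    )
    # A non-WordPress neighbour on the same account, also carrying a loader.
    other = base / "otherapp"
    other.mkdir()
    (other / "index.html").write_text(
        "<!doctype html>\n"
        "<html><head><title>Brochure</title></head>\n"
        "<body>\n"
        '<script src="https://allyouwant.online/example.js"></script>\n'
        "</body></html>\n"
    )


def demo():
    """Build the constructed account in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_account(tmp)
        return scan_account(tmp)


if __name__ == "__main__":
    for site, hits in sorted(demo().items()):
        print(f"[{site}]")
        for rel_path, line_no, domain in hits:
            print(f"  {rel_path}:{line_no}: {domain}")
```

Run it against a real account with `scan_account("/home/<user>")` instead of `demo()`. A hit is a starting point, not a verdict: the match is plain text, so a loader that builds the domain from encoded fragments will slip past it, and scripts stored in the database (for example in post content or site options) are not on disk and are not covered here.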