Javascript Injections Affecting WordPress Sites Globally

Have you been to a website recently only to be redirected to another site? These sites you get redirected to are filled with malicious content, ads or scam pages. If you have, good news is, you are not the only one who has fallen victim to this cheeky antic. There has been a massive increase in websites infected with a relatively unknown javascript injection method. Reports from various wordpress security and site cleaners suggest that there are millions of WordPress websites affected. We would like to point out that the sites that redirect to these other sites are ones that have been hacked. The reason we are creating this article is to explain what has happened and how.

 

So what has been affected? How bad is it? Well, to be honest the extent of which these injections have been done is quite big. While the effects are not good the damage can be quite bad if they were to change the scope of their attack. Sites that have been affected typically have their jquery.min.js jquery-migrate.min.js infected with encrypted javascript. Once the attackers have compromised the website in question they actively scan for javascripts with the name “jquery” in them. Once they have found a list of files in question they inject CharCode in to each file. By doing this they are actively covering up their tracks and trying to evade detection.

The Result of The Injections

What ends up happening with these injections is they redirect to a list of other sites, ultimately leading up to the last site in the redirection list. This site typically has a series of ads, malicious content or is a scam page. Some people will not see these redirects or even be aware of what is happening. The effects it can have on their machine can be minimal, however there is no telling what information these pages could get from an unsuspecting user.

Detecting Whether Your Site Has Been Affected

The great news is that it is a fairly straight forward process to work out whether your website is infected or not. The first way, you can do the test yourself by visiting Sucuri’s SiteCheck tool. The second is to get one of our WordPress developers to check over your site. If your site has been infected, the process required to fix the issue is straight forward and can often be cleaned up within an hour or so. If you have a backup of your website that is clean then that is by far the quickest way. However, either way you will need to have your plugins, themes and WordPress core updated to the latest versions.

How Long Has This Particular Hack Been Happening?

The first detections of this javascript injection campaign occured around the 9th of May, 2022. Most sites initially infected were redirecting to drakefollow.com. Other variations are now starting to show their heads as well now that some time has passed. The method being used to get in to each affected website so far has been through various vulnerabilities across popular WordPress themes and plugins, along with some older versions of WordPress.

I Believe My Site is Infected, What Can I Do?

As we mentioned earlier, you can try testing your site with Sucuri’s SiteCheck tool. Alternatively one of our team members can help by doing a scan of your site to see if it is infected. If either method does detect occurances of the injection in your website, the good news is that it can be cleaned up. After the site has been cleaned up, and certainly as a part of the process. We would recommend from an ongoing standpoint, and certainly as a part of the clean up process… To update the website plugins, theme and WordPress core where possible and needed.