A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that is believed to have been active since at least 2017.
The latest operation is said to have been under way since December 26, 2022, according to data from urlscan.io. A prior wave seen in early December 2022 impacted more than 3,600 sites, while another set of attacks recorded in September 2022 ensnared more than 7,000 sites.
The rogue code is inserted in the WordPress index.php file, with Sucuri noting that it has removed such changes from more than 33,000 files on the compromised sites in the past 60 days.
“In recent months, this malware campaign has gradually switched from the notorious fake CAPTCHA push notification scam pages to black hat ‘ad networks’ that alternate between redirects to legitimate, sketchy, and purely malicious websites,” Sucuri researcher Denis Sinegubko said.