Thousands of WordPress websites have been compromised and injected with JavaScript code that redirects users to tech-support scam pages.

Security researchers discovered that the attacks began in early September and exploited vulnerabilities in outdated plugins.

Jérôme Segura of Malwarebytes says that on the client side he observed a large encoded blurb, typically in the HTML header, or one line of code pointing to external JavaScript code.

The code in the HTML header would deobfuscate to something like this:

In some cases, the link to the malicious script is present in the 'wp_posts' table of the WordPress database, which stores all the content: posts, pages, and their revisions, along with navigation menu items, media files, and content used by plugins.

Some website owners also spotted the compromised 'wp_posts' table as did Sucuri in their analysis after noticing an infection surge; they say that sometimes the threat actor does not bother to hide the link to the malicious JavaScript.
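As an added example (not code from the article, Malwarebytes or Sucuri), the kind of check a site owner can run against the 'wp_posts' table described above: query every row that contains a script tag and flag tags that either load from a host other than the site's own or carry the eval/unescape-style markers of an encoded blurb. The site hostname, the three-column table layout and the sample rows are assumptions constructed for the example; the same SELECT runs unchanged against MySQL.

```python
import re
import sqlite3
from urllib.parse import urlparse

SITE_HOST = "example-blog.test"  # assumption: the site's own hostname

# Constructed rows standing in for a WordPress wp_posts table (not real data).
SAMPLE_ROWS = [
    (1, "Hello world", "<p>Welcome to the site.</p>"),
    (2, "About", '<p>About us</p><script src="https://cdn.placeholder.invalid/ads.js"></script>'),
    (3, "Contact", "<script>eval(unescape('%76%61%72%20%61%3d%31'))</script>"),
    (4, "Gallery", '<script src="/wp-includes/js/jquery.js"></script>'),
    (5, "News", '<script src="https://example-blog.test/wp-content/themes/x/app.js"></script>'),
]

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.I)
# Markers typical of an encoded inline blurb: eval/unescape/fromCharCode/atob or long %xx runs.
OBFUSCATION = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|\batob\s*\(|(?:%[0-9a-f]{2}){8,}", re.I
)

def load_sample_db():
    """Build an in-memory table shaped like wp_posts so the SQL below also works on MySQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db

def classify_script(attrs, body):
    """Return a reason string if a <script> tag looks injected, else None."""
    m = SRC_ATTR.search(attrs)
    if m:  # external script: any absolute URL whose host is not our own
        src = m.group(1).strip()
        host = urlparse("https:" + src if src.startswith("//") else src).hostname
        return f"external script from {host}" if host and host.lower() != SITE_HOST else None
    return "obfuscated inline script" if OBFUSCATION.search(body) else None

def find_suspicious_posts(db):
    """Query wp_posts for rows with script tags and return (ID, title, reason) for suspect ones."""
    hits = []
    rows = db.execute(
        "SELECT ID, post_title, post_content FROM wp_posts WHERE post_content LIKE '%<script%'"
    )
    for post_id, title, content in rows:
        for attrs, body in SCRIPT_TAG.findall(content):
            reason = classify_script(attrs, body)
            if reason:
                hits.append((post_id, title, reason))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_posts(load_sample_db()):
        print(hit)
```

Flagged rows still need a manual look (a theme legitimately loading a CDN library will show up too), and the same scan belongs on theme and plugin files, since the article notes the injection is often in the HTML header rather than the database.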

Crims are scrambling to get back their tech-support biz

This activity may be the result of the recent decision from Google to ban tech-support ads from unverified operators. The new policy will roll out over the course of a few months, and it was announced on Friday, August 31, awfully close to the "early September" period to which Malwarebytes pinned the beginning of the attacks.

Crooks would mimic the practices of legitimate businesses and use a legitimate advertisement platform to promote their tech-support services. This would paint them as trustworthy in the eyes of the potential victim.

The recently observed attacks follow the classic recipe to convince users to call for tech support: a redirect to a page showing a warning about viruses running rampant on the computer, and a convenient toll-free support phone number.

Tech-support scams are not the only game

Talking to BleepingComputer, Segura said that redirects to tech-support are not the only activity he's seen in these attacks.

He told us that "they are also pushing ads for some geolocations and user agents," a fraudulent activity that scams the advertiser, not the user visiting the ads, who is left with the annoyance of being diverted from content they want to see.

Segura says that he has also seen campaigns designed to redirect to websites that inject the CoinHive JavaScript miner, allowing the attacker to spend the resources of users' computers to mint Monero cryptocurrency for as long as the compromised page is open.

The security researcher recommends that website owners affected by these attacks be thorough in cleaning up, and check the pages as well as the databases. They should also identify the vector of the compromise, "which often times is an outdated WordPress installation or plugin."

He added that the number of compromised WordPress websites increased in the last few days.
