Security researchers discovered that the attacks began in early September and exploited vulnerabilities in outdated plugins.
The code in the HTML header would deobfuscate to something like this:
In some cases, the link to the malicious script is present in the 'wp_posts' table of the WordPress database, which stores all the content: posts, pages, and their revisions, along with navigation menu items, media files, and content used by plugins.
This activity may be the result of the recent decision from Google to ban tech-support ads from unverified operators. The new policy will roll out over the course of a few months, and it was announced on Friday, August 31, awfully close to the "early September" period when Malwarebytes pinned the beginning of the attacks.
Crooks would mimic the practices of legal businesses and use a legitimate advertisement platform to promote their tech-support services. This would paint them as trustworthy in the eyes of the potential victim.
The recently observed attacks follow the classic recipe to convince users to call for tech support: a redirect to a page showing a warning about viruses running rampant on the computer, and a convenient toll-free support phone number.
Talking to BleepingComputer, Segura said that redirects to tech-support are not the only activity he's seen in these attacks.
He told us that "they are also pushing ads for some geolocations and user agents," a fraudulent activity that scams the advertiser, not the user visiting the ads, who is left with the annoyance of being diverted from content they want to see.
The security researcher recommends that website owners affected by these attacks be thorough in cleaning up, and check the pages as well as the databases. They should also identify the vector of the compromise, "which often times is an outdated WordPress installation or plugin."
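A defender-side check for the database part of that cleanup, added here as an example rather than code from the article or from Malwarebytes: it scans rows pulled from the `wp_posts` table (revisions included, since they are stored there too) for script tags loading from hosts outside an allowlist and for inline scripts carrying common obfuscation markers. The sample rows, hostnames and allowlist are constructed; in practice the rows would come from `SELECT ID, post_type, post_content FROM wp_posts`.

```python
import re
from urllib.parse import urlparse

# Constructed sample of wp_posts rows as (ID, post_type, post_content); not real site data.
SAMPLE_ROWS = [
    (1, "post", '<p>Hello</p><script src="https://cdn.example.com/lib.js"></script>'),
    (2, "revision", '<p>Old</p><script src="//evil-cdn.example.net/js/redirect.js"></script>'),
    (3, "page", '<script>eval(String.fromCharCode(118,97,114,32,97))</script>'),
    (4, "post", '<p>Clean content</p>'),
]

# Hosts the site legitimately loads scripts from (assumed allowlist; adjust per site).
ALLOWED_HOSTS = {"cdn.example.com"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
# Heuristic markers that often appear in obfuscated injected loaders.
OBFUSCATION_MARKERS = ("eval(", "string.fromcharcode", "unescape(", "atob(", "document.write(")


def script_host(src):
    """Return the hostname of a script src; '' for relative (same-site) paths."""
    if src.startswith("//"):  # protocol-relative URLs need a scheme for urlparse
        src = "https:" + src
    return urlparse(src).hostname or ""


def scan_post_content(post_id, post_type, content, allowed_hosts):
    """Flag external script tags not on the allowlist and obfuscated inline scripts."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(content):
        host = script_host(src)
        if host and host not in allowed_hosts:
            findings.append((post_id, post_type, "external_script", src))
    for body in INLINE_SCRIPT_RE.findall(content):
        lowered = body.lower()
        if any(marker in lowered for marker in OBFUSCATION_MARKERS):
            findings.append((post_id, post_type, "obfuscated_inline", body[:60]))
    return findings


def scan_rows(rows, allowed_hosts=ALLOWED_HOSTS):
    """Scan every row, revisions included, and return all findings in row order."""
    findings = []
    for post_id, post_type, content in rows:
        findings.extend(scan_post_content(post_id, post_type, content, allowed_hosts))
    return findings


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Same-site paths such as `/wp-includes/js/jquery.js` have no hostname and are skipped, so only off-site loaders and obfuscated inline blocks are reported.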
He added that the number of compromised WordPress websites increased in the last few days.