UPDATED 20:41 EDT / JANUARY 23 2020

SECURITY

2,000+ WordPress sites hacked in new scam campaign

At least 2,000 WordPress sites have been hacked as part of a new campaign that redirects visitors to scam websites.

Uncovered Tuesday by security researchers at Sucuri Inc., the hack exploits vulnerabilities in various third-party plugins, including Simple Fields and CP Contact Form with PayPal.

The hackers gain access through the vulnerable plugins and inject JavaScript into the targeted site’s theme that loads redirect scripts from domains such as admarketlocation and gotosecond2. The attack doesn’t stop there: it also modifies existing WordPress theme files so that additional malware, including PHP backdoors and hack tools, can be injected later.

“We encourage website owners to disable the modification of primary folders to block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices,” the researchers said.
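The two symptoms described above, an external script tag inserted into theme files and inline code that redirects visitors, are things a site owner can check for without waiting for a scanner to flag them. The following Python script is an added example written for this article; it is not Sucuri’s tool or any WordPress code. It walks a theme directory, flags `<script src=…>` tags whose host is not on the site’s own allow-list, and flags inline scripts that change `window.location`. The sample theme files, host names (all under the reserved `.invalid` TLD) and the allow-list are constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample theme files (not taken from any real site). header.php
# carries the site's own CDN script plus an injected third-party loader;
# footer.php carries an inline redirect of the kind the campaign uses.
SAMPLE_THEME_FILES = {
    "header.php": """<!DOCTYPE html><html><head>
<script src="https://cdn.example-site.invalid/theme.js"></script>
<script type='text/javascript' src='https://redirect-injected.invalid/r.js'></script>
</head>""",
    "footer.php": """<footer></footer>
<script>window.location.replace('https://scam-landing.invalid/');</script>
</html>""",
    "functions.php": "<?php // untouched theme code\n",
}

# Hosts the site legitimately loads scripts from (constructed allow-list).
ALLOWED_HOSTS = {"cdn.example-site.invalid"}

SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)
INLINE_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Common ways injected JavaScript sends the browser elsewhere.
REDIRECT_RE = re.compile(
    r"(window|document)\.location(\.href|\.replace|\.assign|\s*=)", re.I
)
THEME_EXTENSIONS = (".php", ".html", ".js")


def find_suspicious_scripts(theme_files, allowed_hosts):
    """Return (file, kind, detail) tuples for scripts that warrant review.

    theme_files maps a file name to its text content.  kind is either
    'external-script' (src host not on the allow-list) or 'inline-redirect'.
    """
    findings = []
    for name, content in theme_files.items():
        for src in SCRIPT_SRC_RE.findall(content):
            host = urlparse(src).hostname
            # Relative URLs have no host and are served by the site itself.
            if host and host.lower() not in allowed_hosts:
                findings.append((name, "external-script", src))
        for body in INLINE_SCRIPT_RE.findall(content):
            if REDIRECT_RE.search(body):
                findings.append((name, "inline-redirect", body.strip()[:80]))
    return findings


def scan_theme_dir(theme_dir, allowed_hosts):
    """Read every theme file on disk and run the same checks over it."""
    files = {}
    for root, _dirs, names in os.walk(theme_dir):
        for fname in names:
            if fname.endswith(THEME_EXTENSIONS):
                path = os.path.join(root, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, theme_dir)] = fh.read()
    return find_suspicious_scripts(files, allowed_hosts)


if __name__ == "__main__":
    # Run against the constructed sample; pass a real theme path to scan_theme_dir
    # (e.g. wp-content/themes/<your-theme>) to check a live install.
    for finding in find_suspicious_scripts(SAMPLE_THEME_FILES, ALLOWED_HOSTS):
        print("%s: %s -> %s" % finding)
```

The scan is a review aid, not a verdict: an unfamiliar host may be a legitimate analytics or CDN dependency, so confirm each hit against the theme’s source before removing it. The “disable the modification of primary folders” advice quoted above maps to two real `wp-config.php` constants, `DISALLOW_FILE_EDIT` (removes the in-dashboard theme and plugin editor) and `DISALLOW_FILE_MODS` (also blocks plugin and theme installs and updates from the dashboard), which close the path an attacker with a compromised admin session would use to write into theme files.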

While only slightly over 2,000 hacked WordPress installations have been detected so far, the number is likely to rise, since vulnerabilities like those found in the two named WordPress plugins can also be found in other plugins. WordPress is the most popular content management system on the internet, powering 35% of all websites, so the potential scope of the campaign is much larger.

“WordPress plugins are another example of third-party risks to websites and have been a frequent target in the past,” Ameet Naik, security evangelist at bot protection startup PerimeterX Inc., told SiliconANGLE. “A single compromised plugin can infect tens of thousands of websites in one stroke, hence they remain a popular attack vector.”

The technique here is quite similar to those used in the Magecart attacks where additional scripts are loaded from malicious domains, he explained. “These scripts can perform any action ranging from hijacking the user to a scam site, or sniffing personally identifiable information from form fields,” he said. “Website owners must be cautious while using external plugins and ensure they stay up to date with security patches.”

Mike Bittner, associate director of digital security and operations at digital security firm The Media Trust, said that campaigns that redirect users of legitimate sites to scam sites underscore the problems with relying on digital third parties.

“While digital third parties provide much-needed support to websites that must meet the growing demands of website users, they also expose site owners and users to security and privacy risks,” Bittner noted. “The code they run on today’s websites lies outside the website owners’ perimeter. As a result, owners don’t know who’s running what code on their sites, and what impact this might have on users.”

Meanwhile, he added, bad actors are capitalizing on this growing reliance on these digital third parties, who often bring their software to market without much thought given to security and privacy. “While this arrangement may have worked in the past, the passage of the California Consumer Privacy Act has shaken up the industry with stiff penalties and private right of action in case of a breach,” he said. “The upshot is that companies can no longer take privacy and security lightly.”

Photo: Pxfuel
