Malicious Code Causes WordPress Sites To Redirect To Scams

Outdated plugins exposed WordPress sites to hackers.

Earlier this month, security researchers uncovered an alarming find: thousands of WordPress sites had been attacked and had malicious code injected into their pages. By going after vulnerabilities in outdated plugins, hackers caused these pages to redirect to tech support scams. These phony pages inform the site visitor that their computer has been infected and needs to be cleaned.

Tech support scams are nothing new, unfortunately.

Popup boxes, browser pages that redirect, even spam emails and phone calls all try to convince unsuspecting users that their computers have been infected. By contacting the sender for assistance, they’re actually falling victim to multiple avenues of threat. Sometimes it’s a demand for payment to clean out the bogus infection, other times it’s a subscription fee to allegedly provide protection against future attacks.

Many tech support scams have included remote access to the victim’s computer–which they willingly provide when the scammer claims to need to take over the computer and remove an infection–which gives the scammer the ability to actually install a virus, root around in the victim’s files, and more.

A step backwards?

Google tried cracking down on tech support scams by blocking ads from any unverified support companies, but that may have actually led to this issue with WordPress. Without that revenue stream coming in, scammers have found other ways to get victims to comply.

The government has also made some headway in tackling tech support scammers, but the mechanism of lying to a victim in order to get them to call can have some effect on the criminal charges. You called me, remember? If the scammer can get the victim to comply and then agree to pay for a free virus scan and some AV software–whether or not they need it–it could become a simple matter of buyer-beware instead of fraud.

For now, WordPress users are encouraged to check their sites from a non-login visit in order to see if their pages redirect. Also, if you’re using any outdated plugins, it’s time to refresh those and block this kind of activity.