‘Master134’ Abuses Thousands of Compromised WordPress Websites in Malvertising Campaign

Delaware, USA – July 31, 2018 – Experts from Check Point uncovered a large-scale malvertising campaign that redirects users to Exploit Kit landing pages and technical support scammers’ websites. While investigating one of the RIG EK campaigns, the researchers found the Master134 server, to which scripts on the hacked websites redirected users. The server then redirects users to an advertising page on an ad network, from where the user lands on a page with malware. Further investigation revealed that the attackers compromised over 10,000 websites running WordPress CMS 4.7.1, for which there is a known remote code execution exploit. The campaign continues, and every week more than 40,000 users are redirected to malicious sites. The threat actor behind the Master134 campaign has been active since at least April 2017 and participated in campaigns that distributed ransomware and banking trojans via the RIG, Magnitude and GrandSoft Exploit Kits. In each campaign, the attackers bought advertising traffic from the AdsTerra Advertising Network, which had previously been involved in malvertising campaigns.

This is not the first case of mass exploitation of WordPress sites in similar campaigns. In January, the EvilTraffic campaign involved more than 18,000 compromised WordPress sites. To protect your web resources from cyber attacks, you need to install security updates promptly. Furthermore, you can use your SIEM with the Web Application Security Framework to detect web application misuse and breach attempts in the early stages.
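
As an added example (not from Check Point or the original article), the following Python script inventories WordPress installs under a web root and flags any at or below 4.7.1, the version the article names. The cutoff, the function names and the sample directory tree are assumptions made for illustration; the `$wp_version` line in `wp-includes/version.php` is where WordPress core records its release.

```python
import re
import tempfile
from pathlib import Path

# Assumption: treat the version named in the article, and anything older, as needing an update.
FLAGGED_VERSION = (4, 7, 1)

# WordPress core stores its release as: $wp_version = '4.7.1';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.MULTILINE)


def parse_version(text):
    """Return the release as a 3-tuple, or None if no usable $wp_version line exists."""
    m = VERSION_RE.search(text)
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1)) if m else None
    if not nums:
        return None
    # Keep only the leading dotted digits, so '4.8-beta1' becomes (4, 8, 0).
    parts = [int(p) for p in nums.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def audit(web_root):
    """Map each WordPress install under web_root to (version, needs_update)."""
    results = {}
    for vf in sorted(Path(web_root).rglob("version.php")):
        if vf.parent.name != "wp-includes":
            continue  # some plugin's version.php, not WordPress core
        version = parse_version(vf.read_text(errors="replace"))
        site = vf.parent.parent.relative_to(web_root).as_posix()
        # An unparseable core version file is flagged as well: it needs a manual look.
        results[site] = (version, version is None or version <= FLAGGED_VERSION)
    return results


def build_sample_tree(root):
    """Constructed sample data: three fake installs, used only for the demo."""
    for site, ver in {"blog": "4.7.1", "shop": "4.9.7", "old/news": "4.6"}.items():
        d = Path(root) / site / "wp-includes"
        d.mkdir(parents=True)
        (d / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for site, (ver, flagged) in audit(tmp).items():
            print(f"{site:10} {ver} {'UPDATE' if flagged else 'ok'}")
```

Point `audit()` at the real document root (for example the directory that holds all virtual hosts) to get the same mapping for live installs.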