Hackers are exploiting known vulnerabilities that have been identified in popular WordPress add-ons such as "Coming Soon and Maintenance Mode", "Yellow Pencil Visual CSS Style Editor" and "Blog Designer". These add-ons are installed on thousands of websites.
The malvertising campaign, identified by the Defiant team, causes unwanted pop-up advertisements to appear on sites and redirects users to malicious destinations.
At first, victims are led to a domain that checks the type of the visitor's device. Then, malicious code redirects them to malicious destinations, which can include technical support scams, malicious Android APKs, and various ads.
To carry out the campaign, the hackers used cross-site scripting (XSS) vulnerabilities that had been identified in Blog Designer and Coming Soon and Maintenance Mode, and an authentication-related issue that was detected in Yellow Pencil.
"The vulnerability of Yellow Pencil could allow attackers to take full control of a site," the researchers said.
This vulnerability had been used in another hacking campaign in April.
The vulnerability is located in the yellow-pencil.php file and can give the attacker administrator rights.
As for the cross-site scripting (XSS) vulnerabilities, most of the attempts to exploit them identified in this campaign were sent from IP addresses associated with popular hosting providers.