Researchers were able to pinpoint the source of the attacks, identifying several IP addresses tied to web hosting providers. Once the attacks became known, the IP addresses stopped operating. Only one continued.
This IP address is 184.108.40.206, a Rackspace server, which hosts several infringing sites. Researchers contacted Rackspace to inform them of the suspicious activity.
Hackers have exploited known vulnerabilities in the following add-ons:
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support
- Form Lightbox
- Hybrid Composer
- All former NicDark plugins (nd-booking, nd-travel, nd-learning, et al.)
Initial research identified the injection of scripts that drove site visitors to malicious content.
However, the campaign has evolved and now includes an additional script aimed at installing a backdoor on the targeted site.
Researchers advise users to keep the add-ons on their WordPress sites updated and to apply the latest patches released to counter such attacks.
According to researchers, the attacks are moving from server to client. At the same time, they are becoming stealthier and harder to identify.
Publishers, platforms and brands need to think about what to do to prevent malicious activity. They should consider enhancing their cyber-security programs. This will help to remove any malicious hacker from their network and will reduce the risk for end users.