WordPress injection attack and “affiliate ping-pong”

When talking about web attacks we tend to think of just defacement or malware distribution. As I shall show in this post, this is not always the case, though financial gain remains the common motive. The attack I describe below is all about driving web traffic, abusing affiliate schemes for profit. We have spoken before about affiliate abuse, back in here.

Late last week, I noticed something of a surge in reports of a particular threat: hoards of legitimate pages were being injected with a malicious JavaScript, pro-actively blocked as Mal/ObfJS-H. Thus far, the common link between the affected sites appears to be WordPress. One user report suggests that the malicious script is being added to the header.php template script used by WordPress.

The injected script is visible immediately after the closing HEAD tag within affected sites:

Deobfuscating this script reveals its purpose.

The injected script writes a script element to the page to load an additional script from a remote site. Based on the content of that script, either additional content is loaded (document.write("<iframe ...) or a redirection performed (window.location=h).

The snapshot below shows the web traffic observed when browsing a compromised site on a test machine. The traffic to the rogue redirection site is highlighted. As you can see, a couple of simple HTTP 302 redirects are used to bounce traffic between sites.

  • grey/black – traffic to the legitimate site
  • red – initial request (/in.cgi?2) to the redirect site (loading the remote script)
  • blue – second request (/in.cgi?3) from the added iframe. Server responds with HTTP 302 redirect.
  • green – request to affiliate/payment site, due to 302 redirect. Query string passes in what appears to be the username (presumably for payment purposes). Server responds with HTTP 302.
  • gold – third request to redirect site (/in.cgi?4), due to above 302 redirect.

The redirection and payment sites currently being used in this attack are both new – registered just last week. Both share the same administrative contact – an individual based in Saint-Petersburg (a quick search reveals something of a history for association with rogue domains).

Browsing to the root of the payment site reveals login links for the administrator and affiliates.

Looking through the HTTP headers from the payment site reveals a cookie being set, for the domain rich-traffic.com, storing the user name passed in the query string. Judging from the homepage, this site is clearly all about making money.

This crudely translates to:

Of course this is not the first time WordPress users have been hit. Generally speaking, Content Management Systems (CMS) present attractive targets for attacks thanks to a large user base and relatively poor uptake of patches or updates. In this particular attack however, an out of date WordPress installation does not appear to be the root cause – many of the sites I checked, appear to be running the latest available version (2.9.1 at time of writing).