Our partners at Astra Security have discovered yet another vicious attack on WordPress websites. If you own a WordPress website and you aren't using Astra Malware security protection, it's time to do so!
Let's take a look at their report:
Although it is one of the most common attacks on WordPress, WordPress redirection hacks never cease to surprise. In a new strain of the hack identified by our security engineers, the malware redirects WordPress websites to phishing pages of renowned companies such as Microsoft’s Outlook, security, and antivirus companies as well as known malicious domains such as
and several other domains that we previously saw in the Buyittraffic WP redirection hack and Digestcolect redirection hack. We have seen a large number of WP sites increasingly getting targeted with this attack.
When you click on the infected website’s URL, it takes you to the legitimate Microsoft Outlook login page with hostname https://login.microsoftonline.com/ (see picture below).
When unsuspecting users authenticate on this form, they are then presented with a permission-requesting add-in – inserted/modified by the hacker – to gain apex-level access to their Outlook account.
The hacker also presents other fake pop-ups emulating security and antivirus software, prompting users to scan their device for malware as depicted below:
Clicking on the Scan Now button can reveal your sensitive details to the hacker or give him complete access to your device.
The hack, like most WordPress redirection hacks, involves an injected malicious JS script.
The following script is just an example of the JS script we found in the database of the infected website.
As you can see, the script adds a redirection URL to the known hacker domain ‘track.lowerthenskyactive.ga’.
On close investigation, our security team also found the following script injected into almost all .php files inside the wp-content (plugins/themes) directory of the infected WordPress website.
Besides, all the .js files were also heavily infected with the following obfuscated code.
which decodes to –
Have you been hacked?
There are some other common hack symptoms that you should look out for. We have compiled the most common hacked symptoms seen on WP websites here.
Or you can just scan your website with a malware scanner to confirm the hack. Here’s how Astra’s machine-learning powered Malware Scanner flags malware on websites:
The best solution, if you are confused about how to deal with this hack, is to hire a professional security team. Astra Security has helped thousands of websites get out of a hack safely. We take care of the matter end to end and in record time (<6 hours of your sign-up).
If for any reason you cannot hire a security team, start by taking a backup and changing all the passwords (WP admin panel, database, etc.) if you still have access to your website.
Next, download the checksums of the core WP files and compare your current files with them. If it doesn’t make you lose a lot of work, replace the files altogether. Otherwise, check for unfamiliar changes and undo them. However, be very careful doing this as you may also delete a benign piece of script mistakenly.
Next, check the database tables for any rogue insertions.
After your website has been restored, ensure it becomes as hack-resistant as possible.
This is how you can do this: