3,500 websites compromised - ShiftDelete.Net Global

ShiftDelete.net
FOLLOW US

3,500 websites compromised

More than 3,500 websites worldwide have been silently compromised using JavaScript code used for browser-based crypto mining.

3,500 websites compromised

More than 3,500 websites worldwide have been silently compromised using JavaScript code used for browser-based cryptomining. These attacks, once common with tools like CoinHive, were stopped in recent years by browser manufacturers’ measures. However, a new campaign has resurfaced this attack method.

Browser-based attacks are back

Security researchers announced that analysis conducted by c/side identified a cryptominer embedded in JavaScript, hidden and obscured. This code tests the device’s processing power, runs Web Workers in the background, and initiates the mining process without any warning or slowdown.

More strikingly, the attackers use WebSocket technology to pull tasks from external servers and dynamically adjust the mining intensity based on the device. This avoids conspicuous use of system resources, allowing the attack to run undetected for extended periods.

Researcher Himanshu Anand stated that this method was designed with a specific focus on stealth. Users are unknowingly recruited into the cryptocurrency mining process through the sites they visit, silently transforming their systems into a source of revenue. How the websites were compromised remains unclear.

It has been revealed that the JavaScript miner code hosted by the attacked sites was previously used in Magecart attacks aimed at stealing credit card information. This suggests that the attackers are operating with multiple objectives, such as crypto mining and financial data theft, using a single infrastructure.

The fact that both mining and payment form injection are carried out using the same domains demonstrates that attackers have turned JavaScript into a versatile weapon. A series of attacks in recent weeks have focused particularly on WordPress-based websites.

Attackers execute malicious JavaScript by redirecting users through a legitimate link within the Google OAuth system. Furthermore, Google Tag Manager (GTM) code is injected directly into the WordPress database, redirecting visitors to spammy sites.

Some attacks target the core files of WordPress sites. Malicious PHP code is inserted into the wp-settings.php file to establish a connection to command and control servers, manipulating search engine rankings and spreading spam content.

Malicious code embedded in themes also causes browser redirects. Fake plugins that detect search engine bots and serve spam content specifically for them have also been detected. One of the most notable cases was the supply chain attack on versions 2.9.11.1 and 2.9.12 of the popular WordPress plugin Gravity Forms.

The backdoored versions, distributed through the official download page, establish a remote connection, download additional malware, and create a new administrator account on the system. The plugin’s developer, RocketGenius, shared details about the attack, warning users about risks such as update blocks, unauthorized access, and data manipulation.

websites

SDN Comments 0 Comments

Comment

Related News

DDR4 RAM prices have peaked: A crisis is looming!
DDR4 RAM prices have peaked: A crisis is looming!
Audi unveils its new sports car
Audi unveils its new sports car
Interesting development regarding the Nvidia RTX 5060
Interesting development regarding the Nvidia RTX 5060
The series “Organize İşler” is taking shape
The series “Organize İşler” is taking shape

SDN Network

Sihirli Elma Yeşil Robot Tech Inside Pembe Teknoloji Future Flow Life

SDN.net

1250 BORREGAS AVENUE, #40, SUNNYVALE, CA
94089 ShiftDelete.Net LLC

info@shiftdelete.net

Shiftdelete.Net is a member of the Association of Internet Media and IT Reporters.

Desteklio