WordPress Popunder Malware redirects to scam sites

Over the past year, we have seen an ongoing malware infection that redirects website visitors to fraudulent sites. So far this year, our monitoring has detected over 3,000 websites infected with this injection, and over 17,000 in total since we first detected it in March 2021.

The reported behavior is always the same: a few seconds after the page loads, the browser is redirected to a dubious scam site.

Payload verification

The malware is still injected into the active theme’s footer.php file. The obfuscated JavaScript is placed after a long string of empty lines, presumably so that it stays out of view when the file is opened in an editor:

Once we de-obfuscate this, we see the following snippet of malicious code:

Attackers frequently adjust the injection very slightly, but again and again we notice the same domains initiating the redirect:


Source of infection?

There doesn’t appear to be any particular vulnerable plugin or theme that attackers have exploited, and we’ve seen it appear on fully updated WordPress environments. It appears attackers are using compromised WordPress administrator accounts (obtained through brute force, credential stuffing or leaked credentials) and abusing the built-in theme file editor in wp-admin to inject the malware.
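The two observations above, the injection hidden at the bottom of the active theme's footer.php after a long run of empty lines (see Payload verification) and the abuse of the built-in file editor, can both be checked with a short triage script. The following Python is an added example written for this page; it is not Sucuri's scanner or WordPress code. The blank-line threshold, the obfuscation marker list and the sample footer and wp-config contents are constructed assumptions, and the placeholder script body is not the real payload. DISALLOW_FILE_EDIT is the standard wp-config.php constant that removes the theme and plugin editor from wp-admin.

```python
import re
import sys
from pathlib import Path

# Heuristics only; the threshold and marker list are assumptions for this
# example, not Sucuri's detection signatures.
MIN_BLANK_RUN = 20
OBFUSCATION_MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "atob": re.compile(r"\batob\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "hex-escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# DISALLOW_FILE_EDIT removes the editor; DISALLOW_FILE_MODS implies it as well.
FILE_EDIT_RE = re.compile(
    r"define\s*\(\s*['\"]DISALLOW_FILE_(?:EDIT|MODS)['\"]\s*,\s*true\s*\)", re.IGNORECASE
)


def find_suspicious_scripts(source, min_blank_run=MIN_BLANK_RUN):
    """Return [(line_no, [reasons])] for each <script> block in a PHP template
    that sits after a long run of blank lines or contains obfuscation markers."""
    findings = []
    for match in SCRIPT_RE.finditer(source):
        before = source[: match.start()]
        line_no = before.count("\n") + 1
        # Count the blank lines immediately above the line holding the tag.
        blank_run = 0
        for prior in reversed(before.split("\n")[:-1]):
            if prior.strip():
                break
            blank_run += 1
        reasons = []
        if blank_run >= min_blank_run:
            reasons.append(f"preceded by {blank_run} blank lines")
        body = match.group(1)
        hits = [name for name, pat in OBFUSCATION_MARKERS.items() if pat.search(body)]
        if hits:
            reasons.append("obfuscation markers: " + ", ".join(hits))
        if reasons:
            findings.append((line_no, reasons))
    return findings


def file_editor_disabled(wp_config_source):
    """True if wp-config.php defines DISALLOW_FILE_EDIT (or DISALLOW_FILE_MODS)
    as true on a line that is not commented out."""
    for line in wp_config_source.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        if FILE_EDIT_RE.search(stripped):
            return True
    return False


def scan_wordpress_root(wp_root):
    """Scan every theme footer.php under wp_root and check wp-config.php."""
    root = Path(wp_root)
    report = {"footers": {}, "file_editor_disabled": None}
    for footer in root.glob("wp-content/themes/*/footer.php"):
        hits = find_suspicious_scripts(footer.read_text(errors="replace"))
        if hits:
            report["footers"][str(footer)] = hits
    config = root / "wp-config.php"
    if config.is_file():
        report["file_editor_disabled"] = file_editor_disabled(config.read_text(errors="replace"))
    return report


# Constructed samples for a stand-alone run; the script body is a generic
# placeholder, not the payload found on the infected sites.
CLEAN_FOOTER = (
    "<?php wp_footer(); ?>\n<script>console.log('analytics');</script>\n</body>\n</html>\n"
)
INFECTED_FOOTER = (
    "<?php wp_footer(); ?>\n</body>\n</html>\n" + "\n" * 40
    + "<script>eval(String.fromCharCode(118,97,114));</script>\n"
)
WP_CONFIG_HARDENED = (
    "<?php\n// define('DISALLOW_FILE_EDIT', false);\ndefine('DISALLOW_FILE_EDIT', true);\n"
)
WP_CONFIG_DEFAULT = "<?php\ndefine('DB_NAME', 'wordpress');\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_wordpress_root(sys.argv[1]))  # e.g. python scan.py /var/www/html
    else:
        print("clean footer:", find_suspicious_scripts(CLEAN_FOOTER))
        print("infected footer:", find_suspicious_scripts(INFECTED_FOOTER))
        print("hardened config:", file_editor_disabled(WP_CONFIG_HARDENED))
        print("default config:", file_editor_disabled(WP_CONFIG_DEFAULT))
```

Setting DISALLOW_FILE_EDIT closes the specific path the attackers use here, but it does not protect the account itself: an attacker holding valid administrator credentials can still upload a plugin or change settings, so treat it as one layer alongside the access controls listed in the conclusion.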

Consideration should also be given to what the attackers are trying to get from these redirects. Although many users are immediately suspicious of what appears to be an obvious fake scam website, this is not always the case. Attackers wouldn’t redirect people to these websites if they didn’t benefit from them, so every once in a while someone will follow through and fall for the scam. Readers should check out our guide on how to stay safe from online scams.

In conclusion

Readers should check out our guide to basic WordPress hardening to help secure your wp-admin panel. It boils down to a few key basic concepts:

  • Limit access to your administration area
  • Use multi-factor authentication
  • Use strong passwords
  • Limit the number of admin users on your website

Of course, if you are a user of our firewall service, we can help you prevent unauthorized access quite easily by using the protected page security option!
