The number of infections spiked last week, with hackers exploiting vulnerabilities in various plugins, including Simple Fields and the CP Contact Form with PayPal, the security vendor explained in a blog post.
Among the domains registered as part of the campaign are gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com and admarketresearch[.]xyz.
“We encourage website owners to disable the modification of primary folders to block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices.”
The attackers have also been observed abusing /wp-admin/ features to create fake plugin directories that contain more malware, for example by using the /wp-admin/includes/plugin-install.php file to upload a zip-compressed fake plugin and unzip it into /wp-content/plugins/.
The two most common fake plugin directories spotted by Sucuri are /wp-content/plugins/supersociall/supersociall.php and /wp-content/plugins/blockspluginn/blockspluginn.php.
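A site owner can check a WordPress install against the indicators named above (the two fake plugin files and the four campaign domains). The following is an added example, not code from Sucuri or from the original article; the function names `scan_wordpress` and `build_sample_site`, the scanned file extensions and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Indicators from the article. Domains stay defanged here and are refanged at scan time.
FAKE_PLUGIN_FILES = tuple(f"wp-content/plugins/{n}/{n}.php"
                          for n in ("supersociall", "blockspluginn"))
DEFANGED_DOMAINS = ("gotosecond2[.]com", "adsformarket[.]com",
                    "admarketlocation[.]com", "admarketresearch[.]xyz")
SCANNED_EXTENSIONS = (".php", ".js", ".html", ".htm")  # assumption: text assets only

def scan_wordpress(root):
    """Return sorted (kind, relative_path, detail) findings for a WordPress root."""
    domains = [d.replace("[.]", ".").encode() for d in DEFANGED_DOMAINS]
    findings = []
    # 1. Fake plugin files reported as the most common in this campaign.
    for rel in FAKE_PLUGIN_FILES:
        if os.path.isfile(os.path.join(root, *rel.split("/"))):
            findings.append(("fake_plugin", rel, "file named in the campaign report"))
    # 2. Any script or template that references one of the campaign domains.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCANNED_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read().lower()
            except OSError:
                continue  # unreadable files are skipped, not reported
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings += [("domain_reference", rel, d.decode()) for d in domains if d in data]
    return sorted(findings)

def build_sample_site():
    """Create a constructed sample tree (not real site data) and return its path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    samples = {
        "index.php": b"<?php // clean file",
        "wp-content/plugins/supersociall/supersociall.php": b"<?php // placeholder",
        "wp-content/themes/demo/header.php":
            b"<script src='//admarketlocation.com/placeholder.js'></script>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for finding in scan_wordpress(build_sample_site()):
        print(finding)
```

A clean result only means these specific indicators are absent; it does not show the site is uncompromised.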
The firm has seen over 2000 sites compromised in this campaign so far.
WordPress is by far the biggest culprit when it comes to hacked website platforms. It accounted for 90% of compromised websites spotted by Sucuri in 2018, up from 83% in 2018. There was a big drop to Magento (4.6%) and Joomla (4.3%) in second and third.