According to a recent post from Sucuri, its website scanner detected an active, distributed brute-force attack that abuses compromised WordPress sites to steal passwords for other sites. The attackers inject malicious scripts into the compromised websites, and these scripts execute whenever a visitor loads a page. The scripts then lure users into performing the action as directed, convincing them to hand over their data.
As explained in the post, the researchers had been tracking this tactic for some time; it first drew Sucuri’s attention for injecting crypto wallet drainers. The researchers followed the initial malware campaigns, observing two iterations. Since February 2024 alone, they found over 1200 websites infected with malware injected via the cachingjs/turboturbo.js script.
Following this campaign, the researchers observed a shift in the attackers’ goal, from injecting crypto drainers to injecting brute-force scripts. When a visitor reaches a compromised website, the script hijacks the visitor’s browser and uses it to brute-force passwords for other websites.
For this, the script is loaded into the browser via https://dynamic-linx[.]com/chx.js. Once the victim’s browser connects to the attackers’ server, it receives brute-force tasks from https://dynamic-linx[.]com/getTask.php. Each task arrives as a JSON file that includes all brute-force parameters, such as the target site’s URL and a list of passwords to try. On successfully brute-forcing credentials, the browser reports task completion to the attackers’ server and asks for the next task.
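Because the loader described above has to sit in the compromised site’s HTML as an external script tag, a site owner can audit pages for it. The following Python audit is an example added to this article (not Sucuri’s tooling): it collects every script src, flags the indicators named in the report (the dynamic-linx[.]com host and the cachingjs/turboturbo.js path), and also lists any third-party script host that is not on a site-specific allowlist; the sample HTML, the site hostname and the allowlist are constructed for the demonstration.

```python
"""Audit WordPress page HTML for injected external <script> loaders.
Example code written for this article, not Sucuri's own tooling."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators quoted in the article, kept defanged and undefanged at match time.
KNOWN_BAD_HOSTS = {"dynamic-linx[.]com".replace("[.]", ".")}
KNOWN_BAD_PATH_FRAGMENTS = ("cachingjs/turboturbo.js",)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def audit_scripts(html, site_host, allowed_hosts=()):
    """Return (src, reason) pairs for script sources that deserve review."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        parsed = urlparse(src)          # also handles protocol-relative "//host/x.js"
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        if host in KNOWN_BAD_HOSTS or any(f in path for f in KNOWN_BAD_PATH_FRAGMENTS):
            findings.append((src, "known indicator from the Sucuri report"))
        elif host and host != site_host.lower() and host not in allowed_hosts:
            # Not proof of compromise, but exactly where an injected loader lives.
            findings.append((src, "third-party script not on allowlist"))
    return findings


# Constructed sample: a local script, an allowlisted CDN, the loader from the
# article, and an unknown third-party host. Hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.allowed.example/lib.js"></script>
<script src="https://dynamic-linx.com/chx.js"></script>
<script src="https://unknown-third-party.example/stat.js"></script>
</head><body></body></html>"""


def scan_sample():
    return audit_scripts(SAMPLE_HTML, "victim-site.example", {"cdn.allowed.example"})


if __name__ == "__main__":
    for src, reason in scan_sample():
        print(f"{reason}: {src}")
```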
The researchers have shared a detailed technical analysis of this campaign in their post. Because the attack runs silently in visitors’ browsers, it is difficult for the targeted users to protect their passwords. Nonetheless, as the researchers suggest, users can still prevent the threat by setting strong passwords for their accounts. Likewise, WordPress admins may restrict their sites’ login interface to trusted IPs only.
Let us know your thoughts in the comments.