Fake jQuery Migrate plugin infected many WordPress sites

Fake jQuery Migrate plugin
Written by Emma Davis

Researchers Denis Sinegubko and Adrian Stoyan have found fake versions of jQuery files on dozens of sites that mimic the jQuery Migrate plugin for WordPress running on 7.2 million sites.

Such forgeries contain obfuscated code to download malware, and it is not yet clear how these scripts end up on the pages of compromised resources.

To make detection more difficult, these malicious files replace legitimate files at ./wp-includes/js/jquery/, where WordPress usually stores jQuery files. So, files jquery-migrate.js and jquery-migrate.min.js contain obfuscated code that additionally loads a strange analytics.js file with malware inside.

We recently see many websites with replaced ./wp-includes/js/jquery/jquery-migrate.min.js It loads malware from hxxps://stick.travelinskydream[.]ga/analytics.js.researcher Denis Sinegubko said on his Twitter account.

Although the full scope of this problem has not been determined, Sinegubko also shared a search query that helps detect more than three dozen pages infected with this “analytic script”.

Bleeping Computer writes that in fact this script, of course, has nothing to do with analytics. For example, the code contains links to /wp-admin/user-new.php: the WordPress admin page for creating new users. Moreover, the code accesses the _wpnonce_create-user variable, which WordPress uses to provide CSRF protection.

Fake jQuery Migrate plugin
Also, the “analytical script” can direct visitors to pages with fake polls, sites of fake technical support, forcing them to subscribe to spam or download dangerous browser extensions.

Injecting scripts like these on a WordPress site lets attackers conduct a variety of malicious activities including anything from Magecart scams for credit card skimming to redirecting users to scam sites.Bleeping Computer journalists write.

In the examples that Bleeping Computer researchers found, malicious pages prompted the user to allow notifications, ostensibly to make sure they weren’t a robot, or led to pages with fake polls aimed at collecting user data.

If your website uses WordPress or popular JavaScript plugins such as jQuery Migrate, it is recommended that you regularly conduct a thorough security audit and check for anomalies that could indicate signs of malicious activity.

Let me remind you that I wrote that Vulnerabilities in WordPress plugin put 100,000 sites at risk.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply