WordPress websites are being hacked to hijack your browser — and then attack other sites


Cybercriminals are using compromised WordPress websites to form a huge army for credential stuffing attacks, experts have warned.

A report from cybersecurity researchers Sucuri spotted the campaign, and the researchers believe they know what its goal is: looking for vulnerable sites built on the website builder, where they can install a small script in the HTML templates. That script forces the website visitor's computer to visit a different WordPress website (in the background, unbeknownst to the victim) and try to log in using different username and password combinations. Once the victim's browser cracks a login, it would, still unaware, relay that information back to the attackers and receive further instructions (another website to crack).

Building a base

Citing information from the HTML source code search engine PublicHTML, BleepingComputer reported that there are currently more than 1,700 websites hosting this script, "providing a massive pool of users who will be unwittingly conscripted into this distributed bruteforce army." Among the victims, the publication further reports, is the website of Ecuador's Association of Private Banks.

Sucuri says it has been tracking this threat actor in the past. Until now, the group used the same technique for a different purpose: to install the AngelDrainer malware. AngelDrainer is a piece of code that, as the name suggests, "drains" all of the funds a victim may have in their cryptocurrency wallets. To do that, the victim needs to connect their wallet (such as the MetaMask wallet, for example) to a crypto service. The group even built their own fake Web3 websites to get people to connect their wallets.

The researchers aren't certain why the group decided to pivot into credential stuffing. One explanation is that they're building a bigger base of compromised sites that can then be used to launch more destructive attacks, such as wallet draining campaigns.
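The distributed brute force described above is hard to spot with per-IP rate limits, because each hijacked browser sends only a handful of login attempts. The detection below is an added example, not code from Sucuri or the article: it runs over a constructed access-log sample and flags time windows in which an unusual number of distinct sources POST to WordPress login endpoints. The log lines, the thresholds and the 302-on-success heuristic are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed combined-format access log sample (not from the article); the 203.0.113.x
# addresses play the role of hijacked visitor browsers, 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3150
203.0.113.11 - - [01/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3150
203.0.113.12 - - [01/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410
203.0.113.13 - - [01/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3150
198.51.100.7 - - [01/Mar/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 12000
203.0.113.14 - - [01/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3150
203.0.113.15 - - [01/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # WordPress login and XML-RPC auth endpoints

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_distributed_login_bursts(log_text, window_seconds=60, min_distinct_ips=5):
    """Flag windows where many distinct IPs POST to a login endpoint, however few attempts each."""
    buckets = defaultdict(lambda: {"ips": Counter(), "possible_successes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start]["ips"][ip] += 1
        # wp-login.php re-serves the form (200) on failure and redirects (302) on success.
        if path == "/wp-login.php" and status == 302:
            buckets[start]["possible_successes"] += 1
    alerts = []
    for start, b in sorted(buckets.items()):
        if len(b["ips"]) >= min_distinct_ips:  # per-IP counts stay tiny; distinct sources spike
            alerts.append({"window_start": start, "distinct_ips": len(b["ips"]),
                           "attempts": sum(b["ips"].values()), "max_per_ip": max(b["ips"].values()),
                           "possible_successes": b["possible_successes"]})
    return alerts
```

Each alert reports `max_per_ip` alongside `distinct_ips` so that the gap between the two, one attempt per source but many sources, is visible to whoever triages it.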
“Most likely, they realized that at their scale of infection (~1000 compromised sites) the crypto drainers are not very profitable yet,” Sucuri concluded. 
"Moreover, they draw too much attention and their domains get blocked pretty quickly. So, it appears reasonable to switch the payload with something stealthier, that at the same time can help increase their portfolio of compromised sites for future waves of infections that they will be able to monetize in one way or another."
