Cybersecurity researchers at Malwarebytes discovered a number of WordPress sites that have been hijacked and infected with a malicious plug-in that silently generates ad traffic.
In a blog post detailing its findings, the company said that “several dozen” WordPress sites had been compromised, and that whoever was behind the attack had installed a backdoor called “fuser-master”.
Fuser-master is a piece of work. First, it generates a specific URL and if the user clicks on it, they are redirected to a legitimate blog but with a popunder page. This popunder, bought from another site, will display different ads.
Imitation of human behavior
The WordPress plugin will then mimic human behavior by scrolling down the page a bit before clicking on the ad. If the user scrolls, moves the mouse or clicks anything, the plug-in will stop working, further hiding its presence.
The researchers also said that the popunder page refreshes from time to time, loading additional ads in the process. Moreover, if the visitor closes the browser and sees a pop-up window, all traffic activity will be stopped.
In total, Malwarebytes found 50 blogs attacked by fuser-master. The researchers further found that one site had around 4 million visits in January alone, adding that the average visit time over that period was nearly 25 minutes.
The authors of fuser-master have gone to great lengths in an attempt to conceal their identities. Not only does the plugin try to hide, but no references to the plugin, author’s name, or download page could be found anywhere. The only thing Malwarebytes researchers could find was one mention of a WordPress theme detector on themesinfo.com.
At first glance, most blogs look legitimate. However, once the user enters the specified URL and other parameters, the site turns into an advertising scam hub.