Thousands of WordPress sites compromised by false crypto ads


Mélina LOUPIA

April 9, 2024 at 6:15 p.m.


Thousands of WordPress sites targeted by fake NFTs and crypto ads © Golden Dayz / Shutterstock


Thousands of hacked WordPress sites display fake NFT and discount pop-ups, tricking visitors into connecting their wallets to cryptocurrency drainers.

Nothing new under the sun. Cryptocurrency wallets are a prime target for hackers, who use crypto drainers to empty their victims’ accounts.

To do so, they flooded nearly 2,000 WordPress sites with fake NFT and discount pop-ups to trick visitors into connecting their wallets to crypto drainers, which automatically steal funds without the victims’ knowledge. Once again, WordPress is not immune to attack: the most recent one slipped through a flaw in the LiteSpeed plugin, putting 5 million sites at risk.

These sophisticated attacks use malicious scripts to turn visitors’ web browsers into brute-force tools, undermining the security of users and their crypto holdings.

The scale and sophistication of the attack

The website security company Sucuri revealed in March 2024 that hackers had compromised around 1,000 WordPress sites to promote crypto drainers via malicious ads and YouTube videos. Apparently unsuccessful in their initial campaign, they began deploying scripts on the compromised sites that turned visitors’ web browsers into tools for brute-forcing admin passwords on other sites.

These attacks involved a pool of approximately 1,700 brute-forcing sites, including prominent examples such as the website of the Association of Private Banks of Ecuador. The goal was to build a pool of sites large enough to monetize as part of a larger campaign. According to cybersecurity researcher MalwareHunterTeam, the hackers have now started monetizing that pool of sites by displaying pop-ups promoting fake NFT deals and crypto discounts.

While it is unclear how many compromised sites are currently displaying these crypto drainers, an Urlscan search shows that more than 2,000 compromised websites have loaded the malicious scripts in the last seven days. Not all of them currently generate crypto pop-up scams, but that could change at any time. The malicious scripts are loaded from the dynamic-linx[.]com domain, the same one Sucuri saw last month.

The script looks for a specific cookie (“haw”) and, if it does not exist, injects malicious scripts into the web page. The malicious code randomly displays a promotional pop-up prompting victims to connect their wallet to mint a promising NFT or to receive a discount on the website.
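As an added example (not code from the article, Sucuri or BleepingComputer), the following Python scans a fetched page's HTML for the two indicators the article names: a script loaded from dynamic-linx[.]com and an inline script that tests for the “haw” cookie. The sample page is constructed, and the function and variable names are my own.

```python
# Added example: flag the injection pattern described in the article on a page's HTML.
# Indicators come from the article (dynamic-linx[.]com loader, "haw" cookie check).
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPICIOUS_DOMAINS = {"dynamic-linx.com"}  # domain named in the article (defanged there)
COOKIE_MARKER = "haw"                       # cookie name the injected script checks for

class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:           # HTMLParser hands over <script> bodies as raw data
            self.inline.append(data)

def _host(src: str) -> str:
    # Protocol-relative URLs ("//host/x.js") need a scheme before urlparse yields a host.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()

def _is_suspicious(src: str) -> bool:
    h = _host(src)
    return any(h == d or h.endswith("." + d) for d in SUSPICIOUS_DOMAINS)

def scan_html(html: str) -> dict:
    """Return external script sources and inline-script bodies matching the indicators."""
    p = _ScriptCollector()
    p.feed(html)
    return {"suspicious_scripts": [s for s in p.external if _is_suspicious(s)],
            "cookie_check_hits": [b.strip() for b in p.inline
                                  if "document.cookie" in b and COOKIE_MARKER in b]}

# Constructed sample page: one legitimate script, one injected loader, one inline cookie check.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="//dynamic-linx.com/b.js"></script>
<script>if(document.cookie.indexOf("haw")==-1){/* inject pop-up loader */}</script>
</head><body><p>Hello</p></body></html>"""
```

Run `scan_html` over the HTML of each page of a WordPress site you administer (or feed it the stored pages from a backup) to spot the loader before visitors see the pop-up.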

Crypto drainers are the bane of the cryptocurrency community © ilikeyellow / Shutterstock


One click allows hackers to empty victims’ crypto accounts

BleepingComputer tested several sites hosting these scripts, and although a few pop-ups initially did not attempt to connect to a wallet, they eventually started working again. When you click the login button, the scripts first offer native support for MetaMask, Safe Wallet, Coinbase, Ledger and Trust Wallet. And because they don’t do things by halves, they also support “WalletConnect”, which works with many other wallets, significantly widening the targeting reach.

Once a visitor connects their wallet to the site, the crypto drainer steals all the funds and NFTs from the account and transfers them to the hackers. It is worth noting that MetaMask displays a warning when visiting websites infected with these malicious scripts.

Crypto drainers are the bane of the cryptocurrency community, a sector already weakened since the surge in its flagship currency, Bitcoin, the conviction of FTX boss Sam Bankman-Fried and, most recently, Google’s lawsuit against hackers who made fake crypto apps available on its Play Store.


Source: Bleeping Computer, Sucuri, MalwareHunterTeam on X
