Last year, a virus was spotted targeting hundreds of WordPress websites in order to reroute visitors to fake websites carrying Google AdSense ads. It was deduced that this was done to generate income by artificially increasing ad views. There has recently been an uptick in activity using the same virus.

Thousands of sites infected

Ben Martin from Sucuri reports that 10,890 websites have been infected by this virus since September 2022. Recently, there has been an increase in activity, with over 70 new malicious sites masquerading as URL shorteners. At the time of writing, almost 2,600+ sites had been found in 2023 alone.

Sucuri has identified 75 pseudo-short URL domains so far. Here is what some of them look like:

The following is the most frequent primary payload script:

The malware goes to great lengths to conceal its presence from operators. When a visitor is logged in as an administrator or has recently visited an infected site, the redirections are disabled.
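Because the redirections are hidden from logged-in administrators, a site owner checking from their usual browser may see nothing wrong. The following is an added example, not code from Sucuri or from the original article: it requests a page the way a first-time, logged-out visitor would and reports redirects and script sources that point off-site. It assumes the suppression depends on session state such as cookies, which the article does not specify; the function names, the allowlist and the sample hosts are constructed placeholders.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface each 3xx instead of silently following it

def fetch_fresh(url):
    """One GET with no cookie jar and no credentials: a first-time, logged-out visit."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, None, resp.read(500_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""

def findings(url, status, location, body, allowed_hosts):
    """Off-site redirect targets and script sources in one response (exact host match)."""
    def off_site(target):
        return (urlsplit(urljoin(url, target)).hostname or "") not in allowed_hosts
    out = []
    if location and 300 <= status < 400 and off_site(location):
        out.append(("redirect", urljoin(url, location)))
    out += [("script", urljoin(url, s)) for s in SCRIPT_SRC.findall(body) if off_site(s)]
    return out

def check_site(url, allowed_hosts, fetch=fetch_fresh, max_hops=5):
    """Walk the redirect chain hop by hop, stopping at the first off-site hop."""
    report = []
    for _ in range(max_hops):
        status, location, body = fetch(url)
        found = findings(url, status, location, body, allowed_hosts)
        report += found
        if not location or any(kind == "redirect" for kind, _ in found):
            break
        url = urljoin(url, location)
    return report

# Constructed responses standing in for a site; hosts are placeholders, not real indicators.
SAMPLE = {
    "http://site.example/": (301, "https://site.example/", ""),
    "https://site.example/": (200, None,
        '<script src="/wp-includes/js/jquery.js"></script>'
        '<script src="https://short.example.net/a.js"></script>'),
}

if __name__ == "__main__":
    print(check_site("http://site.example/", {"site.example"}, fetch=SAMPLE.get))
```

Put every host you intentionally load scripts from in `allowed_hosts`; anything left in the report is a host to investigate, not proof of infection.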

How to protect yourself

As always, users are strongly advised to patch all software on their sites and to secure wp-admin panels with 2FA or other access restrictions.

If your site has already been infected, reset the passwords for all access points, including admin credentials, FTP accounts, cPanel, and hosting.