An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage, OptinMonster, and TrustPulse, turning those files into a way to break into the sites.
When a site administrator was logged in as the file loaded, the code created an admin account under the attacker’s control and installed a hidden plugin that opened a way back in. Ordinary visitors did not trigger it.
Any site that was hit should be treated as compromised. All three plugins are run by one company, Awesome Motive, which had not commented on the two larger plugins as of June 15.
Security firm Sansec disclosed the wider campaign on June 13, finding the same malicious code in JavaScript served for all three plugins.
PushEngage followed a day later with its own incident notice, confirming an attacker had served tampered copies of its script and that sites loading them could be taken over.
PushEngage, acquired by Awesome Motive years ago, is so far the only one of the three to issue guidance; OptinMonster and TrustPulse users have heard nothing official.
The window was not the same for each plugin. Sansec saw the malicious code in OptinMonster and TrustPulse for only about 25 minutes on June 12, first around 22:17 UTC and gone by 22:42. PushEngage’s exposure ran longer: several hours on June 12, and its script was still being served from some of the CDN’s servers into June 14.
So the two plugins with the most sites had the smallest window, and PushEngage had the largest.
Sansec estimates that the three plugins reach more than 1.2 million sites between them, the bulk of that OptinMonster, which alone has over a million active installs. PushEngage’s WordPress plugin has more than 9,000. That figure is reach, not damage: it counts sites that run the plugins, not sites that were broken into.
How the attack worked
The poisoned script did nothing on a normal page view. It acted only when a logged-in WordPress administrator loaded it, then used that admin’s session to take over.
That design is also why the WordPress dashboard cannot tell you whether you were hit: the backdoor is built to stay out of the admin screens, so the only reliable check is on the server itself.
In PushEngage’s case, the tampered files were its normal embeds, pushengage-web-sdk.js and pushengage-subscription.js, served from clientcdn.pushengage.com, the content-delivery network that pushes PushEngage’s script out to customer sites. OptinMonster and TrustPulse were hit through separate Awesome Motive CDN endpoints.
PushEngage says the rest of its systems were untouched: it found no sign that its main application or the servers holding customer data were reached.
By PushEngage’s own account, once the script ran with an administrator logged in, it:
- used that admin’s session to act with full permissions,
- created a new admin account under the attacker’s control,
- installed a plugin that does not show up in the dashboard, and
- sent the new login details and site…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
