Malware campaign infects over 20,000 WordPress sites worldwide
Security researchers from GoDaddy have discovered a major malware campaign that has infected over 20,000 WordPress websites worldwide. The campaign, known as "DollyWay," has been active since 2016. It aims to redirect visitors to fake websites related to gambling, dating, crypto, and sweepstakes. The malware has evolved over time and now generates about 10 million impressions each month, helping the operators earn significant profits.

The campaign exploits vulnerabilities in WordPress plugins and themes to compromise websites. It uses a Traffic Direction System (TDS) to redirect users based on their location and device. The malware ensures that attackers are compensated for each redirection through specific networks.

DollyWay is designed to avoid detection. It redirects users only after they click on something, which prevents passive security scans from spotting it. Logged-in users, bots, and direct visitors are also exempt from redirection, making the malware more persistent.

Initially, researchers thought the attacks came from different groups. They later found that the incidents share similar code patterns and strategies, suggesting they are linked to a single sophisticated threat actor. They named the operation after a specific string found in some versions of the malware.