
Trackstatisticsss.com

Posted: May 21, 2020

Trackstatisticsss.com is a domain that was recently involved in a large-scale attack against WordPress websites running add-ons prone to exploitation. The attack was first spotted at the end of April 2020, and the researchers observing the campaign quickly realized that its scale was increasing exponentially with each passing day. Estimates are that over a million websites might be vulnerable to the particular exploitation method the hackers use, and it is very likely that tens of thousands of websites have already been compromised.

Trackstatisticsss.com is Used to Plant Web Shells on Vulnerable WordPress Sites

Some of the vulnerable add-ons targeted in the attack are Easy2Map, Blog Designer, WP GDPR Compliance and Total Donations. Keep in mind that this only applies to outdated versions of these add-ons, and there is nothing you need to be worried about if you have already updated to their latest versions. If you are a WordPress site administrator, we suggest that you update your theme, add-ons, and WordPress version regularly to stay safe against hacker attacks. All of the attacks were carried out either via an XSS vulnerability that enabled the attacker to hijack a WordPress administrator's session, or by interacting with a vulnerable add-on that could apply arbitrary changes to the site's configuration.

It is not clear how the hackers are looking for vulnerable sites and their administrators, but their ultimate goal is to trick the site's administrator into loading a malicious piece of JavaScript that may often be obfuscated. The script checks the user's cookies for the presence of an administrator session and then determines what to do next:

If the victim is logged in as an administrator, the script will attempt to hijack the session and insert a harmful PHP backdoor in the default WordPress theme.

If the victim is not logged in, the script will redirect them to a third-party URL used for malvertising.

A Large-Scale Attack May Have Compromised over a Hundred Thousand WordPress Sites

The PHP backdoor that the attackers use is found at 'ws.stivenfernando.com/stm.js'; although it is a JavaScript file, the script will convert it to PHP prior to executing it. The backdoor will then fetch another payload that is hosted on Trackstatisticsss.com, more specifically at the URL 'stat.trackstatisticsss.com/n.txt'. This file appears to be empty at this time, so this payload is inactive. However, the hackers can change the contents of the 'n.txt' file at any time to deliver a threatening Web shell to the compromised sites.

If you notice the presence of the Trackstatisticsss.com URL in one of your WordPress pages, you should immediately check the WordPress installation for indicators of compromise. You should also make sure to apply the latest updates to the core website files and to all WordPress add-ons you use.
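One way to run that check over the files on disk is sketched below. This is an added example, not code from the original article or from any WordPress project: it walks a directory and reports every line in a PHP, JavaScript or HTML file that references the two hosts named above. The function names, the extension list and the sample theme files are assumptions constructed for illustration.

```python
import os
import re
import sys
import tempfile

# Hosts named in the article; matched case-insensitively, with any subdomain.
INDICATOR_HOSTS = ("trackstatisticsss.com", "stivenfernando.com")
# Assumption: text file types where an injected script or backdoor would live.
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")

HOSTS_RE = "|".join(map(re.escape, INDICATOR_HOSTS))
_PATTERN = re.compile(r"(?:[a-z0-9-]+\.)*(?:" + HOSTS_RE + r")", re.IGNORECASE)

def scan_tree(root):
    """Return sorted (relative_path, line_number, matched_host) tuples."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for m in _PATTERN.finditer(line):
                            hits.append((rel, lineno, m.group(0).lower()))
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return sorted(hits)

def build_sample_tree(root):
    """Write a constructed theme directory: one clean file, two flagged."""
    theme = os.path.join(root, "wp-content", "themes", "sample-theme")
    os.makedirs(theme)
    samples = {
        "index.php": "<?php\n// clean constructed file\n",
        "header.php": "<?php\n// constructed\n// ref: stat.trackstatisticsss.com/n.txt\n",
        "footer.js": "// constructed: WS.StivenFernando.com/stm.js\n",
    }
    for name, body in samples.items():
        with open(os.path.join(theme, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return theme

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    for rel, lineno, host in scan_tree(target):
        print(f"{rel}:{lineno}: {host}")
```

Pass the WordPress root as the first argument to scan a real installation. The scan covers files only, so content stored in the database (posts, options) needs a separate search, and any hit is a lead for manual review rather than proof of compromise.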
