Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • Check Point: Hackers use over 10,000 hacked WordPress sites to launch malvertising campaign
  • Malware

Check Point: Hackers use over 10,000 hacked WordPress sites to launch malvertising campaign

Do Son August 6, 2018 3 minutes read
Add Daily CyberSecurity as a preferred source on Google

Recently, network security company Check Point disclosed a massive malicious advertising attack. The attacker hijacks user traffic to gain black benefits by buying a website ad slot in a legal coat.

Researchers speculate that these unidentified ad slots have joined the legitimate online advertising platform to ensure proper access to their target customers – major online criminal gangs that hijack victims’ network traffic, redirects Go to the crooks website or use tools to push malware such as ransomware, online banking Trojans or mining plugins.

Check Point said in the report that Master134 is the black hand behind this malicious attack. The gang has invaded more than 10,000 websites based on WordPress CMS 4.7.1. After taking over the site, it opened its website advertising space and released it in real-time. Auction advertising platform AdsTerra.These ad slots flow to major online criminal gangs through ad resellers such as AdKernel, AdventureFeeds, EvoLeads, and ExoClick.

 

After purchasing these ad slots, the attacker exploits unpatched vulnerabilities in the user’s browser or related plug-ins (such as Adobe’s Flash Player) to run malicious JavaScript code, and users who click on these malicious ads will be attacked. An attacker can even locate a user based on a less secure operating system, browser, or a specific type of device.

The advertising content that is ultimately pushed to the user depends on the user’s identity, location, type of device used, etc., and the online advertising field still lacks the necessary verification technology. It is difficult for the industry to thoroughly review each ad to avoid the distribution of malicious content.

This is very popular for online criminal gangs, because they can not only buy “advanced” advertising space on legitimate online advertising platforms, but also illegal income can be washed through the payment system. They even compare the proceeds of the attack with the advertising expenditure to measure the rate of return.

Researchers at Check Point said third-party ad publishing platforms and resellers might be aware of these situations, but still choose to help parties in the black interest chain complete the transaction.

According to the security company’s findings, the attacker is likely to pay the Master 134 directly, and Master 134 pays the online advertising system for the cost of the redirect or even the source of the fuzzy traffic. The third-party platform used by an attacker to purchase a website ad slot is legal, so an attacker can use the platform to precisely control the user’s traffic.

Such malicious advertisements are still hanging on a large number of websites, and about 40,000 users are even attacked and infected every week.

Via: theregister 

Related coverage

  • Highly Evasive NuGet Supply Chain Attack Hijacks 65,000 .NET Build Servers
  • Fake AI Assistant: Malicious “ClawdBot” Extension Hides Trojan in VS Code
  • Ignoble Scorpius Strikes Again: The Rise of BlackSuit Ransomware
  • Hidden Skimmers, Web Whispers: New JavaScript Theft Tricks
  • Microsoft Exposes Malicious Typosquat Cluster Targeting Cloud Environments
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: hacked WordPress sites

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.