TrafficTrade Infection Spreading – How to Protect Yourself and Detect TrafficTrade
How TrafficTrade infects your website
So far the Wordfence Security Services Team has seen two infection vectors (methods of infection). The first is websites that are infected because they left the searchreplacedb2.php script lying around. This is a relatively uncommon infection vector. We wrote about this risk a few weeks ago.
The second vector is by far the most common. The attackers are exploiting a vulnerability in the WordPress ‘Newspaper’ theme. This vulnerability allows them to inject malicious code into the WordPress ‘wp_options’ table which then redirects your traffic to malicious websites or ad campaigns. Our Security Services Team has seen several other themes that are based on the Newspaper WordPress theme that suffer from the same vulnerability.
Wordfence released a Premium firewall rule about 40 days ago which prevents these attackers from exploiting the Newspaper theme. Even if you had a vulnerable theme, you would have been protected. About 10 days ago, that rule became available to our free customers too.
The chart below shows how attacks on the Newspaper theme have completely dominated the distribution. Attacks on searchreplacedb2.php have only been 4% of total attacks over the past few weeks.
How The TrafficTrade.life Attack Campaign has Ramped Up
The traffictrade.life domain was registered on July 3rd, a little over 1 month ago. It is protected by WhoisGuard, a Panamanian company that provides domain registration anonymity services.
We started seeing attacks that were attempting to drop malware with a malicious redirect hosted at traffictrade.life starting on July 10th. The total number of attacks per day has ranged from just 1 per day up to as many as 630. Then things really took off in the past week, as you can see from the chart below. We started seeing up to 15,000 attacks per day attempting to drop the traffictrade.life malicious redirect.
Even Google Trends is showing an increase in search volume for the phrase ‘traffictrade’ towards the end of July as attacks ramped up and affected webmasters started searching Google for help:
What to Do To Protect Yourself
As always we recommend running Wordfence Premium. In this case, our Premium customers have been protected for over 40 days from TrafficTrade by a Premium firewall rule that was deployed by our team in real-time.
The firewall rule became available to our free community users about 10 days ago. Both Wordfence free and Premium are now protecting your sites from these attacks.
Because this infection is so widespread, we have released additional detection in the Wordfence malware scan to detect a newer variant of TrafficTrade. We are seeing attackers modify your wp_options table to inject the malicious code into that table. A Wordfence scan will now detect this.
This new feature is immediately available for free and Premium Wordfence customers with Wordfence version 6.3.16 which was released this morning. Simply install Wordfence or update to 6.3.16 and run a scan.
What TrafficTrade Malware Does On Your Site
It redirects your visitors to a ‘trafficreceiver’ domain which then does further redirects to whichever campaign they are running. In the case of my test, you are redirected to a site that wants you to install a Chrome plugin – most likely malicious.
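As an added defender-side example (not Wordfence's own scanner code), the check below scans exported wp_options rows for script tags whose host is the traffictrade.life indicator named in this post, or any host not on the site's own allowlist. The option names and row contents are constructed for illustration; the Newspaper theme keeps its ad slots as serialized theme options, which is why the hostile tag sits inside a PHP-serialized string here.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for `SELECT option_name, option_value FROM wp_options`.
# Option names are hypothetical; serialized lengths are illustrative only and
# are not validated, because the scan works on the raw text regardless.
SAMPLE_WP_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("td_header_ad",
     'a:1:{s:9:"header_ad";s:53:"<script src="//traffictrade.life/script.js"></script>";}'),
    ("td_footer_ad", 'a:1:{s:9:"footer_ad";s:0:"";}'),
    ("plugin_widget", '<script src="https://example.com/wp-content/plugins/x/x.js"></script>'),
]

# Indicator taken from the post itself.
KNOWN_BAD_HOSTS = {"traffictrade.life"}

# Matches <script ... src=...> regardless of quoting; case-insensitive.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?([^"\'\s>]+)', re.IGNORECASE)


def script_hosts(value):
    """Return the lowercase hostnames of every external <script src> in value."""
    hosts = set()
    for src in SCRIPT_SRC.findall(value):
        # Protocol-relative URLs ("//host/path") need a scheme for urlparse.
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def scan_options(rows, allowed_hosts):
    """Flag options that load scripts from known-bad or non-allowlisted hosts."""
    findings = []
    for name, value in rows:
        for host in sorted(script_hosts(value)):
            if host in KNOWN_BAD_HOSTS:
                findings.append((name, host, "known TrafficTrade indicator"))
            elif host not in allowed_hosts:
                findings.append((name, host, "external script not on allowlist"))
    return findings


if __name__ == "__main__":
    for option, host, reason in scan_options(SAMPLE_WP_OPTIONS, {"example.com"}):
        print(f"{option}: loads script from {host} ({reason})")
```

Against a real site, feed it the rows from a wp_options export and the site's own hostname(s) as the allowlist; anything flagged should be reviewed in the theme's ad or header settings before removal.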
Where The Attacks Are Coming From
The majority of attacks that we have intercepted and that are dropping the TrafficTrade malicious redirect code come from four IPs:
- 126.96.36.199 – 13,698 attacks
- 188.8.131.52 – 11,071 attacks
- 184.108.40.206 – 4,798 attacks
- 220.127.116.11 – 607 attacks
We are seeing attacks originating from several hundred other IPs, but the numbers are very low – ranging from single to double digits. The above IPs are by far the top offenders.
The above IPs belong to UnderNet LLC, based in Kiev in Ukraine. They are part of a block of 2048 IP addresses in the range 18.104.22.168 – 22.214.171.124.
UnderNet LLC’s website is at under.net.ua. This is a snapshot of their home page:
A Change In Hosting and Tactics on July 31st
The threat actors behind the TrafficTrade campaign were using a well-known “bulletproof” hosting company to host traffictrade.life until July 31st. They were based at HostSailor with servers in the Netherlands, which Brian Krebs wrote about in depth in August 2016. According to Krebs, HostSailor has a long history of hosting malicious content and services, as does their owner.
On July 31st, the campaign switched their primary domain IP address as they also switched tactics. The IP address that the traffictrade.life domain pointed to changed from 126.96.36.199, hosted at HostSailor in the Netherlands, to 188.8.131.52, which is hosted by “HZ Hosting Ltd”, also known as HostZealot.
The HostZealot website is at www.hostzealot.com and the company is based in Plovdiv in Bulgaria.
On July 31st we also saw a change in tactics. The attackers switched from trying to exploit searchreplacedb2.php to exploiting the Newspaper theme in WordPress. The number of attacks we saw also ramped up significantly on July 31st when that domain IP change occurred. We saw 15,000 attacks on a single day.
When the attackers switched to HostZealot, they immediately ramped up attacks to 15,000 per day as the graph below shows.
The threat actors behind TrafficTrade may have switched away from HostSailor because it is blacklisted by many security companies and firewalls online, including Wordfence. Switching to a lesser known bulletproof host may have allowed them to bypass some blacklists with their attack campaign.
Spread The Word
The Wordfence team has seen a wide impact from this malware. Many of our site cleaning customers have been hit by this. We have also seen a significant rise in the number of infection attempts during the past few days.
We are not isolated in observing this infection. Dan Fennel wrote about this on July 24th. This is showing up on StackOverflow (July 17th). And we initially covered this on July 25th when we wrote about the risks of searchreplacedb2.php – although at the time we didn’t realize the attack would become so prolific starting July 31st.
To help protect the WordPress and online community, please share this with your friends and colleagues.
Thanks to Brad Haas and Dan Moen for their assistance and contributions to this post.
Mark Maunder – Wordfence Founder/CEO.
Can I ask if simply *having* the theme installed is enough for it to be potentially compromised or must you be using the theme itself? Is there reasons to have unused themes in your theme folder?
It looks like the theme needs to be activated because the exploit comes in via the Ajax WP handler. But yes, if you're not using a theme, we strongly recommend you remove it for security reasons. Many vulnerabilities, like timthumb (now a bit old) have been exploitable in themes that are inactive.
Wow, thanks for the detailed overview of the issue. I manage other people's WP websites for them as a freelancer. It's helpful to stay on top of these things. Thanks for doing all the dirty work for me. ;) I have some updates to take care of this morning now...
I've removed the traffictrade.life malware from my site yesterday, it was hidden in Newspaper theme, in theme option - header ad field.
Sounds about right Mircea. Sorry to hear you were hit by this.
Thanks so much for the detailed breakdown of this attack. It really helps us less knowledgeable in cyber warfare make sense of it and strategize for it appropriately.
You're very welcome Emilio.
Hi, I had the attack about a month ago without using the Newspaper theme or the searchreplacedb2.php file. They must have other ways in too.
Is there any easy way to clean out the scripts from your database by using phpmyadmin?
Thank you Mark and the entire team. I read and follow all the information you provide.
Very detailed post. Thanks for the wonderful work, even as a free customer. I can't stop recommending Wordfence.
Thanks for this detailed article. I help a few people who own multiple WP sites. Found this issue on three blogs with the Newspaper theme running. Immediately removed the JS and installed Wordfence on all of them.
These quick and detailed articles are the reason why I love all the emails from Wordfence.
Aren't most people going to say that they are not running the search and replace tool and they are not running the Newspaper theme, so the problem is pretty niche and doesn't affect them?
Maybe the ones who can spread the word most quickly are the authors of the Newspaper theme?
Is it possible that the vulnerability is present in lots of themes?
The vulnerability is present in multiple themes. Unfortunately I don't have a list, but it seems that other themes are either derivatives of the Newspaper theme or similar in some way and are also affected.
A question: when I looked at the link you gave which details this exploit, it shows that the theme vendor was notified on 23 April 2016 and the vendor fixed it on 27 April 2016. This being the case, why are we seeing infections over a year later? Would this be due to people running older versions of the Newspaper theme (i.e. versions before 27 April 2016)? If so, this really highlights the need for people to keep everything updated.
Hi again. I visited the vendor website at http://tagdiv.com/category/newspaper/ and it seems the newest post is from March, last year, a month before the vulnerability was fixed. I don't see any information on the website about the fix or a changelog. Can you point me to something I can point our readers at?
Here's the news post that was relevant:
Mark - in the link you gave in the blog post, I believe it is the 3rd link from the top ( https://www.exploit-db.com/exploits/39894/ ). In that link, they show with code how an exploit could be made. In the comment section of that code, they gave the dates I mentioned in my previous comment. Hopefully that clarifies how I obtained the info I was talking about.
That said, I hadn't checked out the vendor's site yet, so I haven't compared the exploit-db.com info with the changelog info from the vendor.
Anyhow, hopefully that answers your question of where I got the info for my previous comment.
Thanks, yes I was aware that is where you got your data from. But when I visited the vendor site and looked around, the posts regarding the Newspaper theme dated back to March of last year, before the fix was even released. Couldn't find a changelog or anything about a security update. So if anyone has this data I'd appreciate it.
I personally think that there are a lot of hackers that use the un-updated exploited themes in the wild on purpose as click-through sites where they post outrageously fake images and share out on social feeds from the 'clean' site to get the uninformed people that click on everything in their social feeds, because they believe it's safe to do so, which then hijacks that user to the truly infected site. Like I said before, if your site is more than a year outdated, you are asking to be hacked...
The WordPress ‘Newspaper’ theme (v 6.7.1) by TagDiv, which this article mentions as being vulnerable, was patched April 2016 and is now on version 8.1. Those that have a legally purchased license for this theme should have downloaded the latest version more than a year ago... Those that don't own their license should purchase one so they can stay updated, as it's the responsible thing to do. Wordfence, please make sure to note that this is an OLD vulnerability that was patched, and the patch date, as it's only fair to the developers. Thanks!
OK, will add a note to the post. Thanks.
If you could post a link to a changelog that says the vulnerability was fixed, that would be helpful. Thanks.
Also just as a side note: Did the vendor charge for the security update or is it available free to existing customers? Were they ever notified they need to update? Any background would be helpful for anyone else using this theme. Thanks.
I own 100+ themes from most of the top developers at Themeforest and regular updates as well as important security updates are sent out and designated as such to licensed owners. All updates are free to those that hold the license.
The change log is at their product page at Themeforest. I added the link a bit ago but it may not have been approved since it takes you to a product page. Just so you know, it's at the bottom of their product page there like most all other themes have it.
I am using the NewsPaper 8 theme and also have the WordFence plugin installed. So my question is, do I have to do anything, or the WF plugin will handle it?
Kindly answer the question as soon as possible.
You're safe. We are blocking the attack with the Newspaper theme rule. Even if you are only using the free version of Wordfence, the Premium rule used to block this attack became free about 11 days ago.
However, I do recommend updating that theme as soon as possible if it is an old version.
You are safe because the theme that was vulnerable was version 6.7.1 and was patched more than a year ago, and you now run version 8+. Also, if you were still on the version from last year, you would be protected by wordfence.
You'd be fine from this exploit even without Wordfence since it was fixed a year ago
Hi WF team.
I have seen strange behavior in WF Real Traffic on one of my freshly installed WordPress websites. I'm seeing lots of traffic, but for another domain, not mine.
I checked that domain and it looks the same as my website.
I checked whether it's some kind of redirect and got this info:
[pageshot URL removed by moderator]
Is this maybe something connected with traffictrade?
Hi Anty, sorry I had to remove that URL. I don't think that's related.
Hi, I have a client's site that is infected because the previous developer left the searchreplacedb2.php on the server. The site is still running on his hosting, so I don't have access to phpMyAdmin. Can I use the searchreplacedb2.php to delete the malicious links from the database and then get him to delete it? If so, what would I put in the search and replace fields?
Ironically, yes you can. The script that got you into trouble is also the script that can fix your site. I can't give you specific instructions on the use of searchreplacedb2 here. I would ask on a support forum for the script if you can find one.
When I mentioned line 14, it's in the file td_config.php, the theme itself is causing it.
Hi. I've got the same problem regarding Newspaper and the traffictrade malware. Got infected. The easy way to remove it and protect yourself: go to "Theme Panel" and then "Ads". The code from traffictrade should be in the "Header Ad" field. Just remove it. To protect yourself, just follow the advice at the top ;) install Wordfence.