There has been an increase in the number of malware victims, such as WordPress sites that suddenly send you to another site with a certain probability when you click on a link, the link does not work, or a new window opens and an advertisement appears.
We will explain this type of malware called clickjacking.


A type of malware ClickJack

This type of malware hijacks link clicks and sends the user to another site at a certain rate when the link is clicked, disables the link by making the user press a transparent overlaid video play button or SNS like button, opens a new window or tab, and displays ads for game sites, virus removal software, etc. Ads for game sites, antivirus software, etc. will be displayed.

Hijacking a site’s links is called clickjacking.

If this symptom only occurs with a certain probability (rare), a temporary storage mechanism called a cookie in the user’s browser is used to prevent it from being triggered for a certain period of time.

Also, clickjack cannot be realized without embedding a browser processing program called JAVASCRIPT somewhere in the site, which means that the site has been infiltrated and tampered with.

Characteristics of Malware Code

The JAVASCRIPT code is embedded so that it is executed from the site’s header.php, index.php, and other files that must be executed.

Example of code to hijack a link click event

jQuey(document).on("click", "a", function())

Example of code that illegally embeds a Facebook Like in a transparent Iframe

<style>
iframe {
opacity: 0; ← Iframe is made transparent.
}
</style>
<iframe src="facebook.html"></iframe>← Illegally embedded Iframe.

Detection and Removal

Free WordPress:Malware Scanning & Security Plugin [Malware and Virus Detection and Removal].
and other malware search plug-ins may be able to detect where the malware is embedded.

Also, since this type of malware often runs on all pages, check for malicious embedded code anywhere in the theme file that runs on all web pages.

The following are examples of commonly tampered theme files.

header.php
footer.php
single.php
singler.php
page.php
index.php
functions.php

Related Posts:

  1. 10 files in which malformed JAVASCRIPT code is embedded when WordPress is tampered with.
    This section describes a file in which redirect hack code is often embedded, which causes a WordPress-created site to jump to another site when accessed (redirect)....
  2. What is Japanese SEO Spam, a type of WordPress malware?
    We will explain about Japanese SEO Spam, which is a malware that embeds fake Japanese product sites in WordPress....
  3. If WordPress may be infected with malware (virus or tampering), use the plugin for quick malware inspection and removal.
    When WordPress may be infected with malware (virus or tampering), you can easily use a plugin to inspect and remove malware. The following is a list of the main types of malware behavior on websites and malware scanning and disinfection plug-ins....
  4. What is a WordPress injection attack?
    There are various methods by which WordPress can be hacked, the most common of which is called an injection attack. This section describes these injection attacks....
  5. WordPress site defacement hacking for SEO purposes. what is SEO spam?
    The most common type of WordPress tampering these days is the hacking of WordPress sites for SEO purposes. We will explain this SEO spam....
  6. WordPress, dealing with spam indexing, where pages you don’t remember creating get caught in search results.
    We will explain how to deal with spam indexing, a common symptom of recent WordPress tampering, in which pages that you do not remember creating are caught in the search results....