New Wave of SocGholish cid=27x Injections
On November 15th, Ben Martin reported a new type of WordPress infection resulting in the injection of SocGholish scripts into web pages. The attack loads zipped malicious templates from WordPress theme and fake plugin files before extracting the SocGholish script, which is saved as an encrypted value inside the wp_options table of the WordPress database. One of its distinguishing features is the cid=272 parameter included in the SocGholish URLs.
During the past two weeks, cid=272 has quickly become the second most prevalent variation of SocGholish infection (after NDSW/NDSX) with 100+ detections per day on average.
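A site owner can check rendered pages for the distinguishing parameter described above. The following is an added example, not code from the original report: it assumes the marker appears as a query-string parameter named `cid` on an off-site URL, and the function name, sample page and hosts are constructed placeholders.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Absolute or protocol-relative URLs anywhere in the page source, inline scripts included.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>]+""")
# "cid=27x" from the title: 270-279. cid=272 is the value reported in the text.
CID_RE = re.compile(r"27\d")


def find_cid27x_urls(page_source, site_host):
    """Return (host, cid, url) for each off-site URL carrying a cid=27x parameter."""
    hits = []
    text = html.unescape(page_source)  # attribute values encode "&" as "&amp;"
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed host, e.g. broken IPv6 brackets
            continue
        host = parts.hostname
        if not host or host == site_host.lower():
            continue  # assumption: the injected script is served from a third-party host
        for cid in parse_qs(parts.query).get("cid", []):
            if CID_RE.fullmatch(cid):  # exact match, so cid=2720 is not flagged
                hits.append((host, cid, url))
    return hits


# Constructed sample page; hosts and paths are placeholders, not real indicators.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.6.1"></script>
<script src="https://cdn.example.test/lib.js?cid=2720"></script>
<script async src="https://stats.example.test/report?cid=272&amp;v=1"></script>
<script>var s=document.createElement("script");s.src="//assets.example.test/s?id=9&cid=275";</script>
<a href="https://blog.example.org/?cid=272">self link</a>
</head></html>"""

if __name__ == "__main__":
    for host, cid, url in find_cid27x_urls(SAMPLE_HTML, "blog.example.org"):
        print(f"suspicious cid={cid} from {host}: {url}")
```

A hit is a lead for manual review rather than proof of infection, since unrelated services may also use a `cid` parameter.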