A web search for the JavaScript that performs the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago.
Like the hacked websites hosting the malicious JavaScript, all the targeted domains are running the WordPress content management system.
When this data is fed into the browser visiting the hacked site, it attempts to log into the targeted user account using the candidate passwords.
Roughly 0.5 percent of cases returned a 200 response code, leaving open the possibility that password guesses may have been successful.
As Sinegubko notes, the more recent campaign is significant because it leverages the computers and Internet connections of unwitting visitors who have done nothing wrong.
NoScript breaks enough sites that it’s not suitable for less experienced users, and even those with more experience often find the hassle isn’t worth the benefit.
The original article contains 609 words, the summary contains 148 words. Saved 76%. I’m a bot and I’m open source!