A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.

The attacks entail injecting rogue JavaScript into legitimate HTML widgets and plugins that allow for arbitrary JavaScript and other code to be inserted, providing attackers with an opportunity to add their malicious code.

What's more, the malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes to get around blocklists. These domains are registered a few days prior to their use in attacks.

"One of the most noteworthy things about this code is that it is specifically looking to see if the visitor has come from any major websites such as Google, Facebook, Yahoo, Instagram etc.," security researcher Ben Martin said. "If the referrer does not match to these major sites, then the malware will not execute."

"Many of the injections are found inside WordPress custom HTML widgets that the attackers add to compromised websites," Martin said. "Quite often, the attackers install a legitimate Simple Custom CSS and JS plugin and inject the malicious code using this plugin."

This approach of not placing any malicious code into server files allows the malware to stay undetected for extended periods of time, Sucuri said.