Global WordPress Malware Campaign 'DollyWay' Infects Over 20,000 Sites

Security researchers at GoDaddy have uncovered a massive malware operation dubbed "DollyWay World Domination" that has infected over 20,000 WordPress websites globally since 2016.

The sophisticated campaign, now in its third version, redirects unsuspecting visitors to fraudulent dating, gambling, cryptocurrency, and sweepstakes websites. Earlier versions of DollyWay focused on distributing ransomware and banking trojans.

According to researchers, the operation currently generates approximately 10 million impressions monthly, providing substantial revenue for the attackers through malicious redirects.

The cybercriminals behind DollyWay exploit vulnerabilities in WordPress plugins and themes to compromise websites. They employ an advanced Traffic Direction System to filter and redirect users based on specific criteria like location, device type, and traffic source.

To avoid detection, the malware only activates redirects when users click on website elements. It specifically avoids redirecting WordPress administrators, automated bots, and direct visitors without referrers. The attackers utilize VexTrio and LosPollos networks to monetize the redirected traffic.

The campaign shows remarkable persistence, with compromised sites being reinfected on every page load. GoDaddy researchers initially believed they were tracking multiple separate operations before discovering common infrastructure and code patterns that linked them back to a single sophisticated threat actor.

The malware's name comes from a revealing code string found in some variants: "define('DOLLY_WAY', 'World Domination')".

For website owners, removing DollyWay presents particular challenges because the malware hides its malicious code and rogue admin users while retaining the ability to reinfect the site.
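The one concrete indicator the article gives is the define('DOLLY_WAY', 'World Domination') string found in some variants. The scanner below is an added example written for this article, not code from GoDaddy or from the article itself: it walks a WordPress install and reports every PHP source line carrying that string. The regular expression tolerates extra whitespace and either quote style, which is my generalisation rather than something the researchers describe; the sample directory it builds is constructed for the demonstration, and the extension list is an assumption based on the article's note that reinfection happens on each page load, which points at code WordPress executes per request.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Indicator quoted in the article: define('DOLLY_WAY', 'World Domination').
# Tolerating whitespace and either quote style is my generalisation, not a
# documented property of the malware.
DOLLY_WAY_RE = re.compile(
    r"""define\s*\(\s*['"]DOLLY_WAY['"]\s*,\s*['"]World Domination['"]\s*\)"""
)

# Assumption: code that runs on every page load lives in PHP sources, so
# those are the files worth reading first.
SCAN_EXTENSIONS = {".php", ".inc", ".phtml"}


def scan_file(path: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, stripped_line) for each line matching the indicator."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                if DOLLY_WAY_RE.search(line):
                    hits.append((path, lineno, line.strip()))
    except OSError:
        pass  # unreadable file: skip it rather than abort the whole scan
    return hits


def scan_tree(root: str) -> List[Tuple[str, int, str]]:
    """Walk a WordPress install and collect every indicator hit in PHP sources."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                hits.extend(scan_file(os.path.join(dirpath, name)))
    return hits


def build_sample_tree() -> str:
    """Create a constructed throwaway tree: one planted indicator, one clean file, one non-PHP file."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    plugin_dir = os.path.join(root, "wp-content", "plugins", "example-plugin")
    os.makedirs(plugin_dir)
    # Constructed sample: the article's indicator string, spaced and quoted differently.
    with open(os.path.join(plugin_dir, "loader.php"), "w", encoding="utf-8") as fh:
        fh.write('<?php\n// constructed sample\ndefine( "DOLLY_WAY" , "World Domination" );\n')
    # Constructed clean file: a define() that must not match.
    with open(os.path.join(plugin_dir, "clean.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\ndefine('EXAMPLE_PLUGIN_VERSION', '1.0');\n")
    # Constructed non-PHP file: ignored by the extension filter.
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("define('DOLLY_WAY', 'World Domination')\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit_path, hit_line, hit_text in scan_tree(sample_root):
        print(f"{hit_path}:{hit_line}: {hit_text}")
```

Point scan_tree at the document root of a real install instead of the constructed sample to run it for real. A clean result only means this particular string is absent; the article notes that the string appears in some variants, not all, so a hit is strong evidence of compromise but its absence is not evidence of a clean site.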