I wanted to check the WP homepage of a friend of mine, so I googled "rafaeltheissen be piano".
The first Google result seems to point to the official page: https://rafaeltheissen.com/
Here is the complete link copied from the Google search results: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj5ps6p3ovyAhXauaQKHSkjAvQQFjAAegQIBBAD&url=https%3A%2F%2Frafaeltheissen.com%2Fen%2F&usg=AOvVaw24EO7Ic3rfmCms7XbPcI4J
When I click on it, I am on the website and everything seems fine. But when I click somewhere, the following happens: on Safari, another porn/strange phishing site is opened in the background; on Google Chrome, that doesn't seem to work, but a blob URL is opened as another tab.
What I can observe before clicking somewhere: In the dev console I constantly see "Console was cleared" by "agregahehhea.js", an incomprehensible js code. Network Source: https://www.thodowaro.com/fbf601/agregahehhea.js
Redirects before the phishing page appears:
https://stevoglutu.com/b.3_Vi0jPk2ll-jnPoXpBqz_Jsmt9u0vP-Ux5yEzRAT_BCNDVEGFc-yHTImJlKR_eMEN5OqPS-TRNSOTaUm_dW4XTY1ZR-JbMcUdpeF_SgkhZiKjR-0lpm5nYoj_JqGras1tl-tvRwnxVya_QA1BFCrDS-kFRGCHaIV_pKELQMTNJ-PPRQ1RESy_TU0VRWNXM-EZ0aybScT_ReZfVgFhp-rjWkllRmN_MolppqtrW-XtduNvewm_xypzWAkBd-JDeEEF1GH_VImJ0KmLc-nNJOpPZQD_1SjTOUTVI-0XOYWZUa0_NcmdQe5fO-DhNimjNkT_Am1nMojpR-lrNsmtFuk_NwWxZyhzY-zBICzDMEG_ZGlHNICJZ-yLcM3NJOj_PQXRNSjTc-mVlWwXdYC_Za2bdcDd0-xfNgjhIi3_NkjlgmxnO-TpIq1rLsW_ZujvNwjxY-wzMATBACx_ZEDFNGlHN-DJkKyLYMj_lOjPZQGRI-4TNUWVEW3_MYWZRalbM-TdJehfMgj_Yi1j?&sseq=2&dseq=2
https://stevoglutu.com/b.3_Va0bPc2dh-0fYgXhRii_PkTlEmmnc-npJqprZsD_1umvZwDxN-lzZAGBUCx_MEWFQG1HM-zJQK0LNMD_NOhPNQjRQ-yTOUWVYW3_NYTZQaxbM-WdJehfMgD_ki5jZkSlZ-ynco3pJqj_PsWthupvc-3xRyvzcAn_lCiDYEWFN-rHJInJNKJ_ZMDN0O0PM-TRQSxTOUD_YW2XJYnZp-vbbcmdVeJ_ZgDh0i0jM-TlQmxnOoD_Yq2r
I would really like to understand what's happening here. Does someone have an explanation for it?
Update: the server seems to be compromised. If the referrer is Google, the malicious JS code is activated. Read more here: http://www.axertion.com/tutorials/2013/08/wordpress-redirecting-to-malicious-url-when-referral-is-google-or-another-search-engine/
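An added example, not part of the original post: a site owner can confirm the referrer-conditional behaviour described in the update by requesting the same page with and without a Google `Referer` header and comparing which third-party hosts serve scripts. The host names and HTML below are constructed samples, and `fetch` is a hypothetical helper for use against your own site.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the host of every <script src=...> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Relative URLs have no hostname and count as same-origin.
            host = urlparse(src).hostname
            if host:
                self.hosts.add(host)


def script_hosts(html, site_host):
    """External hosts that serve scripts to this page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return {h for h in collector.hosts if h != site_host}


def referrer_only_hosts(plain_html, referred_html, site_host):
    """Script hosts present only when the visit appears to come from a search engine."""
    return sorted(script_hosts(referred_html, site_host) - script_hosts(plain_html, site_host))


def fetch(url, referer=None):
    """Hypothetical helper: fetch your own page, optionally with a Referer header."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from the site in the post).
PLAIN = '<script src="/wp-includes/js/jquery.js"></script><script src="https://cdn.example.net/lib.js"></script>'
REFERRED = PLAIN + '<script src="https://injected.example/x/loader.js"></script>'

if __name__ == "__main__":
    print(referrer_only_hosts(PLAIN, REFERRED, "site.example"))
```

This only compares external `src` hosts, so a script injected inline would need a diff of the full response bodies instead.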