Hundreds of WordPress Sites Compromised to Serve Phoenix Exploit Kit
The latest malicious campaign begins at the point where cybercriminals compromise a few hundred websites based on WordPress 3.2.1 and alter them to redirect visitors to a domain that serves the malicious Phoenix Exploit Kit.
M86 Security Labs researchers came across around four hundred of these sites.
Using a clever strategy, the masterminds that run this scheme didn’t compromise the sites’ main page, instead they hid a malicious HTML page to the Uploads folder so it wouldn’t be detected to easily.
Since they’re using the compromised sites only to bypass URL reputation mechanisms, spam filters and other security policies, they’re not relying on regular users to visit the infected pages, instead they send out spam emails containing a link to the webpage that serves the exploit kit.
Websense described these emails not long ago, reporting that they’re designed to confuse the recipient and determine him to click on the link without giving it too much thought.
“Hello! Look, I’ve received an unfamiliar bill, have you ordered anything? [LINK] Please reply as soon as possible, because the amount is large and they demand the payment urgently,” reads the malicious message.
Once the link is clicked, the user, that at this stage becomes a victim, is taken to the compromised site redirecting to a Russian domain where the exploit is hosted.
The Phoenix Exploit Kit probes for vulnerabilities in Internet Explorer, Adobe Reader, Flash and Java, these being the applications that users fail to update most often.
An interesting observation made by the experts is that the exploit kit is not designed to target Google Chrome customers. For no obvious reason, the source code is written in a way to make sure that those who utilize Chrome are excluded.
Security solutions providers are keeping close tabs on these malicious elements, but to make sure they’re protected, users are advised never to click on suspicious links that come in suspicious emails.
Using a clever strategy, the masterminds that run this scheme didn’t compromise the sites’ main page, instead they hid a malicious HTML page to the Uploads folder so it wouldn’t be detected to easily.
Since they’re using the compromised sites only to bypass URL reputation mechanisms, spam filters and other security policies, they’re not relying on regular users to visit the infected pages, instead they send out spam emails containing a link to the webpage that serves the exploit kit.
Websense described these emails not long ago, reporting that they’re designed to confuse the recipient and determine him to click on the link without giving it too much thought.
“Hello! Look, I’ve received an unfamiliar bill, have you ordered anything? [LINK] Please reply as soon as possible, because the amount is large and they demand the payment urgently,” reads the malicious message.
Once the link is clicked, the user, that at this stage becomes a victim, is taken to the compromised site redirecting to a Russian domain where the exploit is hosted.
The Phoenix Exploit Kit probes for vulnerabilities in Internet Explorer, Adobe Reader, Flash and Java, these being the applications that users fail to update most often.
An interesting observation made by the experts is that the exploit kit is not designed to target Google Chrome customers. For no obvious reason, the source code is written in a way to make sure that those who utilize Chrome are excluded.
Security solutions providers are keeping close tabs on these malicious elements, but to make sure they’re protected, users are advised never to click on suspicious links that come in suspicious emails.