
Hijacked WordPress, Joomla Websites Install Scareware: SANS ISC

According to a warning from the SANS Internet Storm Center, numerous WordPress and Joomla websites have been compromised by cyber-criminals and are being used to serve scareware, i.e. phony anti-virus software, to visitors' computers, softpedia.com reported on December 12, 2012.

Commenting on the attack, ISC Handler John Bambenek stated that the surprising aspect was that the campaign did not appear to be a scanner abusing a certain security flaw; rather, it was a tool that was primarily pushing WordPress as well as Joomla exploits through one available server in anticipation that something would turn out successful, Threatpost.com reported on December 12, 2012.

The campaign has reportedly been investigated at Germany's CERT-Bund, where security researchers discovered iFrame injections inside the compromised websites that divert visitors to an attack toolkit through the Sutra Traffic Distribution System.

Moreover, security expert Thomas Hungenberg of CERT-Bund, who analyzed the campaign, said that the initial infections possibly happened because of a malicious automated script that abused known security flaws in Joomla's widely used Content Editor, h-online.com reported on December 12, 2012.

In the meantime, a German-language link from a blog presenting Joomla Downloads describes the script as planting PHP code disguised as a GIF file on the server. Attackers remotely invoke and run this code, a PHP shell that is subsequently used to infect JavaScript files, namely /media/system/js/caption.js and /media/system/js/mootools.js, with freshly constructed iFrames at regular intervals.

The cyber-criminals are apparently monetizing the compromise by employing what are called Traffic Redistribution Mechanisms, which carry out a two-way trade in Web traffic, together with fake AVs that push end-users to purchase "pro" versions, transforming the compromised online systems into money-generating devices. These strategies are not only functional but also popular business models in the illicit cyber-market.

Webmasters are therefore advised to keep the Content Editor up to date, while end-users who think they may have fallen victim to this campaign should check their JavaScript files for any dubious iFrames.
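The check described above, as an added example that is not part of the original article: a Python scan of a webroot for JavaScript files containing iFrames and for image files containing PHP code. The regular expressions, the sample tree and the `example.invalid` URL are constructed assumptions, and a hit means the file needs manual comparison against a clean copy, since legitimate scripts can also reference iframes.

```python
import re
import tempfile
from pathlib import Path

# Heuristics (assumptions, not signatures from the advisory): iframe markup or
# dynamic iframe creation inside a .js file, and a PHP open tag inside an image.
IFRAME_RE = re.compile(rb"<iframe\b|createElement\(\s*['\"]iframe['\"]", re.I)
PHP_RE = re.compile(rb"<\?php", re.I)
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}

def scan_webroot(root):
    """Return sorted (relative_path, reason) pairs for files that need manual review."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        ext = path.suffix.lower()
        if not path.is_file() or ext not in IMAGE_EXTS | {".js"}:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        rel = path.relative_to(root).as_posix()
        if ext == ".js" and IFRAME_RE.search(data):
            findings.append((rel, "iframe in JavaScript"))
        elif ext in IMAGE_EXTS and PHP_RE.search(data):
            findings.append((rel, "PHP code in image file"))
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree: clean and injected scripts, clean and PHP-bearing GIFs."""
    js = Path(root) / "media/system/js"
    js.mkdir(parents=True)
    (js / "mootools.js").write_bytes(b"var MooTools={version:'x'};\n")
    (js / "caption.js").write_bytes(
        b"var JCaption=function(){};\n"
        b"document.write('<iframe src=\"http://example.invalid/\" "
        b"width=\"1\" height=\"1\"></iframe>');\n")
    img = Path(root) / "images"
    img.mkdir(parents=True)
    (img / "banner.gif").write_bytes(b"GIF89a<?php /* placeholder body */ ?>")
    (img / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00\x00\x00\x00;")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, reason in scan_webroot(tmp):
            print(f"{reason}: {rel}")
```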


» SPAMfighter News - 19-12-2012
