Malicious Scripts Injected in Genuine Websites Seeing a Growth - Heimdal

Infosecurity-magazine.com reported on 4th September, 2015 quoting a recently released study by the security firm Heimdal Security as "The web is witnessing a surge in malicious scripts injected into genuine websites."

Heimdal Security noted that the attack has been conducted by systemically compromising websites that run an obsolete content management system (CMS) especially WordPress sites without patch or old plugins.

Heimdal says that WordPress is employed by 58.7% of all the sites whose content management system is known to them which is 24.3% of all websites. As there are around one billion websites in the world, it is estimated that more than 142 million websites might be potentially compromised. Moreover, more than 20% of WordPress supported websites run an obsolete version.

Infosecurity-magazine.com published a report on 4th September, 2015 quoting researchers as saying "Even websites which run the latest WordPress version could be open to such attack if they run obsolete plug-ins and require proper security settings. The number of prospective ransomware victims might be alarmingly high and as the attack is not only directed towards websites based on WordPress, the blow could be even more."

These scripts would redirect users to Web domains where instances of the Neutrino exploit kit were hosted.

Heimdal investigated and found that thedancingbutterfly.com domain was used to store the malicious injected scripts which would then redirect users to nkzppqzzzumhoap.ml where the exploit kit was hosted.

The last domain is hosted in the Netherlands on the servers of a Web hosting organization which is known to have hosted other same malicious campaigns before.

When the Teslacrypt ransomware installed on the user's computer, it does that a ransomware does best locking the user out of numerous files and then leaving a .txt and .html file on the desktop of the user, explaining the steps needed to take to get access back to the files.

In some cases, researchers also observed that the ransomware encrypts files and also downloads a Pony-based infostealer from the light-tech.pl domain.

Scmagazine.com published news on 4th September, 2015 quoting Andra Zaharia, a Marketing Specialist with Heimdal, as saying "We have already spotted 24 websites in Denmark which deliver the payload through the malicious script injection."

» SPAMfighter News - 9/18/2015