Hijacked WordPress, Joomla Websites Install Scareware: SANS ISC

According to a warning by SANS Internet Storm Center, numerous WordPress and Joomla websites are in the state of compromise after cyber-criminals have manipulated them for serving scareware, i.e. phony anti-virus, onto visitors' computers, published softpedia.com in news on December 12, 2012.

Offering his remark about the attack, John Bambenek, ISC Handler stated that the surprising aspect about it was that the campaign did not appear as a scanner abusing certain security flaw rather it was a tool, which was primarily thrusting WordPress as well as Joomla exploits, through one available server in anticipation that something would turn out successful. Threatpost.com published this in news on December 12, 2012.

Reportedly, the campaign has been investigated at Germany's CERT-Bund where security researchers discovered an act of iFrame injections inside the compromised websites for diverting visitors onto an attack toolkit through the Sutra Traffic Distribution System.

Moreover, Security Expert Thomas Hungenberg with CERT-Bund who conducted an analysis of the campaign said that the initial contaminations possibly happened because of any malicious automated script, which abused familiar security flaws within the much visited Content Editor of Joomla, thus published h-online.com in news dated December 12, 2012.

In the meantime, one web-link in German language from a blog presenting Joomla Downloads describes the script as inserting a GIF document disguised PHP code inside the server. Attackers remotely summon and run this code, which's certain PHP shell being subsequently utilized for contaminating JavaScript files namely /media/system/js/caption.js and /media/system/js/mootools.js via freshly constructed iFrames over routine intervals.

Apparently, the cyber-criminals are exploiting the development by employing what's called Traffic Redistribution Mechanisms, which perform two-way trade of Web-traffic as well as fake AVs, so end-users can be made to purchase pro-versions that transform the compromised online systems into money generating devices. The strategies are not only functional but also popular business models being used within the illicit cyber-market.

Hence it is advisable that Web-masters ensure they have the Content Editor up to date, while end-users who think they may've been victimized with the above sinister campaign should scrutinize their JavaScripts in case there are any dubious iFrames inside them.

Related article: Hospital Pulled Out Its Spam Using SAV

» SPAMfighter News - 12/19/2012