September 30, 2016

Hacked WordPress Sites Infecting Visitors with Malware

(LiveHacking.Com) – A variety of different blogs (here, here and here) are reporting that hundreds of WordPress websites have been compromised and altered to redirect users to pages that infect a PC using the Phoenix Exploit Kit. The hack works by having the attackers upload an HTML page to the standard WordPress uploads folder. However, since the uploads folder is not part of the normal web site and isn’t included in the normal navigation, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user’s machine.

However, in an attempt to get users to view the uploaded malicious HTML page, the hackers have started several large spam campaigns which include embedded URL links or HTML attachments that trick users into visiting the infected web pages. These fake emails purport to come from well-known organizations like the Better Business Bureau or LinkedIn and urge recipients to open the attachment with Internet Explorer or Mozilla Firefox. The exploit kit targets the vulnerabilities cited in CVE-2010-0188 and CVE-2010-1885.
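The planted page described above sits in a folder that should hold nothing but media, which gives site owners a straightforward check. The script below is an added example, not code from this article or from any of the blogs it cites: it walks a copy of a WordPress uploads tree and flags files whose extension, or whose leading bytes, look like HTML or PHP rather than an image or document. The media allow-list and the sample tree it builds are assumptions for the demonstration.

```python
import os
import tempfile

# Assumed allow-list of what a stock WordPress media library stores under wp-content/uploads;
# tune it to the site's real upload settings.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp4", ".mp3", ".zip"}
# Byte markers that have no business inside a media file (checked case-insensitively).
ACTIVE_CONTENT_MARKERS = (b"<?php", b"<script", b"<iframe", b"<html")


def find_suspicious_uploads(uploads_root):
    """Return a sorted list of (relative_path, reason) for files under uploads_root that
    look like web content: unexpected extension, or a media extension whose first
    4 KiB contain HTML/PHP markers (a script hiding behind an image name)."""
    findings = []
    for dirpath, _, filenames in os.walk(uploads_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, uploads_root)
            ext = os.path.splitext(name)[1].lower()
            if ext not in MEDIA_EXTENSIONS:
                findings.append((rel, f"non-media extension {ext or '(none)'}"))
                continue
            with open(full, "rb") as fh:
                head = fh.read(4096).lower()
            marker = next((m for m in ACTIVE_CONTENT_MARKERS if m in head), None)
            if marker is not None:
                findings.append((rel, f"media extension but contains {marker.decode()}"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample uploads tree (not data from any real site) so the check runs offline."""
    root = tempfile.mkdtemp(prefix="wp_uploads_")
    os.makedirs(os.path.join(root, "2016", "09"))
    samples = {
        "2016/09/photo.jpg": b"\xff\xd8\xff\xe0JFIF...",                 # genuine image header
        "2016/09/landing.html": b"<html><body>redirect</body></html>",  # planted HTML page
        "2016/09/logo.png": b"<?php echo 'polyglot'; ?>",              # PHP behind a .png name
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, reason in find_suspicious_uploads(build_demo_tree()):
        print(f"{path}: {reason}")
```

Run it against a read-only copy of the uploads directory; anything it lists should be compared against the media library before it is removed, since a legitimate plugin may also write non-media files there.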

After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine. The Trojan goes by the following names: Cridex, Carberp and Dapato. Unfortunately antivirus detection is low, with only 10 out of 43 antivirus scanners able to detect it.

According to h-online.com, eight people have been arrested in Moscow on suspicion of having used Carberp to make $4.3 million. The trojan works by intercepting users’ banking data and transferring it to a command & control server. The Russian intelligence service, FSB, arrested the men in a joint operation with Russian security firm Group-IB and the Russian Interior Ministry, MVD.