Monday, January 30, 2012

Spammers Use Compromised WordPress Sites to Expose Users to Phoenix Exploit Kit

WordPressResearchers at both M86 and WebSense have been tracking a malicious spam campaign involving hundreds of compromised WordPress sites that direct unsuspecting users to the Phoenix Exploit Kit.

Initially discovered by Websense, the attack starts out by the victim receiving a spam email similar to this one:

Need your help spam message

Screenshot Credit: Websense

Subject: Need your help!

Hello! Look, I’ve receive an unfamiliar bill, have you ordered anything?
Here is the bill

Please reply as soon as possible, because the amount is large and they demand the payment urgently.

The link within the spam message will take the user to a specific page that the attacker has uploaded on the compromised WordPress website.

Interestingly enough, the malicious page placed by the attacker is located within the “/wp-content/” directory of the WordPress website and is only accessible via direct link. Therefore, users that visit the remainder of the website will not be exposed to the Phoenix Exploit Kit; only users that access this page will be affected.

According to the M86 analysis, “the general motivation of the attackers to compromise websites is mainly to bypass URL reputation mechanisms, spam filters and certain security policies” and use spam in order to direct traffic to the page.

Both examples of pages uploaded by the attackers on the WordPress sites show an obfuscated block of code that, when translated, reveals an iframe leading to the Phoenix Exploit Kit hosted on a Russian domain.

The kit will attempt to exploit multiple vulnerabilities in IE, Adobe PDF, Flash and Java in order to install malware, which Websense identified as a variant of Cridex.B, onto the victim’s PC.

Oddly enough, Chrome users are exempt from the dangers of falling for this trap. An analysis of the Phoenix Exploit Kit code by M86 researchers found that the cybercrooks explicitly excluded the Google Chrome browser from the attack for no apparent reason.

There’s no word on how the attackers managed to plant the malicious pages on the WordPress sites; however, it appears that the affected sites were all running WordPress version 3.2.1.

To stay safe, users are encouraged to keep their computers fully patched and protected with up-to-date antivirus software. As always, it's recommended that users avoid clicking links or downloading file attachments in emails from unknown sources.

Webmasters are strongly advised to make sure they’re running the most recent version of WordPress and use strong FTP/admin credentials to minimize the chances of their sites being compromised by a hacker.

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

No comments:

Post a Comment