
SoylentNews is people

posted by janrinok on Friday September 18 2015, @02:40PM
from the admins-check-your-sites dept.

Attackers have hijacked thousands of websites running the WordPress content management system and are using them to infect unsuspecting visitors with potent malware exploits, researchers said Thursday.

The campaign began 15 days ago, but over the past 48 hours the number of compromised sites has spiked, from about 1,000 per day on Tuesday to close to 6,000 on Thursday, Daniel Cid, CTO of security firm Sucuri, said in a blog post. The hijacked sites are being used to redirect visitors to a server hosting attack code made available through the Nuclear exploit kit, which is sold on the black market. The server tries a variety of different exploits depending on the operating system and available apps used by the visitor.

"If you think about it, the compromised websites are just means for the criminals to get access to as many endpoint desktops as they can," Cid wrote. "What’s the easiest way to reach out to endpoints? Websites, of course."

On Thursday, Sucuri detected thousands of compromised sites, 95 percent of which are running on WordPress. Company researchers have not yet determined how the sites are being hacked, but they suspect it involves vulnerabilities in WordPress plugins. Already, 17 percent of the hacked sites have been blacklisted by a Google service that warns users before they visit booby-trapped properties. Interestingly, Cid added, the attackers have managed to compromise security provider Coverity and are using it as part of the malicious redirection mechanism. The image above shows the sequence of events as viewed from the network level using a debugging tool.

Sucuri has dubbed the campaign "VisitorTracker," because one of the function names used in a malicious JavaScript file is visitorTracker_isMob(). Cid didn't identify any of the compromised sites. Administrators can use this Sucuri scanning tool to check if their site is affected by this ongoing campaign.
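A local check to complement the scanning tool mentioned above, as an added example that is not from Sucuri or the original article: it searches a web root for the function name `visitorTracker_isMob` reported for this campaign. The file extensions and the sample tree are assumptions, and the name is the only indicator the article gives, so a clean result does not rule out a renamed variant.

```python
import os
import sys
import tempfile

# Function name the article reports in the campaign's malicious JavaScript.
MARKER = b"visitorTracker_isMob"
# Assumption: file types in which injected script is likely to be found.
EXTENSIONS = (".js", ".php", ".html", ".htm")

def scan_file(path):
    """Return the 1-based numbers of the lines in `path` containing MARKER."""
    try:
        with open(path, "rb") as fh:  # bytes: tampered files may not be valid UTF-8
            return [n for n, line in enumerate(fh, 1) if MARKER in line]
    except OSError:
        return []  # unreadable file: skip it and keep scanning

def scan_tree(root):
    """Walk `root`; map each file that contains MARKER to its hit line numbers."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    findings[path] = hits
    return findings

def demo():
    """Scan a constructed tree; return {path relative to the root: [lines]}."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "sample")
        os.makedirs(theme)
        # Constructed sample files, not taken from a real compromised site.
        samples = {"clean.js": b"console.log('hello');\n",
                   "footer.js": b"var a = 1;\nfunction visitorTracker_isMob(){}\n",
                   "logo.png": b"visitorTracker_isMob"}  # extension not scanned
        for name, body in samples.items():
            with open(os.path.join(theme, name), "wb") as fh:
                fh.write(body)
        return {os.path.relpath(p, root): h for p, h in scan_tree(root).items()}

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, lines in sorted(results.items()):
        print(f"{path}: line(s) {', '.join(map(str, lines))}")
    sys.exit(1 if results else 0)
```

Run it with the web root as the only argument; the exit status is 1 when any file contains the marker.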


  • (Score: 3, Interesting) by ikanreed (3164) on Friday September 18 2015, @02:43PM (#237961)

    Remember when no one could make money by delivering viruses? When it was mostly the realm of new coders wanting to show off and troll people?

    The whole industrialization of it makes me long for a simpler time.

  • (Score: 4, Funny) by Anne Nonymous (712) on Friday September 18 2015, @02:45PM (#237962)

    I think the WordPress virus causes massive margins on either side of the screen and a little stripe of content down the middle.

    • (Score: 0) by Anonymous Coward on Friday September 18 2015, @08:50PM (#238119)

      massive margins on either side of the screen and a little stripe of content down the middle

      I have run into that on a (WordPress) site that I visit regularly. [fossforce.com]

      Next time you encounter this, add the adblock filter ##widget and see if that doesn't improve things.

      CAVEAT
      There is another site [ocweekly.com] I visit from time to time (built by a complete moron). [w3.org]
      That site has a completely different use of that meme, so I need to temporarily change that filter to @@@@@@@@@@@@##widget to see the content.
      (There was once a guy who constructed a page where he used widget to indicate the location of his main page content and a bunch of folks even more clueless than he is have used his work as a boilerplate for their pages.)

      .
      View; Use Style; No Style in browsers that are descended from the Mozilla Suite is another useful trick.

      -- gewg_

  • (Score: 1, Insightful) by Anonymous Coward on Friday September 18 2015, @03:07PM (#237974)

    Most websites used to be dumb or inane, but relatively harmless. These days, most websites are clickbait sites serving out malware ads and javascripts. Ad block and noscript are basic necessities.

  • (Score: 1, Offtopic) by WizardFusion (498) on Friday September 18 2015, @04:18PM (#238007)

    My site is clean and ad free, but I don't get many page views - not that that matters to me. It's for me own enjoyment, I make no money from it, nor want to, it's just a side hobby.

    http://myrandomthoughts.co.uk/ [myrandomthoughts.co.uk] if anyone is interested, it's mostly about my home-lab and PowerShell stuff

    • (Score: 2) by darkfeline (1030) on Saturday September 19 2015, @12:27AM (#238237)

      Is this the self-plug thread? Here's mine: http://www.felesatra.moe/ [felesatra.moe]

      It's more a personal experiment site than a website per se, but I'm proud of how little HTML and CSS my pages use.

      Warning: uses Google Analytics. Set your blocker if you care about that.

      --
      Join the SDF Public Access UNIX System today!
  • (Score: 2) by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Friday September 18 2015, @06:22PM (#238059)

    While this doesn't exactly make your site more secure it does defend it from purely-automated attacks.

    Change all the file and directory names that your WordPress installation uses. Use different names for each installation if you use more than one.

    Slashdot Media [slashdotmedia.com] uses WordPress - NOT Slash! - as can be evidenced by this URL not yielding a 404:

            http://www.slashdotmedia.com/wp-content/ [slashdotmedia.com]

    One way Dice Holdings could keep a lid on the script kiddies would be to change that directory name to:

          http://www.slashdotmedia.com/fuck-beta/ [slashdotmedia.com]

    Also change the names of all your subroutines, your MySQL database name as well as the names of its tables and columns.

    While tedious it would be straightforward to write a script that changes all these names, perhaps by randomly selecting entries from /usr/share/dict/words.

    I'll send you my bill in the mail.

    --
    Yes I Have No Bananas. [gofundme.com]
  • (Score: 0) by Anonymous Coward on Saturday September 19 2015, @10:17AM (#238396)

    So, since there is no mention, but I assume that this vulnerability only affects people stupid enough to be running windows? It helps to lessen the overall panic if the submitter were to offer such information. Maybe even if it only impacted (careful word selection, there) Apple users, or only Left Handed Persons who usually only stand on One Foot at a Time. Such things would be useful to know. You do not expect all us non-windows users to actually read the article just to find out that it is meaningless panic copy that only affects people stupid enough to still be running windows, do you? Well, I would hope not. Now, carry on, and give us the pertinent information. If you do not, I will send you an email cleverly disguised as an autoplay CDRom, and it will make you realize why you are stupid to be running Windows.