Researchers reveal that some compromised WordPress sites are unwittingly spreading potentially unwanted applications (PUAs), as well as spyware.
The spyware and PUAs are being sent to users through fraudulent browser plugins and bogus Flash update messages. The hacked WordPress sites basically redirect users to Uniform Resource Locators (URLs) that are infested with spyware.
The covert campaign was discovered by researchers at Zscaler who revealed that this campaign has been in place since first week of August. The spyware and PUAs have affected more than 20,000 users and have been sent to over 2,000 WordPress websites.
The research team also divulges that majority of the infected sites run the current version 4.3.1 of WordPress CMS. However, it is believed that the sites may have been compromised before being updated to the latest version.
The attacks were also corroborated by users on the WordPress support forum as well as Conrad Longmore of Dynamoo’s blog.
“We’ve recently been dealing with several virus attacks. I encountered a virus that did not show up in the Wordfence scan, nor searching for it on Google or any other virus scans performed by myself or BlueHost,” noted a user on the WordPress forum.
“I’ve been seeing some injection attacks since last week utilising hosting services of VPS Hosting in Latvia. These are continuing today,” revealed Longmore in a blog post.
So how does the malware begin the infection cycle?
The code contains an iframe which gives information of the hacker’s server location. According to Zscaler, the hackers are gathering data such as a user’s version of Adobe Flash Player, their time zone and system timestamp.
How is this potentially threatening?
Once an attacker has data on the user’s system, they send them several quick redirects in succession to a web page. Here, for the most bit, the user is asked to make an update to their Adobe Flash Player or install the same, which is basically a spyware in disguise.
If users take the bait, then the attackers will deliver an .exe file to their system which will install a modified Win32.InstallCore PUA.
Once the user installs this PUA they will be redirected to the authentic Adobe site. There, the user is informed that the installation of the Flash Player has failed. Consequently, the user is asked to try to reinstall, but from the genuine source this time round.
In some instances, one may also be asked by the attackers to install fraudulent browser add-ons and not the Adobe Flash Player.
While these are minute-level adware PUAs and spywares, they are still dangerous as they can serve as potential gateways by hackers for injecting severe malwares on an infected machine.
The researchers reveal that an IPS address (126.96.36.199), which belongs to a Latvia-based VPS hosting service, is behind the attacks.