Active WordPress malware campaign compromises thousands of websites

The campaign may only be 15 days old, but thousands of sites are already infected and there are no signs of it slowing down.
Written by Charlie Osborne, Contributing Writer

A new, active malware campaign has compromised thousands of WordPress websites in a matter of days, placing visitors at risk.

The new campaign, detected by SucuriLabs, began 15 days ago but the rate of compromised websites has spiked in the last few days, according to the security firm's CTO Daniel Cid.

From the 15th to the 17th of this month, the rate of infection surged from 1,000 compromised websites a day to approximately 6,000 -- and it remains to be seen whether this uptick slows down.

The hijacked websites are being compromised with the "visitorTracker_isMob" malware, which redirects as many visitors as possible to a landing page serving the Nuclear Exploit Kit. The landing page is constantly changed but contains the same exploit.

The Nuclear Exploit Kit is one of the most widely used exploit delivery methods on the web and contains zero-day exploits for a variety of software.

Once a user lands on the malicious page, the kit probes the potential victim's system, seeking unpatched vulnerabilities which can be exploited by Nuclear's payloads. If unpatched and outdated software is discovered -- or zero-day vulnerabilities are being exploited -- the victim's machine becomes compromised, potentially leading to surveillance and data theft.

"If you think about it, the compromised websites are just means for the criminals to get access to as many endpoint desktops as they can," the researchers say.

"What's the easiest way to reach out to endpoints? Websites, of course."

The malware campaign, dubbed VisitorTracker due to the function name used in all of the injected JavaScript files, appears to infect websites through new vulnerabilities within plugins installed on WordPress. While plugins improve the functionality of WordPress, this is far from the first time plugins have been targeted as a way to compromise the content management system.

Out of thousands of websites infected through the new campaign, the security researchers say 95 percent of them rely on WordPress -- and 17 percent of them have already been blacklisted by Google.

Webmasters should make sure their plugins are all up to date to prevent exposure and blacklisting by the web's most popular search engine.

SucuriLabs has also provided a scanner for webmasters to check the health of their domains.
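Because the injected JavaScript files all carry the same function name, a webmaster can also sweep a site's files locally for it. The following is an added example, not code from the article or from SucuriLabs: it walks a web root, reports which `.js` files contain `visitorTracker_isMob`, and groups them by plugin or theme directory. The directory layout and plugin names in the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Function name the article reports in every injected JavaScript file.
MARKER = b"visitorTracker_isMob"

def scan_webroot(root, exts=(".js",)):
    """Map each matching file (path relative to root) to the line numbers holding the marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # bytes: tampered files may not be valid UTF-8
                    lines = [n for n, line in enumerate(fh, 1) if MARKER in line]
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if lines:
                hits[os.path.relpath(path, root)] = lines
    return hits

def group_by_component(hits):
    """Bucket hits by plugin or theme directory so the affected component stands out."""
    groups = defaultdict(list)
    for rel in sorted(hits):
        parts = rel.split(os.sep)
        if len(parts) >= 4 and parts[0] == "wp-content" and parts[1] in ("plugins", "themes"):
            key = "/".join(parts[:3])
        else:
            key = "core/other"
        groups[key].append(rel.replace(os.sep, "/"))
    return dict(groups)

def demo():
    """Build a constructed sample tree (hypothetical plugin names) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "wp-includes/js/clean.js": "console.log('ok');\n",
            "wp-content/plugins/example-slider/js/slider.js":
                "var a = 1;\nfunction visitorTracker_isMob(){ /* constructed placeholder */ }\n",
            "wp-content/plugins/example-forms/forms.js": "var b = 2;\n",
        }
        for rel, body in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        hits = scan_webroot(root)
        return hits, group_by_component(hits)

if __name__ == "__main__":
    print(demo())
```

A hit identifies a file to restore from a known-good copy and a plugin to update; an empty result only means this particular marker was not found in the scanned files.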
