Hundreds of compromised WordPress and Joomla websites are serving up malware to visitors

Researchers see a spike in compromised domains attempting to deliver malicious payloads including Shade ransomware and phishing links.
Written by Danny Palmer, Senior Writer

Websites built on two of the most popular content management systems used in publishing are being hacked and exploited to deliver ransomware and other malware to visitors.

Cyber criminals are exploiting vulnerabilities in plug-ins, themes and extensions on WordPress and Joomla sites and using them to serve up Shade ransomware and other malicious content.

Researchers at security company Zscaler have detailed how attackers are using a hidden directory on HTTPS sites for malicious purposes. This well-known directory is commonly used by website owners to prove ownership of the domain to a certificate authority, which scans it for the expected code before treating the domain as validated.

However, by using exploits to gain access to these hidden pages, attackers can use them to hide malware and other malicious content from website administrators.


Over the past few weeks, researchers have spotted a spike in threats stowed away in the hidden directory, with Shade ransomware – also known as Troldesh – the most common threat deployed in this way.

"The spam emails usually contain a link to the HTML redirector page hosted on the compromised site, which downloads the malicious zip file. The user needs to open the JavaScript file inside the ZIP, and this JavaScript file will download the ransomware from the compromised site and execute it," Deepen Desai, VP for security research and operations at Zscaler, told ZDNet.

Over 500 websites have been compromised and thousands of attempts have been made to drop ransomware, phishing links and other malicious content.

Meanwhile, phishing pages are hosted under SSL-validated hidden directories and pop up in an effort to fool the potential victim into handing over their usernames and passwords.
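The article does not name the directory, but the domain-validation location it describes is the standard `/.well-known/` path (RFC 8615), whose `acme-challenge/` (RFC 8555 HTTP-01) and `pki-validation/` subdirectories are what certificate authorities scan. A site owner who wants to catch the stowed-away ransomware droppers and phishing pages described above can audit that directory for content that has no business there. The script below is an added example written for this article, not Zscaler's code or any indicator from their report: the file-type heuristics, the seven-day token age threshold and the sample web root it builds are all constructed assumptions, chosen to show the kind of anomaly a defender looks for.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristics (assumptions for this example, not from the article): archives and
# active content have no business in a domain-validation directory.
SUSPICIOUS_EXT = {".zip", ".js", ".html", ".htm", ".php", ".exe", ".vbs", ".hta"}
# ACME HTTP-01 challenge files are named by a base64url token (RFC 8555) with no extension.
ACME_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")
# Validation is a one-off event, so a challenge file older than this is stale (threshold is an assumption).
MAX_TOKEN_AGE_SECS = 7 * 24 * 3600


def audit_well_known(webroot, now=None):
    """Walk <webroot>/.well-known and return (relative_path, reason) for every
    file that does not look like a legitimate validation artefact."""
    now = time.time() if now is None else now
    findings = []
    root = Path(webroot)
    wk = root / ".well-known"
    if not wk.is_dir():
        return findings
    for path in sorted(p for p in wk.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        parent = path.parent.name
        if ext in SUSPICIOUS_EXT:
            findings.append((rel, f"{ext} file in a validation directory (archive/active content)"))
        elif parent == "acme-challenge":
            if not ACME_TOKEN_RE.match(path.name):
                findings.append((rel, "name is not an ACME challenge token"))
            elif now - path.stat().st_mtime > MAX_TOKEN_AGE_SECS:
                findings.append((rel, "stale challenge token; validation should have finished long ago"))
        elif parent == "pki-validation":
            if ext != ".txt":
                findings.append((rel, "non-.txt file in pki-validation"))
        elif rel == ".well-known/security.txt":
            pass  # RFC 9116 contact file, expected at this location
        else:
            findings.append((rel, "unrecognised file under .well-known; review manually"))
    return findings


def build_demo_tree(base):
    """Populate a constructed sample web root (fabricated for this example)."""
    wk = Path(base) / ".well-known"
    (wk / "acme-challenge").mkdir(parents=True)
    (wk / "pki-validation").mkdir()
    fresh = wk / "acme-challenge" / "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    fresh.write_text(fresh.name + ".constructed-thumbprint")
    stale = wk / "acme-challenge" / "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
    stale.write_text(stale.name + ".constructed-thumbprint")
    month_ago = time.time() - 30 * 24 * 3600
    os.utime(stale, (month_ago, month_ago))  # left behind by an old renewal
    (wk / "acme-challenge" / "update.zip").write_bytes(b"PK\x03\x04 constructed, not a real archive")
    (wk / "pki-validation" / "A1B2C3D4.txt").write_text("constructed validation string\n")
    (wk / "pki-validation" / "login.html").write_text("<html>constructed lookalike login page</html>\n")
    (wk / "security.txt").write_text("Contact: mailto:security@example.com\n")


def run_demo():
    """Build the sample tree in a temporary directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return audit_well_known(tmp)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Run against a real web root as `audit_well_known("/var/www/html")`; the demo tree flags the zip dropper, the HTML page posing as a validation file and the month-old challenge token, while the fresh token, the `.txt` validation string and `security.txt` pass. The stale-token rule matters because a validation directory is normally empty between renewals, so any file that lingers there deserves a look regardless of its name.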

The compromised WordPress sites are running versions 4.8.9 to 5.1.1 and tend to be using outdated CMS themes or server-side software, which researchers suggest is likely the reason for the compromise.

It's not known who is behind the cyber-criminal campaign, but Zscaler is working to inform the owners of the websites about the attacks. The full list of Indicators of Compromise is available in the analysis of the attack.
