Crooks have been hacking websites to deliver fake software update notices to more than 100,000 web users in an attempt to trick them into downloading malware that could take over their PCs.
The hacking campaign has two variations, according to tech security company Zscaler, which has been tracking it. In the first version, the crooks break into insecure WordPress sites by exploiting a theme plugin vulnerability and inject malicious redirect scripts into the compromised site. This lets them display a fake Flash Player update alert over the compromised site, which aims to trick visitors into starting a software update.
Once the user clicks the 'Update' button, the script downloads the malicious file. Even if the user clicks the 'Later' button, the redirect still occurs, taking the user to the same page to download the malicious file.
If installed, the Remote Access Trojan (RAT) malware will send the victim's information in an encrypted format to the attacker's site, allowing remote access to the victim's PC.
"After successful installation, it will send the acknowledgement to the attacker with the details of the infected machine. Since the installed malware is a RAT, the attacker can connect to the installed client and then perform the activities supported by the RAT including file downloads/uploads and execution," Zscaler told ZDNet.
The attackers have been tracking the visitor count to the compromised websites, Zscaler said, and so far 113,000 unique users have been served the fake update pages. Zscaler's ThreatLabZ team said it had blocked more than 40,000 malicious attacks related to this campaign in the past three months.
A variation on the attack occurs when a web user visits one of the compromised sites using the Chrome web browser. In this case, the user receives an alert that the 'PT Sans' font wasn't found, which again asks them to update.
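A site owner checking whether their own pages carry the injection described above (an off-site script, an inline redirect, and a fake-update lure in either the Flash or the PT Sans variant) could run a check like the following. It is an added example, not code from the article or from Zscaler; the sample page, the site hostname and the `fake-update.example` host are constructed for the test.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample page (not a real site): one legitimate script plus an injected
# external script, an inline redirect and a fake Flash update overlay.
SAMPLE_HTML = """<html><body><h1>Example blog</h1>
<div id="overlay">Your Flash Player is out of date. Click Update to continue.</div>
<script>window.location.href = "https://fake-update.example/update.php";</script>
<script src="https://fake-update.example/redirect.js"></script>
<script src="/wp-includes/js/jquery/jquery.js"></script>
</body></html>"""
# Lure phrases from the two variants the article describes (Flash update, PT Sans font).
LURE_PATTERNS = [re.compile(r"flash\s*player.*?(update|out of date)", re.I),
                 re.compile(r"pt\s*sans.*?(not|wasn'?t)\s*found", re.I)]
# Inline assignments to location or location.href with a string-literal target.
REDIRECT_RE = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)

class _Collector(HTMLParser):
    """Collect external script sources, inline script bodies and visible text."""
    def __init__(self):
        super().__init__()
        self.scripts, self.inline, self.text, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        (self.inline if self._in_script else self.text).append(data)

def scan_page(html, site_host, allowed_hosts=()):
    """Return (kind, detail) findings: scripts loaded from, or redirecting to, hosts
    outside the allowlist, and visible text matching the fake-update lures."""
    allowed = {site_host, *allowed_hosts}
    p = _Collector()
    p.feed(html)
    findings = []
    for src in p.scripts:
        host = urlparse(src).netloc
        if host and host not in allowed:
            findings.append(("external_script", host))
    for code in p.inline:
        for target in REDIRECT_RE.findall(code):
            host = urlparse(target).netloc
            if host and host not in allowed:
                findings.append(("inline_redirect", host))
    body = " ".join(p.text)
    findings += [("update_lure", pat.pattern) for pat in LURE_PATTERNS if pat.search(body)]
    return findings
```

Pass the hosts of any legitimate CDNs the site uses in `allowed_hosts`, otherwise every third-party script is reported; the check is static, so a redirect fired only on a button click in a loaded script is not caught here.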
Updating the vulnerable content management systems running websites will stop the crooks from launching the attacks. "Therefore, it is critically important for companies to protect this public face from an attack that could put your business, employees, and your customers at risk," Zscaler said.