Almost 30,000 WordPress blogs have been infected in a new wave of attacks orchestrated by a cybercriminal gang whose primary goal is to distribute rogue antivirus software, researchers from security firm Websense said in a blog post on Monday.
The attacks have resulted in over 200,000 infected pages that redirect users to websites displaying fake antivirus scans. The latest compromises are part of a rogue antivirus distribution campaign that has been going on for months, the Websense researchers said.
Fake antivirus scan pages are nothing new. In fact, a couple of years ago this type of social engineering was one of the primary methods of distributing scareware to Internet users.
However, many cybercriminals gangs have since switched to drive-by download attacks that exploit vulnerabilities in outdated browser plug-ins to automatically download and install their rogue software.
The large number of infected Web pages seen in this campaign is an indication that these scams still work, said Elad Sharf, senior security researcher at Websense Labs. "Vulnerable websites are a rich source of opportunity for cybercriminals."
More than 85 percent of the compromised sites were located in the U.S., but their visitors were geographically dispersed. "The attack may be specific to the U.S. but everyone is at risk when visiting these compromised pages," Sharf said.
Many of the blogs compromised in these recent attacks were running outdated WordPress versions, had vulnerable plug-ins installed or had weak administrative passwords susceptible to brute force attacks, said David Dede, a security researcher with website integrity monitoring firm Sucuri Security. "It seems the attackers are trying everything lately."
Sucuri researchers have also been tracking this scareware distribution campaign and found that a rogue WordPress plug-in called ToolsPack has been installed on many of the compromised blogs. The plug-in masquerades as a collection of WordPress administration tools, but in reality it contains a backdoor that attackers use to maintain their unauthorized access to the affected sites, Dede said.
"My advice to webmasters is to always make sure their WordPress (and all plug-ins) are updated and that they use strong passwords," the Sucuri security researcher said. "That by itself will go a long way to protect their sites."