Categories: SecurityWorkspace

Rogue Antivirus Campaign Targets WordPress

A new wave of mass-injections of a fake antivirus campaign that appears to be targeting sites hosted by popular blogging platform WordPress, according to Websense it has detected

The company says that it has been tracking the threat for the last few months and that more than 200,000 web pages have been affected on nearly 30,000 websites

Stop, it’s a trap

The injection uses a three level redirection chain that takes users from compromised sites to a rogue antivirus site that attempts to trick them into downloading and installing a Trojan onto their system. The rogue AV site opens a page that appears to perform a scan on the computer and scares users by saying that it has detected a number of Trojans on their hard drive.

The page looks like a Windows Explorer window, albeit Windows XP, but in reality is simply a pop-up within the web browser. It tells users to download and run a bogus antivirus tool to remove the Trojans, but the fake software is in fact itself a Trojan.

Websense reports that although 85 percent of the compromised sites are located in the US, visitors are more widely dispersed. Rogue antivirus campaigns have long affected users of Windows and last year, Apple was forced to admit the threat of MadDefender scareware and issue instructions on how to avoid it or remove it.

Stop and reboot

“Websites can often get hacked through known security issues where software (the type used to host the site) is not kept up to date,” commented Mark James, technical team leader at ESET UK. Furthermore, compromised servers that have code injected into the website itself at source, again through poor security or “backdoors”, pose a problem.”

“Another security issue that can happen, is people forget to reset/change ‘default’ passwords or administrator logins when they use ‘off the shelf’ or free software,” he added. Often these programmes have secret access keys built in that need to be changed and will thus allow complete access to the system. “

He recommends that if a user is redirected they should, rather sensibly but fairly obviously, stop what they are doing, close the browser either “forcefully or gracefully” before rebooting and running a full antivirus scan.

This new security threat comes almost exactly a year after WordPress was hit by a large Distributed Denial of Service (DDoS) attack that affected connectivity to a number of its hosted blogs. The attack was the largest that the blogging platform had ever seen and was said to have originated from China. It later admitted that the hackers had gained access to multiple servers and stole the source code that powered the blogs of many of its customers.

Are you safe from Trojans? Take our quiz

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Marriott Agrees To Pay $52 Million To Settle Data Breaches

To settle US federal and state claims over multiple data breaches, Marriott International agrees $52…

2 days ago

Tesla Shares Drop After Cybercab Unveiling

Mixed reactions as Elon Musk hypes $30,000 'self driving' robotaxi called Cybercab, as well as…

2 days ago

AMD Launches New AI, Server Chips To Expand Nvidia Challenge

AMD unveils new AI and data centre chips as it seeks to improve challenge to…

3 days ago

Chinese Hackers Breach US Wiretap Systems – Report

AT&T and Verizon among US broadband providers reportedly hacked to target American government wiretapping platform

3 days ago