Feeds

Mass WordPress hijack poisons Google Image well

Mystery doorway planted in 4000+ sites

Protecting users from Firesheep and other Sidejacking attacks with SSL

Hackers are abusing thousands of independent WordPress sites to litter Google Image search results with code that redirects users to servers that attempt to infect them with malware.

According to a report posted Friday, Russian researcher Denis Sinegubko identified 4,358 WordPress blogs that combined popular images from other sites with so-called doorway pages that redirected visitors to a series of malicious sites. The site at the end of the line displayed misleading graphics designed to trick users into installing fake security software by convincing them their machines have already been infected by malware and urgently need to be cleaned.

“The doorway pages rank quite well for some keywords both in Google web search and Google Images search (especially when you are searching for exact phrases),” Sinegubko wrote. “However the malicious redirects occur only when you click on Google Images search results, which proves that Google Images poisoning is the main goal of this black-hat SEO campaign.”

As of Friday, Google was flagging less than 5 percent of the compromised WordPress sites as harmful to its users, Sinegubko said. On Monday, The Register asked Google representatives if additional websites have been added to its list. This article will be updated if they respond.

It remains a mystery how the sites are being compromised. Many are running up-to-date versions of WordPress. What's more, the compromise affects sites on a variety of webhosts, and not all WordPress sites on affected hosts contain the toxic links. All of that would seem to rule out server-wide attacks, compromises based on stolen site credentials, or an exploit of a compromise in WordPress itself.

Sinegubko speculated that the compromise is the result of backdoor code previously installed on the affected websites. One possible way a backdoor could have gotten there is a recently discovered defect in a popular WordPress extension known as TimThumb that allows attackers to upload and execute malicious code on websites that use it.

Sinegubko advised webmasters of compromised sites to look for rogue rules in the .htaccess files in the site root and above the site root directory. So far, he hasn't found an operator of one of the infected WordPress sites who will cooperate in his investigation. Those with information may contact him directly. ®

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.