Feeds

Hackers booby-trap WordPress site with botnet-weaving Trojan

Crooks lure punters in with LinkedIn lies

High performance access to file storage

Malware-flingers are taking advantage of vulnerable WordPress sites as part of an attack ultimately designed to spread an information-stealing botnet agent.

Cybercrooks begin the attack by planting malicious scripts on vulnerable sites. Prospective marks are then lured to compromised sites via spammed messages that purport to come from known legitimate sources including Better Business Bureau and LinkedIn, among others. The crooks use social engineering tactics to entice unsuspecting users to click the link found in the email.

Clicking on links in these spam messages points surfers towards compromised WordPress sites – and not the legitimate sites users might have expected to visit. Redirection scripts on compromised sites expose surfers to a variety of drive-by download attacks that attempt to take advantage of well-known (and already patched) Adobe Reader and Windows flaws to drop malware onto poorly secured Windows PCs.

The attack, which uses the infamous Blackhole Exploit kit, is geared towards spreading the Cridex Trojan, an information-stealing strain of malware. Cridex established a botnet using compromised Windows boxen, as explained in a write-up by Trend Micro.

"This malware intercepts browser requests and changes the displayed content according to the configuration, written by the administrator of the botnet," Trend explains. "This way, cybercriminals can trick users into entering valuable information without raising suspicion. It was also found to generate several random domains using domain generating algorithms (DGA)."

A full write-up of the attack, complete with screenshots of spam samples that have featured in the attack, can be found in a blog post by Trend Micro here.

More on the Cridex Trojan can be found in an earlier blog post by M86 Security here.

Earlier this month, Websense warned that vulnerable WordPress content management systems are being abused to promote fake anti-virus (AKA scareware) scams.

"The majority of targets are websites hosted by the WordPress content management system, it said. "At the time of writing, more than 200,000 web pages have been compromised, amounting to close to 30,000 unique websites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.