Thousands of websites that run the WordPress content management system have been hijacked by hackers to infect unsuspecting visitors with malware. Although the campaign began 15 days ago, its activity has increased tremendously in the past 2 days, as the number of websites being hijacked per day rose from 1000 to 6000.
The hijacked websites are used as relays that redirect any visitor to a server hosting attack code provided by the Nuclear Exploit Kit. The exploit used to damage the visitor's system and data depends on the operating system as well as the apps that are installed on the system.
Daniel Cid (Sucuri's CTO) said:
“If you think about it, the compromised websites are just means for the criminals to get access to as many endpoint desktops as they can. What’s the easiest way to reach out to endpoints? Websites, of course.”
According to the report by Sucuri, the attackers exploit vulnerabilities in WordPress plugins, but this claim has not been confirmed.
Google has launched a service that blacklists the compromised websites and warns users before they visit them. 17% of the websites infected by the campaign have already been blacklisted. One stunning piece of information is that the attackers have managed to gain access to Coverity, a security provider, and are using it for their redirection mechanism.
The report advises WordPress users to keep all their plugins updated to protect against this malicious campaign. It also provides website owners with a Sucuri scanning tool to check whether their website has been affected by the VisitorTracker campaign.
Monday, September 21, 2015