Categories: SecurityWorkspace

Rogue Antivirus Campaign Targets WordPress

A new wave of mass-injections of a fake antivirus campaign that appears to be targeting sites hosted by popular blogging platform WordPress, according to Websense it has detected

The company says that it has been tracking the threat for the last few months and that more than 200,000 web pages have been affected on nearly 30,000 websites

Stop, it’s a trap

The injection uses a three level redirection chain that takes users from compromised sites to a rogue antivirus site that attempts to trick them into downloading and installing a Trojan onto their system. The rogue AV site opens a page that appears to perform a scan on the computer and scares users by saying that it has detected a number of Trojans on their hard drive.

The page looks like a Windows Explorer window, albeit Windows XP, but in reality is simply a pop-up within the web browser. It tells users to download and run a bogus antivirus tool to remove the Trojans, but the fake software is in fact itself a Trojan.

Websense reports that although 85 percent of the compromised sites are located in the US, visitors are more widely dispersed. Rogue antivirus campaigns have long affected users of Windows and last year, Apple was forced to admit the threat of MadDefender scareware and issue instructions on how to avoid it or remove it.

Stop and reboot

“Websites can often get hacked through known security issues where software (the type used to host the site) is not kept up to date,” commented Mark James, technical team leader at ESET UK. Furthermore, compromised servers that have code injected into the website itself at source, again through poor security or “backdoors”, pose a problem.”

“Another security issue that can happen, is people forget to reset/change ‘default’ passwords or administrator logins when they use ‘off the shelf’ or free software,” he added. Often these programmes have secret access keys built in that need to be changed and will thus allow complete access to the system. “

He recommends that if a user is redirected they should, rather sensibly but fairly obviously, stop what they are doing, close the browser either “forcefully or gracefully” before rebooting and running a full antivirus scan.

This new security threat comes almost exactly a year after WordPress was hit by a large Distributed Denial of Service (DDoS) attack that affected connectivity to a number of its hosted blogs. The attack was the largest that the blogging platform had ever seen and was said to have originated from China. It later admitted that the hackers had gained access to multiple servers and stole the source code that powered the blogs of many of its customers.

Are you safe from Trojans? Take our quiz

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

21 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

22 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

23 hours ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago