Rogue Antivirus Campaign Targets WordPress

A new wave of mass-injections of a fake antivirus campaign that appears to be targeting sites hosted by popular blogging platform WordPress, according to Websense it has detected

The company says that it has been tracking the threat for the last few months and that more than 200,000 web pages have been affected on nearly 30,000 websites

Stop, it’s a trap

The injection uses a three level redirection chain that takes users from compromised sites to a rogue antivirus site that attempts to trick them into downloading and installing a Trojan onto their system. The rogue AV site opens a page that appears to perform a scan on the computer and scares users by saying that it has detected a number of Trojans on their hard drive.

The page looks like a Windows Explorer window, albeit Windows XP, but in reality is simply a pop-up within the web browser. It tells users to download and run a bogus antivirus tool to remove the Trojans, but the fake software is in fact itself a Trojan.

Websense reports that although 85 percent of the compromised sites are located in the US, visitors are more widely dispersed. Rogue antivirus campaigns have long affected users of Windows and last year, Apple was forced to admit the threat of MadDefender scareware and issue instructions on how to avoid it or remove it.

Stop and reboot

“Websites can often get hacked through known security issues where software (the type used to host the site) is not kept up to date,” commented Mark James, technical team leader at ESET UK. Furthermore, compromised servers that have code injected into the website itself at source, again through poor security or “backdoors”, pose a problem.”

“Another security issue that can happen, is people forget to reset/change ‘default’ passwords or administrator logins when they use ‘off the shelf’ or free software,” he added. Often these programmes have secret access keys built in that need to be changed and will thus allow complete access to the system. “

He recommends that if a user is redirected they should, rather sensibly but fairly obviously, stop what they are doing, close the browser either “forcefully or gracefully” before rebooting and running a full antivirus scan.

This new security threat comes almost exactly a year after WordPress was hit by a large Distributed Denial of Service (DDoS) attack that affected connectivity to a number of its hosted blogs. The attack was the largest that the blogging platform had ever seen and was said to have originated from China. It later admitted that the hackers had gained access to multiple servers and stole the source code that powered the blogs of many of its customers.

Are you safe from Trojans? Take our quiz