Phoenix Exploit Kit responsible for mass WordPress compromises

Tuesday, January 31, 2012


The Phoenix Exploit Kit, a popular crimeware kit that provides subscription-based updates to attackers, is believed to be at the heart of a mass compromise of hundreds of WordPress websites.

According to researchers at M86 Security, at least 400 compromised sites based on WordPress 3.2.1 were redirected to malicious pages set up by the Phoenix crimeware kit. According to M86, the attacker uploaded an HTML page to the standard uploads folder redirecting users to the exploit kit.

Phoenix, which has been used by attackers since at least 2007, delivers a customized exploit Web page based on the user's browser and operating system. The malicious code can scan a victim's software for vulnerabilities and then exploit multiple flaws in Adobe Flash, Java, and Internet Explorer. The attack is successful because Phoenix has the ability to easily bypass URL reputation mechanisms and other security technologies, said Daniel Chechik, a senior researcher with M86 Security Labs.

The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user's machine, Chechik wrote in the company's blog.
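The two paragraphs above describe the compromise as a planted HTML redirector sitting in the WordPress uploads folder, unlinked from the site's own pages. A site operator's first check is therefore to look for anything in that folder that is not media, and to look harder at anything that redirects. The following script is an added example written for this article; it is not M86's tooling or code from the WordPress project. It assumes the standard uploads path `wp-content/uploads`, and every file name, path and page body it creates is constructed for illustration.

```python
"""Check a WordPress uploads tree for files that do not belong there.

A legitimate wp-content/uploads tree holds media, so any HTML or PHP
file there is worth a look, and one that redirects visitors (meta
refresh, script-driven location change, hidden iframe) is flagged as
high priority.  Added example; all sample data is constructed.
"""
import os
import re
import tempfile

# Extensions that normally live under wp-content/uploads (media only).
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp3", ".mp4", ".zip"}

# Indicators typical of a redirector page, matched case-insensitively.
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I),
    "script-location": re.compile(
        r'\b(window\.|document\.|top\.)?location(\.href|\.replace)?\s*[=(]', re.I),
    "iframe": re.compile(r"<iframe", re.I),
}


def classify_file(path):
    """Return the reasons a file is suspicious; an empty list means it looks like media."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in MEDIA_EXTENSIONS:
        return reasons
    reasons.append(f"non-media extension {ext or '(none)'}")
    try:
        # Read only the head of the file and decode leniently so binary junk cannot abort the scan.
        with open(path, "rb") as fh:
            text = fh.read(64 * 1024).decode("utf-8", errors="replace")
    except OSError as exc:
        reasons.append(f"unreadable: {exc}")
        return reasons
    for name, pattern in REDIRECT_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"redirect indicator: {name}")
    return reasons


def scan_uploads(root):
    """Walk an uploads tree; return {relative_path: [reasons]} for every suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify_file(full)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_uploads(base):
    """Write a constructed uploads tree: two media files plus one planted redirector page."""
    root = os.path.join(base, "wp-content", "uploads")
    month = os.path.join(root, "2012", "01")
    os.makedirs(month, exist_ok=True)
    with open(os.path.join(month, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
    with open(os.path.join(month, "brochure.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed")
    # The planted page: never linked from the site, reached only through the lure URL.
    # The destination host is a placeholder, not a real address.
    with open(os.path.join(month, "index.html"), "w", encoding="utf-8") as fh:
        fh.write('<html><head><meta http-equiv="refresh" content="0;url=http://example.invalid/landing">'
                 '</head><body><script>window.location="http://example.invalid/landing";</script>'
                 "</body></html>")
    return root


def run_demo():
    """Build the constructed tree in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_uploads(build_sample_uploads(tmp))


if __name__ == "__main__":
    for rel, why in sorted(run_demo().items()):
        print(rel, "->", "; ".join(why))
```

Pointing `scan_uploads` at a real site's `wp-content/uploads` lists every non-media file with the reasons it was flagged; the extension check alone catches the planted page in the case described here, and the redirect indicators separate a stray text file from a page built to send visitors elsewhere.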

A Phoenix phishing attack designed to lure victims into browsing to the malicious pages was detected by security vendor Websense.

The exploit page, according to M86, is hosted on a Russian domain.

Google Chrome users in the clear

Crimeware toolkits are a very popular way for people to conduct attacks without a lot of technical knowledge. M86 reported on the Siberia Exploit Kit, which was updated in 2010 to automate the process of making alternative variants of malware to dupe antivirus technologies. Users of Microsoft Internet Explorer commonly fall victim to the attacks, according to an analysis of a browser automated exploit kit called Eleonore.

Phoenix attacks Internet Explorer and Firefox users. M86 said users of Google Chrome were not targeted in this specific attack.

