A large number of Joomla websites, and some WordPress sites, have been compromised and set up to serve malware to visitors, mainly fake AVs (scareware).
Germany’s CERT-Bund researchers have investigated this cybercriminal campaign and, according to The H, they found that the attackers have injected iFrames into the hijacked sites to redirect users to an exploit kit via the Sutra Traffic Distribution System.
The initial infections were most likely achieved with the use of automated scripts that exploited known vulnerabilities in the Joomla Content Editor.
In this case, the crooks are making a profit via two channels. First they earn some money from the internauts who pay for the registration fees asked by the fake antivirus applications.
They also make some money by using the traffic redistribution systems detailed around one year ago by experts from Symantec.