Compromised websites direct users to scareware

Jul 17, 2010 09:11 GMT  ·  By

Sucuri Security, a provider of Web integrity monitoring solutions, warns that a new wave of malicious code injection attacks is targeting outdated WordPress sites. Users visiting the compromised websites will be directed to pages serving a FakeAV variant.

The new attacks are a reiteration of the mass compromises that affected thousands of WordPress blogs hosted at GoDaddy, BlueHost and other companies in recent months. The hackers perform automated scans to locate vulnerable installations and inject rogue code into the PHP pages.

This code is obfuscated with base64 encoding; when decoded and evaluated, it outputs an HTML script element that loads content from an external domain. In this case, the script's src attribute points to a PHP script on whereisdudescars.com.

This script only serves as a redirector to other malicious domains, apparently from the .co.cc space. Sucuri mentions realprotection36.co.cc, but when we tested we got redirected to a different one. Regardless of the domain name, the landing pages are part of a typical scareware scheme and mimic antivirus scans.

At the end of the fake scanning procedure, users are told that their computers are infected and are asked to download a file called packupdate###_####.exe (where # is a random digit). These files are the installers for a new FakeAV variant, which at the moment has a very low AV detection rate.

“What is interesting is the people behind this attack. Do you remember the losotrana attack amongst the various others we’ve discussed in the past few months? Well, the people involved in this one are the same. Check out the WHOIS contact info for whereisdudescars.com. It’s the same [email protected] that registered losotrana.com, holasionweb.com and others,” David Dede, a security researcher at Sucuri, writes.

The security vendor has also developed an automated script that people can use to clean their compromised websites. The script can be downloaded from http://sucuri.net/malware/helpers/wordpress-fix_php.txt, needs to be renamed to .php, uploaded to the server and executed by accessing it in a browser. If this method doesn't work, the company offers technical assistance for a fee.
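For site owners who want to check their own PHP files for the kind of injection described above, the following added example (not Sucuri's script and not code from this article) finds eval(base64_decode(...)) calls, decodes the payload and reports any external script source it loads. It assumes the injection uses a literal quoted base64 string; the function names, the sample page and the injected.example domain are constructed for illustration.

```python
import base64
import binascii
import re

# eval(base64_decode('...')) with either quote style and optional whitespace
INJECT_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
# src attribute of a <script> element inside the decoded payload
SRC_RE = re.compile(r"""<script[^>]*\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)


def scan_php(source):
    """Return one finding per eval(base64_decode(...)) call in PHP source."""
    findings = []
    for m in INJECT_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        try:
            raw = base64.b64decode("".join(m.group(2).split()), validate=True)
        except (binascii.Error, ValueError):
            # Looks like the pattern but is not valid base64: flag for manual review
            findings.append({"line": line, "decoded": None, "script_src": []})
            continue
        text = raw.decode("utf-8", errors="replace")
        findings.append({"line": line, "decoded": text,
                         "script_src": SRC_RE.findall(text)})
    return findings


def make_sample():
    """Constructed sample: a PHP page with one injected line (not real attack code)."""
    payload = 'echo \'<script src="http://injected.example/js.php"></script>\';'
    blob = base64.b64encode(payload.encode()).decode()
    return (
        "<?php eval(base64_decode('" + blob + "')); ?>\n"
        "<?php\n"
        "// legitimate theme code follows\n"
        "get_header();\n"
        "$img = base64_decode($row['thumb']);  // no eval, must not be flagged\n"
    )


if __name__ == "__main__":
    for f in scan_php(make_sample()):
        print(f"line {f['line']}: loads {f['script_src'] or 'nothing recognisable'}")
```

A finding with an empty script_src list still deserves a manual look, since the decoded payload may do something other than emit a script element.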

You can follow the editor on Twitter @lconstantin