Mysterious spike in wordpress hacks silently delivers ransomware to visitors _ ars technica

It’s still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users.

In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites. Free backup software for windows 7 The attack sites host code from the Nuclear exploit kit that’s available for sale in black markets across the Internet.

Best backup software for windows 10 People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them.

“WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads,” Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. Free backup software windows 7 “This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit.”

According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites he observed have been hacked to include encrypted code at the end of all legitimate JavaScript files. Best free backup software for windows 7 64 bit The encrypted content is different from site to site, but once decrypted, it looks similar to that shown in the image below:

To prevent detection by researchers visiting the compromised site, the code takes pains to infect only first-time visitors. Pc backup software free download To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload. The best free backup software Sucuri said Google’s Safe Browsing mechanism—which browser makers use to help users avoid malicious websites—had blacklisted some of the Internet domains used in the ruse. Backup driver software A post published Thursday by Heimdal Security, however, listed a different domain, leaving open the possibility that the attackers are regularly refreshing as old ones get flagged.

Heimdal Security also warned that antivirus programs may do little to protect end users. Auto backup software free During the latest leg of the campaign, for instance, the exploit code was detected by just two of the 66 leading AV packages, while the payload it delivered was also limited (the blog post didn’t provide specifics). Program backup software Driveby attacks not just on porn sites anymore

The attacks are the latest reminder that people can be exposed to potent malware attacks even when visiting legitimate websites they know and trust. Server backup software review The best defense against such driveby attacks is to install security updates as soon as they become available. Free backup and restore software Other measures include running Microsoft’s Enhanced Mitigation Experience Toolkit on any Windows-based computers and using the 64-bit version of Google’s Chrome browser if possible.

It’s not yet clear how the WordPress sites are getting infected in the first place. Best backup software for android to pc It’s possible that administrators are failing to lock down the login credentials that allow the site content to be changed. Free disk backup software It’s also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Best backup software for mac Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that’s causing many hacked sites to be repeatedly reinfected. Best local backup software As Sucuri researcher Denis Sinegubko wrote:

The malware tries to infect all accessible .js files. Automatic file backup software This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination. Win 7 backup software It’s not enough to clean just one site (e.g. Top free backup software the one you care about) or all but one (e.g. Easy backup software you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection. Best free data backup software In other words, you either need to isolate every site or clean/update/protect all of them at the same time!

People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication. Sql backup software This post will be updated if researchers uncover a cause of this ongoing hack campaign. List of backup software Until then, admins and end users alike should stay vigilant for signs one of their systems is being targeted and follow the usual best practices listed earlier.