A researcher has found evidence of thousands of compromised WordPress blogs that are being used to insert malicious images into Google search results.
The report, from the unmaskparasites.com blog, may be evidence of the aftereffects of a widespread attack on WordPress blogs reported last week, or evidence of a vulnerability in WordPress itself, said Denis Sinegubko, the founder of Unmask Parasites.
Writing on Friday, Sinegubko said he had discovered 4,358 self-hosted WordPress blogs stuffed with images and juicy keywords designed to attract Google’s web crawlers. The compromised blogs didn’t share an owner or a hosting provider. All had been taken over and populated with scores of “doorway” pages – plain template pages formatted to host dozens of keyworded images each.
Sinegubko said he believes that the scammers behind the attack cull images from other Web pages based on their Google image search popularity rating, then repost them on the compromised blogs. While clicking on the images and thumbnails on the compromised blogs won't do anything, clicking the link to the same image in Google image search results will redirect the victim to a Web site that serves Web-based exploits and installs malware, he said.
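The behaviour described above, a page that is harmless when opened directly but redirects visitors who arrive from a Google image search, can be checked for by a site owner without following any redirect. The script below is an added example, not code from Unmask Parasites or the original article; it fetches a URL twice with different request headers and compares the answers. The HTTP fetcher is injected so the check runs offline against a constructed stand-in for a doorway page (`fake_doorway_fetch`, the `malicious.invalid` host and the `GOOGLE_IMAGE_REFERER` value are all constructed for the example).

```python
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

Response = Tuple[int, Dict[str, str], str]           # (status, headers, body)
Fetcher = Callable[[str, Dict[str, str]], Response]  # (url, request headers) -> Response

# Constructed referer imitating a click-through from Google image search results.
GOOGLE_IMAGE_REFERER = "https://www.google.com/imgres?imgurl=example&imgrefurl=example"


def redirect_target(resp: Response) -> Optional[str]:
    """Return where a response sends the visitor, or None if it does not redirect."""
    status, headers, body = resp
    if 300 <= status < 400:
        return next((v for k, v in headers.items() if k.lower() == "location"), None)
    # Crude check for a client-side redirect (meta refresh or script) in the body.
    lowered = body.lower()
    if 'http-equiv="refresh"' in lowered or "window.location" in lowered:
        return "<client-side redirect>"
    return None


def check_referer_cloaking(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch `url` as a direct visitor and as a Google image-search click-through
    and report whether only the referred visitor is redirected (cloaking)."""
    base = {"User-Agent": "Mozilla/5.0"}
    direct = redirect_target(fetch(url, dict(base)))
    referred = redirect_target(fetch(url, {**base, "Referer": GOOGLE_IMAGE_REFERER}))
    off_site = (referred not in (None, "<client-side redirect>")
                and urlparse(referred).netloc not in ("", urlparse(url).netloc))
    return {
        "url": url,
        "direct_redirect": direct,
        "referred_redirect": referred,
        "cloaked": referred is not None and referred != direct,  # differs by referer only
        "redirects_off_site": off_site,
    }


def fake_doorway_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a compromised doorway page: serves the keyword-stuffed
    template to direct visitors, but bounces Google image-search visitors elsewhere."""
    referer = headers.get("Referer", "")
    if urlparse(referer).netloc.endswith("google.com") and "/imgres" in referer:
        return 302, {"Location": "http://malicious.invalid/land.php"}, ""
    return 200, {"Content-Type": "text/html"}, "<html><img src='cat.jpg'>...</html>"


if __name__ == "__main__":
    print(check_referer_cloaking("http://blog.example/?p=42", fake_doorway_fetch))
```

For a live check, replace `fake_doorway_fetch` with a wrapper around `urllib.request` or `requests` that does not follow redirects and returns the status, headers and body of the first response.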
Many of the sites are new and the attackers appear to be using a revolving list of compromised domains to host the attacks. Google’s Safe Browsing Web filtering technology is only detecting around 5% of the compromised pages, he said.
The source of the compromises is unclear. Most of the WordPress blogs hosting the malicious images are patched, though Sinegubko said it's possible the compromises could be due to exploitation of a vulnerability, such as the one discovered last week in TimThumb, an image-resizing utility.
Search engine poisoning using images is a popular method of funneling traffic to malicious Web sites. Attackers frequently tag images with popular subjects or news events, increasing the attractiveness of those images to search engine crawlers. Users who click the links to images or videos are redirected to Web sites that launch attacks on vulnerabilities in their browser or applications, forcing malicious programs onto the machine.