Researchers at the security firm M86 report that hackers have compromised hundreds of Web sites that use the WordPress content management system. The sites, mostly small Web pages and blogs, are being used to fool spam filters and redirect unwitting visitors to drive by download Websites that will install malicious software on vulnerable systems.
The report, published on Monday, provides a partial list of the compromised WordPress websites, most small and obscure and running WordPress Version 3.2.1. According to the post, on M86’s blog, the attacks are part of an ongoing spam campaign that is driving unwitting victims to install the Phoenix exploit kit.
The compromised WordPress sites may not appear infected. In fact, the malicious Web page uploaded by the attackers is not integrated into the compromised WordPress sites. Instead, it is linked to directly from spam e-mail messages sent out to thousands of potential victims. That spam campaign was first identified by the security firm Websense last week.
According to analysis by M86, the compromised sites are playing a bit part in a much larger campaign to direct traffic to a Russia-based Web site that uses the Phoenix exploit kit to compromise the visitors systems using a range of exploits for Microsoft Internet Explorer, Adobe PDF, Flash and Oracle Java, each tailored to the configuration of the victim’s machine. The WordPress sites are being used to fool spam filters that look for known, malicious Web domains, M86 said.
The Phoenix exploit kit is becoming more popular, having taken a back seat to the notorious Black Hole Exploit kit in recent months. The increased popularity may be due to the kit becoming, essentially, open source after its source code was leaked in June.
It is unclear how the attackers gained access to the WordPress blogs. However, the popularity of that content publishing platform makes it a popular target for online criminalsm, who can use a vulnerability in the platform to take control of hundreds or thousand of Web sites. In the past, WordPress sites have been used to redirect users to sites running the Black Hole exploit kit.
In recent days, security researchers at Spider Labs warned of a string of exploitable holes in the WordPress setup routine. Those vulnerabilities include a PHP code execution bug and a persistent cross-site scripting flaw. They affect WordPress versions 3.3.1 and later.
At the time, WordPress officials said that they’re not planning to fix the vulnerabilities as there’s only a small possibility of exploitation by attackers.