Our Incident Response Team (IRT) has been tracking a mass infection campaign over the last 2 weeks ( codenamed “Realstatistics”). This campaign has compromised thousands of websites built on the Joomla! and WordPress Content Management System (CMS). We have codenamed the campaign “Realstatistics” because of the domain being used by the attackers. The following fake analytics code was… More Info »
Tag Archives: Website Malware
New Wave of the Test0/Test5.com Redirect Hack
Last week we described the hack that randomly redirected site visitors either to a parked test0 .com domain or to malicious sites via the default7 .com domain. This week the default7 .com domain went down but the attackers returned with a new wave of site infections and the new redirecting domain – test5 .xyz (registered just a fewRead More Info »
WordPress Redirect Hack via Test0.com/Default7.com
We’ve been working on a few WordPress sites with the same infection that randomly redirects visitors to malicious sites via the default7 .com / test0 .com / test246 .com domains. In this post, we’ll provide you with a review of this attack, investigated by our malware analyst, John Castro. Header.php Injection In all cases, theRead More Info »
Website Ransomware – CTB-Locker Goes Blockchain
During the last couple of years, website ransomware has become one of the most actively developing types of malware. After infamous fake anti-viruses, this it the second most prominent wave of malware that makes money by directly selling “malware removal” services to users of infected computers. But unlike fake anti-viruses, that were mostly harmless, and used as aRead More Info »
Website Malware – Evolution of Pseudo Darkleech
Last March we described a WordPress attack that was responsible for hidden iframe injections that resembled Darkleech injections: declarations of styles with random names and coordinates, iframes with No-IP host names, and random dimensions where the random parts changed on every page load. Back then, we identified that it was not a server-level infection. TheRead More Info »
vBulletin Exploits in the Wild
The vBulletin team patched a serious object injection vulnerability yesterday, that can lead to full command execution on any site running on an out-of-date vBulletin version. The patch supports the latest versions, from 5.1.4 to 5.1.9. The vulnerability is serious and easy to exploit; it was used to hack and deface the main vBulletin.com website. As aRead More Info »
WordPress Malware – VisitorTracker Campaign Update
For the last 3 weeks we have been tracking a malware campaign that has been compromising thousands of WordPress sites with the VisitorTracker malware code. We initially posted some details about this issue on this blog post: WordPress Malware – Active VisitorTracker Campaign, but as the campaign and the malicious code has evolved, we decided provideRead More Info »
.htaccess Tricks in Global.asa Files
As you might know a lot of hacks use Apache configuration .htaccess files to override default web site behavior: add conditional redirects, create virtual paths (e.g mod_rewrite), auto-append code to PHP scripts, etc. In the world of IIS/ASP there is also an equivalent — Global.asa files. This file contains common declarations for all ASP scripts andRead More Info »
Website Malware – The SWF iFrame Injector Evolves
Last year, we released a post about a malware injector found in an Adobe Flash (.SWF) file. In that post, we showed how a .SWF file is used to inject an invisible, malicious iFrame. It appears that the author of that Flash malware continued with this method of infection. Now we are seeing more varieties More Info »
Website Malware – The SWF iFrame Injector Evolves
Last year, we released a post about a malware injector found in an Adobe Flash (.SWF) file. In that post, we showed how a .SWF file is used to inject an invisible, malicious iFrame. It appears that the author of that Flash malware continued with this method of infection. Now we are seeing more varietiesRead More Info »