The Websense ThreatSeeker Network has detected a new wave of mass injections of a well-known exploit and the majority of targets are websites hosted by the WordPress content management system.
Websense sources said that more than 200,000 Web pages have already been compromised, amounting to close to 30,000 unique websites (hosts).
The injection hijacks visitors to the compromised sites and redirects them to rogue AV (anti-virus) sites that attempt to trick them into downloading and installing a Trojan onto their computer.
After a three-level redirection chain, victims land on a fake AV site. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans, said people tracking the threat at Websense.
The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application. However, it is only a pop-up window within the browser. The fake anti-virus then prompts visitors to download and run their "anti-virus tool" to remove the supposedly found Trojans. The executable is itself the Trojan.
"It is, we think, an interesting observation that more than 85 percent of the compromised sites are in the United States, while visitors to these websites are more geographically dispersed," said a Websense expert. "We think it's useful to note that while the attack is specific to the US, everyone is at risk when visiting these compromised pages."
"There's nothing new about rogue AV scams," said Elad Sharf, senior security research, Websense Security Labs. "With such a high number of compromised Web pages and websites in this on-going campaign, it's evident these scams are still working. With thousands of compromised sites live at this very moment, companies need real-time security to battle new threats on the fly."
Websense Security Labs said it continues to monitor the evolution of this campaign.
Sign up for Computerworld eNewsletters.