Fake AV Attack Targets WordPress Users

Security company Websense has detected a new wave of mass-injections of a well-known rogue antivirus campaign, targeting websites hosted by the WordPress content management system.

The company said yesterday that more than 200,000 web pages had been compromised, amounting to around 30,000 unique websites. The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer.

Wensense said the rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a “Windows Security Alert” dialogue box in it, and the fake scanning process looks like a normal Windows application.

The fake antivirus then prompts visitors to download and run their “antivirus tool” to remove the supposedly found Trojans, but the executable is itself the Trojan.

“There’s nothing new about rogue AV scams. With such a high number of compromised web pages and websites in this on-going campaign, it’s evident these scams are still working,” said Elad Sharf, senior security researcher at Websense Labs.

“Vulnerable websites are a rich source of opportunity for cybercriminals. With thousands of compromised sites live at this very moment, companies need real-time security to battle new threats on the fly.”

More than 85 percent of the compromised sites are in the United States. However, Websense warns that everyone is at risk when visiting these compromised pages.

A report by antivirus vendor Kaspersky in October last year found that attacks that distribute fake antivirus software had decreased considerably, due to a combination of law enforcement efforts, improvements in search engine filtering algorithms, and actions undertaken by the security community to disrupt cybercriminal distribution networks.