Hackers compromised WordPress 3.2.1 sites to serve Phoenix Exploit Kit

Cybercriminals have compromised hundreds of websites running WordPress 3.2.1 and are redirecting their visitors to the Phoenix Exploit Kit, M86 Security Labs warns.

The attackers uploaded an HTML page to the standard WordPress uploads folder. They did not modify the main page or any other page; only the uploaded file is malicious, which makes the compromise hard to detect.
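Because the only malicious artifact is a web page sitting in the uploads folder, a site owner can look for exactly that: files in the media directory that are not media. The following check is an added example and not code from the article or from M86 Security Labs; the extension allowlist, directory layout and sample files are constructed for the demonstration.

```python
"""Flag non-media files in a WordPress uploads tree (added example; allowlist, paths and sample data are constructed)."""
import os
import re
import tempfile

# File types a WordPress media library normally holds (constructed allowlist).
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp3", ".mp4", ".zip"}

# Markup that has no business in a media file, whatever the extension claims.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|iframe|meta\s+http-equiv)", re.IGNORECASE)

def find_suspicious_uploads(uploads_root):
    """Return sorted paths (relative to uploads_root) that are not plain media.

    A file is flagged when its extension is outside the allowlist, or when the
    first 4 KiB contains script/iframe/refresh markup (a page posing as an image).
    """
    flagged = []
    for dirpath, _dirs, files in os.walk(uploads_root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if ext not in MEDIA_EXTENSIONS or ACTIVE_CONTENT.search(head):
                flagged.append(os.path.relpath(path, uploads_root).replace(os.sep, "/"))
    return sorted(flagged)

def build_sample_uploads():
    """Create a constructed uploads tree: two genuine media files, one dropped HTML
    page and one HTML page disguised with an image extension. Returns its root."""
    root = tempfile.mkdtemp(prefix="uploads-")
    files = {
        "2011/11/photo.jpg": b"\xff\xd8\xff\xe0JFIF-sample-bytes",
        "2011/11/invoice.pdf": b"%PDF-1.4 sample",
        "2011/11/bill.html": b"<html><body><iframe src='http://example.invalid/'></iframe>",
        "2011/12/thumb.jpg": b"<html><script>location='http://example.invalid/'</script>",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for hit in find_suspicious_uploads(build_sample_uploads()):
        print("suspicious:", hit)
```

Run against a real `wp-content/uploads` directory in place of the constructed tree; every hit should be explainable by a known upload, and a timestamp newer than the last legitimate media upload is a further signal worth checking.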

The compromised websites were used to bypass URL reputation mechanisms, spam filters and other security policies. To lure users to the compromised pages, the attackers sent spam mails asking about an unfamiliar bill and urging recipients to click a link, as described on the Websense blog.

A spam mail spotted by Websense:

Subject: Need your help!

Hello! Look, I’ve received an unfamiliar bill, have you ordered anything?
[Here is the bill]

Please reply as soon as possible, because the amount is large and they demand the payment urgently.

Clicking the link leads the recipient to the Phoenix Exploit Kit (via the uploaded page on the compromised site).

The exploit page is hosted on a Russian domain called horoshovsebudet, which roughly translates as “Everything will be fine”. The Phoenix Exploit Kit attempts to exploit multiple vulnerabilities in IE, Adobe PDF, Flash and Oracle Java.

One interesting observation by security researchers is that the Phoenix Exploit Kit is designed to explicitly exclude the Chrome browser, for no obvious reason.

