Attackers have hijacked thousands of websites running the WordPress content management system and are using them to infect unsuspecting visitors with potent malware exploits, researchers said Thursday.
The campaign began 15 days ago, but over the past 48 hours the number of compromised sites has spiked, from about 1,000 per day on Tuesday to close to 6,000 on Thursday, Daniel Cid, CTO of security firm Sucuri, said in a blog post. The hijacked sites are being used to redirect visitors to a server hosting attack code made available through the Nuclear exploit kit, which is sold on the black market. The server tries a variety of different exploits depending on the operating system and available apps used by the visitor.
In the blog post, Cid explained that the number of sites targeted per day went from 1,000 on Tuesday to almost 6,000 by Thursday as attackers aggressively look to target end users.
“If you think about it, the compromised websites are just means for the criminals to get access to as many endpoint desktops as they can,” Cid said. “What’s the easiest way to reach out to endpoints? Websites, of course.”
Just 17% of sites blocked
The malware, known as ‘visitorTracker_isMob’, is thought to be taking advantage of vulnerabilities in WordPress plugins. However, Sucuri still hasn’t been able to work out how the sites are actually being hacked into.
Google has already blocked some 17% of the attacked sites. The warnings inform users that the site in question has been compromised and give them the choice of whether to proceed or not. Cid went on to add that the attackers have also managed to crack security provider Coverity, something that is being used to their advantage.