30,000 WordPress Sites Infected to Redirect to Fake AV Sites
Fake antivirus is by no means a recent phenomenon. In fact, it has been around for ages, with the first documented instance of fake antivirus reportedly dating back to 1989. Of course, it has become much more widespread over the past few years. But in case you needed reminding that rogue antivirus software continues to be a threat, security firm Websense has just the reminder for you.
The security firm has warned about “a new wave of mass-injections of a well-known rogue antivirus campaign that we've been following in Security Labs for months.” According to the firm, no fewer than 30,000 unique WordPress-based sites have been compromised and injected with malicious code as part of this fake antivirus campaign. Placed at the bottom of the compromised page, the injected code simply redirects visitors to rogue antivirus sites, where they are tricked into downloading and installing a Trojan.
“After a three-level redirection chain, victims land on a fake AV site. In this example, the first chain is the ".rr.nu", and the landing site is the ".de.lv" top-level domain, but the landing site keeps changing,” the company said in a blog post.
“The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run their "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan.”
It’s worth noting that over 85 percent of the compromised sites are based in the United States. However, only about 50 percent of all visitors to these sites are said to be from the U.S., with the rest being spread far and wide.