Compromised WordPress sites lead to Phoenix exploit kit

Several hundred compromised websites that at first glance don’t appear to be malicious have been discovered by M86 researchers.

The websites – mostly blogs and small, private pages – use WordPress 3.2.1 and have been uploaded with an HTML page which redirects the users via a hidden iFrame to a page hosting the Phoenix exploit kit.

“The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user’s machine. ” explained the researchers.

The aforementioned approach has been used to evade spam filters and URL reputation mechanisms, as the link to the malicious pages were sent to users via spam emails pretending to come from a friend and asking about an unfamiliar and large bill.

Once the user clicks on the link, he is immediately redirected to the exploit page which is hosted on a Russian domain. The exploit kit automatically identifies the User Agent of the client machine and delivers a customized exploit Web page.

The kit then tries to exploit a number of Microsoft Internet Explorer, Adobe PDF, Flash and Oracle Java and, if it succeeds, delivers a variant of the information-stealing Cridex Trojan.

Unfortunately, the question of how the WordPress-based sites were compromised in the first place is still unanswered, but it seems likely that the attackers have found a vulnerability to misuse.