Insecure WordPress blogs unwittingly host Blackhole malware attack

Filed Under: Featured, Malware, Spam, Vulnerability

SophosLabs has intercepted a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit.

Be on your guard if you have received an email entitled "Verify your order", as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.

Here's what a typical email looks like:

Malicious email

Subject: Verify your order

Message body:
Dear [name],

please verify your order #[random number] at [LINK]

We hope to see you again soon!

WordPressThe websites that are being linked to aren't ones that have been created by the malicious hackers.

They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the service - the vulnerable sites are those where people have installed their own WordPress software).

Unfortunately, some people haven't properly secured their sites - which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users' computers.

Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM.

More and more of the attacks that we are intercepting involve the Blackhole exploit kit - recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications.

Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins that it might use).

, , , , ,

You might like

12 Responses to Insecure WordPress blogs unwittingly host Blackhole malware attack

  1. @ethicalhack3r · 1154 days ago


    Is there any indication as to which specific vulnerabilities are being exploited within WordPress or any of its third party code?


    • Graham Cluley · 1154 days ago

      Not that we have determined so far I'm afraid. But nonetheless, we know that many bloggers are running out-of-date versions of WordPress - always a good idea to keep it updated, and ensure that you have permissions set up correctly and are only running appropriate (and up-to-date) plugins.

      Some good advice here:

  2. sucuriblog · 1154 days ago

    Also, WordPress users can scan their sites here: (quick free scan) to see if they are outdated or hosting any visible malware.

  3. Chilliwack Design · 1154 days ago

    Always keep WordPress and your plugins updated to the newest version. Even if your plugins are deactivated, they are still accessible and can pose a threat if they're not kept up to date.

    Also make sure that if you have any file-upload plugins on your site that they're secure by restricting the file extensions that can be uploaded.

  4. Just Ask Kim · 1151 days ago

    Do you have a post on what you feel the proper process is for securing WordPress?

  5. PC.Tech · 1146 days ago

    @ Just Ask Kim

    "WordPress Plugin" search results ...
    Found: 408 Secunia Security Advisories ...

    "... does -not- include the many millions of bloggers who use the service - the vulnerable sites are those where people have installed their own WordPress software..."


  6. Jenna · 1135 days ago

    So I just disabled the plugins in Chrome; according to my tools icon it's now disabled for Windows too? Is this right? Am I safe now? And how can I tell if I'm already infected?

  7. K Taylor · 977 days ago

    This problem is now hitting Drupal something fierce.

    I've been fighting this for over a month, it is a very persistent little bugger. You can read my saga here:

    Desktop based AV systems can keep your desktop clean... but cleaning your website code is a serious pain in the backside, there seems to be no tools to clean your infected website files. What's worse - is that even after cleaning the exploit infection it can recur within minutes or hours.

    Also beware of free site scan tools like Securi. They often simply reference what Google has found and flagged themselves, which can lead to you pulling your hair out because you delete the infected files or even all of the files and they still report infections because they are referncing old Google Webmaster Tools reports. These sites arent dangerous to your site but they can reference old data so they are of little use in realtime scanning to see if you've succeeded in removing the infection.

  8. Alex Zarfati · 847 days ago

    I like it . Nice information. thanks !!!

  9. medyum istanbul · 836 days ago

    Greetings! Very useful advice within this post! It's the little changes that will make the greatest changes. Thanks a lot for sharing!

  10. medyum · 797 days ago

    It’s hard to come by knowledgeable people on this subject, however, you sound like you know what you’re talking about! Thanks

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley