Insecure WordPress blogs unwittingly host Blackhole malware attack

Insecure WordPress blogs unwittingly host Blackhole malware attack

SophosLabs has intercepted a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit.

Be on your guard if you have received an email entitled “Verify your order”, as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.

Here’s what a typical email looks like:

Malicious email

Subject: Verify your order

Message body:
Dear [name],

please verify your order #[random number] at [LINK]

We hope to see you again soon!

WordPressThe websites that are being linked to aren’t ones that have been created by the malicious hackers.

They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the service – the vulnerable sites are those where people have installed their own WordPress software).

Unfortunately, some people haven’t properly secured their sites – which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users’ computers.

Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM.

More and more of the attacks that we are intercepting involve the Blackhole exploit kit – recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications.

Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins that it might use).