The Phoenix Exploit Kit, a popular crimeware kit that provides subscription based updates to attackers, is believed to be at the heart of a mass compromise of hundreds of WordPress websites.
According to researchers at M86 Security, at least 400 compromised sites running WordPress 3.2.1 redirected visitors to malicious pages set up with the Phoenix crimeware kit. According to M86, the attacker uploaded an HTML page to the standard WordPress uploads folder that redirects users to the exploit kit.
Phoenix, which has been used by attackers since at least 2007, delivers a customized exploit Web page based on the user’s browser and operating system. The malicious code can scan a victim’s software for vulnerabilities and then exploit multiple flaws in Adobe Flash, Java, and Internet Explorer. The attack is successful because Phoenix has the ability to easily bypass URL reputation mechanisms and other security technologies, said Daniel Chechik, a senior researcher with M86 Security labs.
“The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user’s machine,” Chechik wrote in the company’s blog.
The exploit page, according to M86, is hosted on a Russian domain.
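As an added defensive example (not M86's code and not part of the original article), the following script walks a WordPress uploads tree and flags files that are not media, marking those that contain a client-side redirect of the kind described above; the directory layout, the media extension list, the redirect patterns and the sample files are constructed assumptions.

```python
import os
import re
import tempfile

# Extensions WordPress itself writes into wp-content/uploads (media only).
# Assumption: anything outside this list deserves review.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp3", ".mp4"}

# Client-side redirect constructs typical of an injected landing page.
REDIRECT_PATTERNS = [
    re.compile(r'http-equiv\s*=\s*["\']?refresh', re.I),
    re.compile(r'(window|document|top|self)\.location(\.href)?\s*=', re.I),
    re.compile(r'<iframe[^>]*(width|height)\s*=\s*["\']?0\b', re.I),
]

def classify_file(path):
    """Return a finding dict for a non-media file, or None if it is media."""
    ext = os.path.splitext(path)[1].lower()
    if ext in MEDIA_EXTENSIONS:
        return None
    finding = {"path": path, "reason": "non-media extension " + (ext or "(none)"), "redirect": False}
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(65536)  # a redirect stub fits in the first 64 KiB
    if any(p.search(head) for p in REDIRECT_PATTERNS):
        finding["redirect"] = True
        finding["reason"] += ", contains client-side redirect"
    return finding

def scan_uploads(root):
    """Walk the uploads tree; redirecting pages are listed first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = classify_file(os.path.join(dirpath, name))
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: (not f["redirect"], f["path"]))

def build_sample_tree():
    """Constructed sample: a legitimate photo plus an injected redirect page."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(root, "2011", "11")
    os.makedirs(month)
    with open(os.path.join(month, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG magic bytes; contents do not matter here
    with open(os.path.join(month, "go.html"), "w") as fh:
        fh.write('<meta http-equiv="refresh" content="0;url=http://redirect-target.example/">')
    return root
```

Calling `scan_uploads(build_sample_tree())` returns a single finding for go.html; pointing `scan_uploads` at a live site's wp-content/uploads directory lists every non-media file there for review.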
Google Chrome users in the clear
Crimeware toolkits are a very popular way for people to conduct attacks without much technical knowledge. M86 reported on the Siberia Exploit Kit, which was updated in 2010 to automate the creation of alternative malware variants that dupe antivirus technologies. Users of Microsoft Internet Explorer commonly fall victim to such attacks, according to an analysis of an automated browser exploit kit called Eleonore.
Phoenix attacks Internet Explorer and Firefox users. M86 said users of Google Chrome were not targeted in this specific attack.