Security researchers are warning that some 30,000 WordPress websites, 85% of them based in the US, have been compromised by a mass-injection hijack attack which sees visitors to any of more than 200,000 individual pages redirected to a Trojan infected rogue AV scam.

The senior security researcher with Websense Labs, Elad Sharf, admits that while rogue AV is old hat these days it's obviously still a money-making exercise and one that turns enough profit for the bad guys for them to keep plodding away at it. "With such a high number of compromised web pages and websites in this on-going campaign, it's evident these scams are still working. Websense Security Labs has been following this mass injection campaign for months and we've seen over 200k web pages and close to 30k unique websites compromised" Sharf says, adding "vulnerable websites are a rich source of opportunity for cybercriminals".

According to the researchers who have been working with data from the Websense Threatseeker Network, the vast majority of the targets of this latest mass-injection exploit are based in the US. In fact, some 85% of them it would seem, and most are also hosted by the WordPress content management system.

The actual code that is injected into these vulnerable sites is pretty short, as is the norm, and can be found nestling just before the closing 'body' tag at the bottom of an infected page. What it does is the same old same old, hijacking unsuspecting visitors to those pages and redirecting them, via a three-level chain in this instance, to a rogue AV site where social engineering and fear factor techniques are employed in an attempt to get them to install malware in the form of a Trojan.

Websense Security Labs discovered that the first link in the redirection chain points to a rr.nu domain (which is the South Pacific island state of Niue) and ultimately drops the user onto a landing page at a de.lv domain in Latvia. Or at least it may be, as the landing page is changing all the time so the researchers have found. One thing that doesn't change is what happens when the victim arrives, and that is the fake scanning of the computer which results in a 'you are infected' popup claiming a bunch of equally fake malware detections.

The bad guys have made the page look as much like a Windows Explorer window as possible, complete with a Windows Security Alert dialogue box in order to help convince the victim that everything is genuine. If successful, the victim will follow the prompts to download and install an antivirus application which is nothing of the sort, instead being a Trojan executable

Attachments wordpressscrae.jpg 45.32 KB

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

5 Years
Discussion Span
Last Post by occirats

Contact your AV security vendor, and if you do not have one then contact Websense (use the link in the article itself as a starting point) and ask them for advice on removal. I'm sure they will point you in the right direction.

Edited by happygeek: typo


aside from your normal AV client, i would recommend you try scanning your system with Malware bytes scanning tool. they have a free tool you can download.


thank you..i did do malwarebytes and it removed it i am pretty sure, but not certain..

my AV is microsoft security essentials...i will contact websense if i cant get any results..thank you

Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.