Pirate Bay cloned and serving up malware
Posted by: Timothy Weaver on 04/08/2015 08:48 AM
[
Comments
]
MalwareBytes has found in the last few days that multiple WordPress sites are injected with a malicious iframe.
Jerome Segura, Senior security researcher at Malwarebytes Labs, said: "This exploit kit targets most browser plugins but it focuses in particular on the Flash Player which was affected by no less than three zero days in the span of a month."
The iframe redirects victims to a phony version of The Pirate Bay site. Once there, victims are served the Nuclear exploit kit via a drive-by download attack.
"And I can add something that I didn't mention originally, in that the site does not index real torrent results but rather pushes a program, maybe to collect affiliate kickbacks," he said.
"We believe it has to do with a WordPress plugin rather than the CMS itself," Segura noted. "We have seen similar attacks in recent months taking advantage of the RevSlider Plugin and this could be linked to it."
"Once the vulnerability has been exploited, the bad guys usually upload backdoors and shells designed to not only maintain control of the compromised website but also alter its core files, such as injecting iframes," he added.
WordPress is one of the most popular content management software. Segura suggested that all users of WordPress make sure the software is up to date and that users not try accessing the sites from public WiFi sites.
Source: Securityweek
Jerome Segura, Senior security researcher at Malwarebytes Labs, said: "This exploit kit targets most browser plugins but it focuses in particular on the Flash Player which was affected by no less than three zero days in the span of a month."The iframe redirects victims to a phony version of The Pirate Bay site. Once there, victims are served the Nuclear exploit kit via a drive-by download attack.
"And I can add something that I didn't mention originally, in that the site does not index real torrent results but rather pushes a program, maybe to collect affiliate kickbacks," he said.
"We believe it has to do with a WordPress plugin rather than the CMS itself," Segura noted. "We have seen similar attacks in recent months taking advantage of the RevSlider Plugin and this could be linked to it."
"Once the vulnerability has been exploited, the bad guys usually upload backdoors and shells designed to not only maintain control of the compromised website but also alter its core files, such as injecting iframes," he added.
WordPress is one of the most popular content management software. Segura suggested that all users of WordPress make sure the software is up to date and that users not try accessing the sites from public WiFi sites.
Source: Securityweek
Comments
