Hackers compromised WordPress 3.2.1 sites to serve Phoenix Exploit Kit

CyberCriminals compromised hundreds of websites based on WordPress 3.2.1 and redirect the visitors to Phoenix Exploit Kit , M86 Security Labs warns.

Hackers uploaded a HTML page to the standard uploads folder. They haven't infect main page or any other page except the uploaded page so that it can't be detected easily.

They used the compromised websites to bypass URL reputation mechanisms, spam filters and other security policies.

In order to lure users to compromised pages, the attacker sent spam mails querying an unfamiliar bill and asking recipients to click on a link as described by Websense blog.

A spam mail spotted by Websense:

Subject: Need your help!

Hello ! Look, I've received an unfamiliar bill, have you ordered anything?
[Here is the bill]

Please reply as soon as possible, because the amount is large and they demand the payment urgently

Clicking the link will lead recipient to the Phoenix Exploit Kit(via the compromised Uploaded page).

The exploit page is hosted in a Russian domain called horoshovsebudet which roughly translates as “Everything will be fine”. The Phoenix Exploit Kit attempts exploiting multiple vulnerabilities in IE Adobe PDF, Flash and Oracle Java .

Interesting observation made by Security experts reveals that Phoenix Exploit Kit is designed such that it will explicitly exclude the Chrome browser for no obvious reason.