Websense has detected a new wave of mass injections from a well-known rogue antivirus campaign. More than 200,00 web pages have been compromised, amounting to close to 30,000 unique Web hosts; the majority of the targets are sites hosted on the WordPress CMS.
The compromised websites redirect users to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer.
The attackers inject an external JavaScript include at the end of the web page, just before the </body> tag. After a three-level redirection chain, victims land on a fake AV site.
The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it.
The fake scanning process looks like a normal Windows application; however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run its "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan.
Researchers observed that more than 85% of the compromised sites are in the United States.
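The injection described above has a recognisable shape: an external script include appended as the last thing before </body>. The following is an added example, not code from Websense or from the report, of a page check a site owner could run over saved WordPress output to surface such tags; the site hostname, the allowlist and the sample page are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# <script ... src=...></script>; the campaign appends one loading an off-site .js
# file immediately before </body>.
SCRIPT_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)["\']?[^>]*>\s*</script\s*>',
    re.IGNORECASE,
)
BODY_CLOSE_RE = re.compile(r"</body\s*>", re.IGNORECASE)


def find_external_scripts(html, site_host, allowlist=()):
    """Report <script src> tags loading from hosts other than the site itself,
    noting whether each sits in the run of scripts directly before </body>."""
    matches = list(SCRIPT_RE.finditer(html))
    body_close = BODY_CLOSE_RE.search(html)

    # Walk backwards from </body>: a script belongs to the trailing run while
    # only whitespace separates it from the element after it.
    trailing = set()
    if body_close:
        end = body_close.start()
        for m in reversed(matches):
            if m.start() >= end:
                continue  # script after </body>: not part of this check
            if html[m.end():end].strip():
                break  # real content in between: the trailing run ends here
            trailing.add(m.start())
            end = m.start()

    findings = []
    for m in matches:
        src = m.group(1)
        host = urlparse(src).hostname  # None for relative and root-relative paths
        if host is None or host == site_host or host in allowlist:
            continue
        findings.append({"src": src, "host": host,
                         "before_body_close": m.start() in trailing})
    return findings


# Constructed sample page: a legitimate CDN script in <head>, a local WordPress
# script, and an injected external loader appended right before </body>.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.net/jquery.min.js"></script>
</head><body>
<p>Site content</p>
<script src="/wp-includes/js/wp-embed.min.js"></script>
<script src="http://injected-loader.example/counter.js"></script>
</body></html>"""
```

Running `find_external_scripts(SAMPLE_PAGE, "victim.example", ("cdn.example.net",))` returns only the injected loader, flagged with `before_body_close` set; the check is a triage aid for hosting operators, not proof of compromise on its own.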