The Phoenix Exploit Kit, a popular crimeware kit that provides subscription-based updates to attackers, is believed to be at the heart of a mass compromise of hundreds of WordPress websites.
According to researchers at M86 Security, at least 400 compromised sites based on WordPress 3.2.1 were redirected to malicious pages set up by the Phoenix crimeware kit. According to M86, the attacker uploaded an HTML page to the standard uploads folder that redirected users to the exploit kit.
Phoenix, which has been used by attackers since at least 2007, delivers a customized exploit Web page based on the user’s browser and operating system. The malicious code can scan a victim’s software for vulnerabilities and then exploit multiple flaws in Adobe Flash, Java, and Internet Explorer. The attack is successful because Phoenix has the ability to easily bypass URL reputation mechanisms and other security technologies, said Daniel Chechik, a senior researcher with M86 Security Labs.
“The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user’s machine,” Chechik wrote in the company’s blog.
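A site owner can check for the kind of artifact described above by auditing the uploads folder for HTML files. The script below is an added example, not code from M86 or WordPress. It assumes any `.html`/`.htm` file under the uploads directory deserves review and uses an illustrative, non-exhaustive pattern list; the sample tree and the `example.invalid` URL are constructed.

```python
import os
import re
import tempfile

# Constructs a static HTML page can use to send the browser elsewhere.
# Illustrative list (an assumption of this example), not exhaustive.
REDIRECT_PATTERNS = {
    "meta-refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
    "js-location": re.compile(
        r"(?:window|document|top|self)\.location(?:\.href)?\s*=(?!=)"
        r"|location\.(?:replace|assign)\s*\(", re.I),
    "iframe": re.compile(r"<iframe[^>]+src\s*=", re.I),
}
HTML_EXTENSIONS = {".html", ".htm"}

def scan_uploads(uploads_dir, max_bytes=1_000_000):
    """List every HTML file under uploads_dir with the redirect constructs found.

    Files with no match are still returned (empty list): media folders
    rarely need HTML, so the file's presence alone is worth a look.
    """
    findings = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HTML_EXTENSIONS:
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                text = fh.read(max_bytes).decode("utf-8", errors="replace")
            hits = sorted(k for k, rx in REDIRECT_PATTERNS.items() if rx.search(text))
            findings.append((os.path.relpath(path, uploads_dir), hits))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree in a temp dir and scan it."""
    samples = {  # constructed sample files, not taken from any real site
        ("2000", "01", "photo.jpg"): b"\xff\xd8\xff\xe0 constructed bytes",
        ("2000", "01", "index.html"): b'<html><meta http-equiv="refresh" '
                                      b'content="0;url=http://example.invalid/"></html>',
        ("2000", "01", "notes.htm"): b"<html><body>plain page</body></html>",
    }
    with tempfile.TemporaryDirectory() as uploads:
        os.makedirs(os.path.join(uploads, "2000", "01"))
        for parts, data in samples.items():
            with open(os.path.join(uploads, *parts), "wb") as fh:
                fh.write(data)
        return scan_uploads(uploads)

if __name__ == "__main__":
    for rel_path, hits in demo():
        print(rel_path, hits or "no redirect construct matched")
```

On a live site, point `scan_uploads` at the real uploads directory (typically `wp-content/uploads`) and compare the results against files the site's editors knowingly uploaded.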
A Phoenix phishing attack designed to lure victims into browsing to the malicious pages was detected by security vendor Websense.
The exploit page, according to M86, is hosted by a Russian domain.
Google Chrome users in the clear
Crimeware toolkits are a very popular way for people to conduct attacks without a lot of technical knowledge. M86 reported on the Siberia Exploit Kit, which was updated in 2010 to automate the process of making alternative variants of malware to dupe antivirus technologies. Users of Microsoft Internet Explorer commonly fall victim to the attacks, according to an analysis of a browser automated exploit kit called Eleonore.
Phoenix attacks Internet Explorer and Firefox users. M86 said users of Google Chrome were not targeted in this specific attack.