Web Reconnaissance Attack Infects 3,500 Websites, Possibly WordPress

Share this…

Attackers are adding unauthorized code at the top of infected websites, over 3,500 8sites already infected.

Alarms are ringing in Symantec’s offices, as its research team has discovered a massive Web injection campaign that’s currently infecting Web servers around the Internet.

According to telemetry data received from Symantec security products, the company’s staff has identified a common pattern in the source code of many websites.

Since the beginning of the year, unknown attackers have started adding the same piece of JavaScript code to multiple websites that should not be connected in any way.

Symantec estimates this number to be around 3,500, with over 75% hosted in the US, and the rest in India, the UK, Italy, Japan, France, Canada, Russia, Brazil, and Australia. Most of the infected websites belong to private businesses, educational institutes, and government websites.

Automated scripts help attackers exploit the infected sites

“More than likely the attackers are using automated scripts to scan these websites so they can automatically exploit bugs and possibly inject malicious HTML code into the vulnerable sites,” explained Christian Tripputi, Security Response Manager for Symantec.

The unauthorized code added at the top of the websites is not malicious, but Symantec says it’s collecting private data on visitors, like user IP, page title, page URL, URL referral, Flash version, user language settings, and screen resolution.

The most simple explanation is that attackers are currently in the attack’s early stage where they’re collecting data on website visitors, which they will later use to select the appropriate attack type for each infected site’s visitors base.

It would be extremely easy for attackers to replace the current unauthorized code with something more malicious that redirects users to an exploit kit, and from there, deliver banking trojans, adware or ransomware.

Is WordPress the victim?

Symantec said that the unauthorized code exploited only one “common content management system.” In Symantec’s security advisory, the company mentioned WordPress, but we could not determine if it was used as an example or WordPress was referred to specifically because of this current campaign.

Taking into account the huge collection of security vulnerabilities available in past WordPress cores, plugins, and custom themes, along with the fact that the WordPress market is still very much fragmented, the CMS does look like the prime subject. Being used on more than a quarter of the Internet also makes WordPress an attractive target for hackers.

Softpedia has contacted Symantec for more details and to confirm our WordPress suspicion.

Detection timeline for this mass Web injection campaign

Detection timeline for this mass Web injection campaign