Thousands of WordPress sites sucked into BlackHole

News by Darren Pauli

Researchers have discovered a spike in malware infecting thousands of WordPress websites that use a popular image tool.

The attacks came to light after French media outlet The Poitou-Charentes Journal began hosting malicious code on its WordPress site.

Avast senior researcher Jan Sirmer found attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the site.

The attack used the BlackHole exploit kit, which redirected the website's visitors to an external malware-hosting site.

Researchers detected an additional 3,500 unique infected WordPress sites, which redirected visitors to malicious sites between 28 and 31 August. Sirmer said that during September, the company blocked redirects from 2,515 WordPress sites and some 151,000 users had been hit with the malicious redirect from other compromised WordPress sites.

“I expect October results will be similar,” Sirmer said. “The Poitou-Charentes Journal is just one part of a much bigger attack. These compromised sites are part of a network which redirected vulnerable users to sites distributing an array of malware.”

The vulnerability in the TimThumb resizer, identified in August, exists in the way the tool fetches images from websites such as Flickr and Photobucket. The utility runs only a partial check on host names, meaning hackers can upload arbitrary PHP code to the tool's cache directory and execute it.

Sirmer recommended WordPress sites employ strong login credentials. A fix is available for the TimThumb tool.
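
The partial host-name check described above, shown beside a stricter one, as an added example that is not TimThumb's own code. It assumes the partial check was a substring match against an allow-list; the function names, the allow-list and the sample URLs (all on reserved example domains) are constructed for illustration.

```php
<?php
// Added illustration, not TimThumb source. Allow-list and URLs are constructed.
const ALLOWED_HOSTS = ['flickr.com', 'photobucket.com'];

// Partial check (assumed form): passes when an allowed name appears
// anywhere inside the host, so look-alike hosts are accepted.
function partial_host_check(string $url): bool
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach (ALLOWED_HOSTS as $allowed) {
        if ($host !== '' && strpos($host, $allowed) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check: http/https only, and the host must equal an allowed name
// or end with "." followed by that name (a true subdomain).
function strict_host_check(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach (ALLOWED_HOSTS as $allowed) {
        $suffix = '.' . $allowed;
        if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs: one genuine subdomain, three that must be refused.
$samples = [
    'http://farm1.flickr.com/photo.jpg',
    'http://flickr.com.example.net/photo.php',
    'http://notphotobucket.com.example.org/x.php',
    'ftp://flickr.com/photo.jpg',
];
foreach ($samples as $url) {
    printf("%-45s partial=%-5s strict=%s\n", $url,
        var_export(partial_host_check($url), true),
        var_export(strict_host_check($url), true));
}
```

A strict host check narrows where content can be fetched from; storing fetched files under a non-executable name and outside any directory the web server will run PHP from covers the case where an allowed host itself serves bad content.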

