Extendoffice.com has fixed a security hole in its site that was redirecting thousands of users to the Angler exploit kit which was dropping TeslaCrypt ransomware.
The site, which sells add-on software for Microsoft Office, is ranked in Alexa's top 10,000 globally and sits at around 5500 in the US, meaning it has millions of visitors.
According to the Trustwave SpiderLabs team blog, the site was built on Joomla 3.4.3 which is vulnerable to CVE-2015-8562 "Object Injection Remote Command Execution" – a vulnerability that was exploited in the wild as a zero-day before it was patched in December 2015 with the release of version 3.4.6 of Joomla.
The writers of the code used some clever tricks to make the code run in Internet Explorer, the primary target of Angler, but not FireFox.
Kogan said that a quick reference to VirusTotal found that apart from Trustwave, the vulnerability had not been identified by any of the other 66 companies listed.
Trustwave said it notified Extendoffice and its hosting company of the problem but heard nothing back. However, yesterday, the malware had been cleaned from the site.