Recent analysis shows that cybercriminals are using out-of-date CMSs, usually WordPress and Joomla websites, to hijack web traffic and redirect users to rogue websites hosting the Neutrino exploit kit, which infects victims with the CryptXXX ransomware.
The data provided by the web security company Sucuri states that the latest campaign, called Realstatistics, has been raging for the past couple of weeks, with at least 100 newly infected websites detected every day. The company says it has detected at least 2,000 websites affected by the campaign. Since this data comes only from sites using the Sucuri site checker, the real number could be even higher; according to Daniel Cid, founder and CTO of Sucuri, it could be five times bigger.
Looking at the infected systems, Cid says that around 90% of those websites are running some sort of CMS platform, and that WordPress and Joomla together account for 60% of that total. Judging by the CMS version numbers, the attackers do not seem to be leveraging a core vulnerability, since up-to-date websites are also compromised; the creators of Realstatistics are therefore probably exploiting vulnerabilities in plugins to hack these websites.
The name Realstatistics comes from the realstatistics[.]info and realstatistics[.]pro domains used in the campaign. The attackers compromise these websites and add a malicious JavaScript file loaded from one of these two domains. Currently only the latter domain is active; it has been deployed on hijacked sites since July 1.
The rogue script diverts incoming traffic, redirecting users to another URL hosting the Neutrino exploit kit. There, using Flash or PDF Reader vulnerabilities, the exploit kit pushes the CryptXXX ransomware onto PCs running out-of-date and vulnerable versions of that software.
The good news is that Google has started detecting the malicious code added to these websites and has begun flagging infected domains. Users who want to check their websites can use Sucuri SiteCheck, or they can look for the malware script tag (script language="JavaScript" src="http://realstatistics[.]pro[/]js/analytic.php?id=4") in their website's source code.
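As an added example (not from the article, Sucuri or Google), here is a small scanner a site owner could run over a web root to find the injected script tag described above. It matches script tags whose src points at either of the two domains named in the article, tolerating different quoting and attribute order; the sample page is constructed.

```python
import re
from pathlib import Path

# Matches a script tag loading from realstatistics.info or realstatistics.pro,
# the two domains named in the article. Attribute order, quote style
# (", ' or none) and an extra `language` attribute are all tolerated.
_SCRIPT_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//(?:www\.)?"
    r"realstatistics\.(?:info|pro)/[^'\" >]*",
    re.IGNORECASE,
)


def find_injected_scripts(html: str):
    """Return (line_number, matched_fragment) for every script tag in `html`
    that loads from a Realstatistics domain; empty list if the page is clean."""
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in _SCRIPT_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def scan_tree(root: str, suffixes=(".html", ".htm", ".php", ".js")):
    """Walk a web root and map each affected file to its list of hits.
    Files that cannot be read are skipped rather than aborting the scan."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = find_injected_scripts(text)
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample page: a legitimate script plus the tag quoted in the article.
SAMPLE_PAGE = """<html><head>
<script src="/assets/app.js"></script>
<script language="JavaScript" src="http://realstatistics.pro/js/analytic.php?id=4"></script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for lineno, fragment in find_injected_scripts(SAMPLE_PAGE):
        print(f"line {lineno}: {fragment}")
```

Run it against a copy of the site files rather than the live document root, and treat any hit as a sign that the whole site, not just that file, needs to be reviewed and its plugins updated.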