WordPress, Joomla Sites Serve Scareware
The attackers seem to be using a tool that tries several Joomla and WordPress exploits to see if one works.
The SANS Institute's Internet Storm Center (ISC) is warning that several Joomla and WordPress Web sites appear to have been compromised and are hosting malicious iframes.
What's particularly interesting about this, the ISC's John Bambenek noted in a blog post, "is that it doesn't seem to be a scanner exploiting one vulnerability but some tool that's basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits."
"Joomla sites built with extensions were, in particular, being exploited, Bambenek said," writes Threatpost's Michael Mimoso. "The ISC report identified a pair of IP addresses, 220.127.116.11 and 18.104.22.168, as the biggest offenders. The exploits, Bambenek said, were loading scareware on victims’ computers."
"Fake antivirus threats display a fraudulent scanning result to intimidate users into 'purchasing' the fake antivirus program," writes The Next Web's Emil Protalinski. "The Fake AV malware family is being pushed in this case, which features variants for Windows XP, Windows Vista, Windows 7, and even Windows 8."
"It appears that the criminals have now started to cash in: they are using so-called Traffic redistribution systems that buy and sell web traffic, and bogus anti-virus software that urges users to buy a pro version, to convert the hijacked servers into hard cash," The H Open reports. "Both approaches are functional and widely used business models in the cyber underworld."
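A site normally runs only one CMS, so the behaviour Bambenek describes (one tool firing both Joomla and WordPress exploits at a server) shows up in access logs as a single client requesting paths from both families. The following is an added detection sketch, not code from the ISC or any of the quoted reports; the path patterns, the `min_paths` threshold and the constructed log lines (documentation-range IPs) are assumptions.

```python
import re
from collections import defaultdict

# Assumed path prefixes from default WordPress and Joomla layouts.
FAMILY_PATTERNS = {
    "wordpress": re.compile(r"^/(wp-login\.php|wp-admin/|wp-content/|xmlrpc\.php)"),
    "joomla": re.compile(r"^/(administrator/|components/com_|index\.php\?option=com_)"),
}
# Common/combined log format: client IP, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample log, not taken from any real incident.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 404 210',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/example/readme.txt HTTP/1.1" 404 210',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /administrator/index.php HTTP/1.1" 200 4312',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?option=com_example&view=x HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 404 210',
    '198.51.100.7 - - [01/Jan/2024:10:05:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 210',
    '203.0.113.5 - - [01/Jan/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def classify(path):
    """Return the CMS family a request path belongs to, or None."""
    for family, pattern in FAMILY_PATTERNS.items():
        if pattern.search(path):
            return family
    return None

def find_sprayers(lines, min_paths=4):
    """Return {ip: {family: [paths]}} for clients that probed every CMS family."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        family = classify(m["path"])
        if family:
            seen[m["ip"]][family].add(m["path"])
    flagged = {}
    for ip, fams in seen.items():
        distinct = sum(len(paths) for paths in fams.values())
        if len(fams) == len(FAMILY_PATTERNS) and distinct >= min_paths:
            flagged[ip] = {f: sorted(p) for f, p in fams.items()}
    return flagged

if __name__ == "__main__":
    for ip, fams in find_sprayers(SAMPLE_LOG).items():
        print(ip, fams)
```

A client that only touches one family (such as the second sample IP) is not flagged here; that pattern is ordinary single-CMS scanning and needs a different rule.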