Blackhats Unleash Fake Blog Campaign Spreading Rogue AV


In September, eSoft reported as many as 720,000 compromised sites hosting fake blog pages that were being used to distribute rogue anti-virus programmes. Many of these sites are still active and continue to plague search results with malicious links.

Earlier today, Cyveillance issued a report of a nearly identical attack involving over 260,000 dangerous URLs, prompting eSoft's Threat Prevention Team to revisit this threat.

Between the URLs newly reported by Cyveillance and additional URLs discovered by eSoft, there are now well over 800,000 active URLs matching this pattern. Surprisingly, Google flags only a small portion of these sites as malicious.

The key to this scheme is JavaScript uploaded to the compromised server and used by the fake blog pages. Because the redirection logic lives in that script rather than in the pages themselves, the attackers can quickly and easily change distribution points and payloads without touching the pages. The current payloads have low detection rates among AV scanners.
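The following is an added triage example, not code from eSoft, Cyveillance or the report above. It shows the mechanism described in the paragraph from the responder's side: a page on a compromised host loads a script from the same host, and that script sends visitors off-site to whatever distribution point the attacker has configured. The scanner inventories the page's locally hosted scripts and reports any that navigate to a different host. All hostnames, paths and script bodies are constructed for the example; the report does not publish the actual URLs or scripts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# --- Constructed sample input (hypothetical hosts and paths, not from the report) ---
SITE_ORIGIN = "http://compromised.example"

PAGE_HTML = """<html><head><title>Latest News</title>
<script src="/blog/js/jquery.min.js"></script>
<script src="/blog/js/stats.js"></script>
<script src="http://cdn.example/widget.js"></script>
</head><body><h1>Latest News</h1><p>keyword-stuffed fake post ...</p></body></html>"""

# Bodies of the scripts hosted on the compromised server, keyed by path.
# stats.js is the constructed redirector: it only fires for search-engine
# referrals and reads its destination from a variable, so swapping the
# distribution point means editing one string in one file.
LOCAL_SCRIPTS = {
    "/blog/js/jquery.min.js": "window.jQuery = window.jQuery || {};",
    "/blog/js/stats.js": (
        'var u = "http://scan-now.example/scan/?id=17";\n'
        'if (document.referrer.indexOf("google.") != -1) { window.location.href = u; }\n'
    ),
}


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def local_script_paths(html, origin):
    """Return the paths of scripts the page loads from its own host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    own_host = urlparse(origin).netloc
    paths = []
    for src in parser.srcs:
        url = urlparse(urljoin(origin, src))
        if url.netloc == own_host:
            paths.append(url.path)
    return paths


# `var name = "literal"` assignments, used to resolve simple indirection.
VAR_RE = re.compile(r'\bvar\s+(\w+)\s*=\s*["\']([^"\']*)["\']')
# location assignments and location.replace()/assign() calls; the RHS is
# either a quoted literal or a bare identifier.
LOC_RE = re.compile(
    r'(?:(?:window|document|top|self)\.)?location(?:\.href)?\s*'
    r'(?:=|\.(?:replace|assign)\s*\()\s*(["\'][^"\']*["\']|\w+)'
)


def redirect_targets(js):
    """Return the URLs a script navigates to, resolving one level of variables."""
    consts = dict(VAR_RE.findall(js))
    targets = []
    for token in LOC_RE.findall(js):
        if token[0] in "\"'":
            targets.append(token[1:-1])
        elif token in consts:
            targets.append(consts[token])
    return targets


def find_external_redirects(html, origin, fetch):
    """For each locally hosted script, report redirects that leave the site's host."""
    own_host = urlparse(origin).netloc
    hits = []
    for path in local_script_paths(html, origin):
        for target in redirect_targets(fetch(path)):
            if urlparse(urljoin(origin, target)).netloc != own_host:
                hits.append((path, target))
    return hits


def triage_sample():
    """Run the scanner over the constructed page and script bodies."""
    return find_external_redirects(PAGE_HTML, SITE_ORIGIN, LOCAL_SCRIPTS.__getitem__)


if __name__ == "__main__":
    for path, target in triage_sample():
        print(f"{path} redirects visitors off-site to {target}")
```

In a real sweep the `fetch` callback would retrieve each script over HTTP with a search-engine referrer set, since the constructed redirector (like many observed in the wild) only fires for visitors arriving from a search. The scanner deliberately ignores third-party script includes: the point of this campaign is that the redirector sits on the compromised host itself, so that is where to look first.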

The eSoft Threat Prevention Team is tracking this threat and classifying the associated domains into the appropriate security categories. More information on this threat can be obtained on the eSoft ThreatCenter Blog.
