According to Andrew Brandt, a security researcher with the firm, a number of sites have been hit with a wave of attacks that surreptitiously infect unsuspecting visitors with a wide variety of malware types.
The first wave, he says, inflicted rogue anti-virus code on unlucky victims, but late last week victims who visited infected sites were redirected into a drive-by download portal that pushes clickers – internet users who click on an attractive link when they see it – onto a vulnerable visitor's computer.
"The affected web sites have been modified to add malicious, obfuscated Javascript code to the footer of each page", said Brandt, adding that some web hosts are trying to notify customers or fix the problems.
"At first, the problem affected sites that run the open-source WordPress publishing system, but the attack has broadened into non-WordPress sites. The gobbledygook Javascript opens an iframe hosted from a different site, and the code that loads inside that iframe redirects the victim's browser to yet another site, which loads the infection and executes it", he explained in a security blog.
Brandt went on to say that, in the earlier attacks that began the week of April 5th, the malicious script directed victims to a page hosting the Eleonore exploit kit.
The kit, he explained, uses several well-worn methods to try to push executable malware at susceptible browsers, or computers running vulnerable versions of Adobe Acrobat or the Java Runtime Engine.
Those attacks, says the Webroot researcher, originated from several domains – including corpadsinc.com, mainnetsoll.com, and networkads.net – all of which are hosted on the same IP address in Turkey, and are still live and hosting the exploit page.
But last week the script began directing users into a page on the domain name yahoo-statistic.com, a site which, despite its name, has nothing at all to do with the giant portal. That page, which loads in an iframe, opens other malicious sites which push the infection", he said.
Brandt asserts that the list of affected sites is global, including a newspaper in Florida; the English-language page of a government's Ministry of Women's Affairs site; and the site of a Spanish lawyer's association.
According to Brandt,, clickers are an odd sort of adware in that they don't actually display the ads they load on the infected computer.
"Selling you junk you don't need is not in the business plan. Instead, a clicker simply loads dozens to hundreds of web pages per minute silently, in the background, in an attempt to manufacture fraudulent 'clicks' on online ads", he said.
"Criminals can make money for themselves by signing up as advertising affiliates, then using the clickers to drive infected machines to load their pay-per-click ads. Unscrupulous companies also can use clickers to load the ads from a competitor company, which can prematurely expend the victim company's pay-per-click ad budget", he added.
The Webroot researcher says that there is good reason to get rid of clickers quickly, as they have a nasty habit of 'casually' visiting websites hosting other drive-by download exploits, which can force even more malware onto an already infected computer.
"They also consume a tremendous amount of bandwidth in the furtherance of their activities, which can slow to a crawl an infected PC's ability to surf the web", he said.