WordPress Flaw Leads Readers Digest Fans to Angler EK

Security researchers are warning of a spike in WordPress compromises designed to load the notorious Angler Exploit Kit.

Malwarebytes senior security researcher, Jérôme Segura, explained in a blog post that Readers Digest is one of the high profile victims of the attack campaign.

“The attack consists of a malicious script injected within compromised WordPress sites that launches another URL whose final purpose is to load the Angler exploit kit,” he continued.

“Site owners that have been affected should keep in mind that those injected scripts/URLs will vary over time, although they are all using the same pattern (see IOCs below for some examples).”

He urged netizens who have visited the Readers Digest site recently to check that they haven’t been infected.

“The payload we observed at the time of capture was Bedep, which loaded Recurs, a backdoor Trojan, but that of course can change from day to day,” explained Segura.

Unfortunately Malwarebytes hadn’t received any feedback from the publisher, despite claiming to have contacted it several days before publishing the blog post.

The news comes around a month after the firm warned of another campaign targeted at WordPress sites linked to the Angler EK.

The blog of UK newspaper The Independent was among the sites affected.

“The attack involves conditionally embedded large snippets of code at the bottom of the sites’ source page,” wrote Segura at the time.

“It is important to stress this is a conditional injection because webmasters trying to identify the issue may not see it unless they browse from a fresh IP address and a particular user-agent (Internet Explorer being the most likely to get hit).”

The code in question loads a Flash video file designed to redirect users to Angler EK—a similar attack pattern to that apparently observed by Malwarebytes a year ago.

WordPress is frequently targeted by hackers because it provides a good RoI for attackers looking to reach as wide a group of potential victims as possible.

Photo © Rawpixel.com

What’s Hot on Infosecurity Magazine?