Over the past week we have seen a new Blackhat SEO technique emerge to exploit vulnerabilities in the popular WordPress blog software. Two of the sites we identified were TheWorkBuzz.com, a website owned and operated by Career Builder (CareerBuilder.com), and The Center for International Media Assistance, an initiative of the National Endowment for Democracy (NED.org). Just like last week’s attack against Ford Motor, these scams work by misleading search engines to falsely promote malicious pages to the top of the search results. When a user visits one of the malicious sites, they are duped into downloading fake antivirus software.
Both attacks involve a vulnerability in an older version of WordPress, which allows the /wp-includes/ folder of the software to house thousands of malicious redirectors. Exact details of the specific vulnerability are not yet known, but we have contacted both site owners and the security team at WordPress to get clarification.
In the first case involving the Center for International Media Assistance website, we uncovered over 13,330 words used in the Blackhat SEO attack. We took all the terms and threw them into a Tag Cloud generator to see how they were targeting the CIMA viewers. Here’s what we found:
Song – Appeared 1303 times
Software – Appeared 879 times
Free – Appeared 244 times
Lyrics – Appeared 210 times
Cyber-criminals have chosen Rogue Anti-Malware as their primary method of payment because it has become easier for them to make money by affiliate systems and utilizing these types of attacks. It’s no wonder why we have seen more Rogue detections in the first quarter of 2009 then all of 2008. As you can see from the chart below, PandaLabs predicts that incidents of rogue AV scams will grow 100 percent quarter over quarter through the end of Q3.
Remember, It's just as important to update your web applications as it is to update your operating system. If you use WordPress as a platform for your blog or website, then I recommend viewing the official hardening guide.