Hundreds of compromised WordPress and Joomla websites are serving up malware to visitors
Researchers see a spike in compromised domains attempting to deliver malicious payloads including Shade ransomware and phishing links
Websites built on two of the most popular content management systems used in publishing are being hacked and exploited to deliver ransomware and other malware to visitors.
Cyber criminals are exploiting vulnerabilities in plug-ins, themes and extensions on WordPress and Joomla sites and using them to serve up Shade ransomware and other malicious content.
Researchers at security company Zscaler have detailed how attackers are using a hidden directory on HTTPS websites for malicious purposes. This well-known directory is commonly used by website owners to prove ownership of the domain to a certificate authority, which scans it for a validation code to confirm that the domain is validated.
However, by using exploits to gain access to these hidden pages, attackers can use them to hide malware and other malicious content from website administrators.
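The article does not name the directory, but the location a certificate authority checks for a domain-validation file is the standard `/.well-known/` path (ACME http-01 tokens live under `.well-known/acme-challenge/`). Because a legitimate validation file is a short, token-named text file, anything else found there is worth a look. The script below is an added defender-side example, not code from the article or from Zscaler's analysis: it walks a web root's `.well-known` tree and flags files with script, page, archive or executable extensions, files whose first bytes look like PHP, HTML or a binary, and ACME challenge files whose names are not base64url tokens. The web root, the sample files and the function names are all constructed for the example.

```python
"""Audit a web root's /.well-known/ tree for files that do not look like
certificate-validation tokens. Added example; assumes the hidden directory
described in the article is /.well-known/, the standard location for ACME
http-01 and other CA validation files."""
import re
import tempfile
from pathlib import Path

# ACME http-01 challenge filenames are base64url tokens; anything else under
# acme-challenge/ was not written by a certificate client.
ACME_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# Extensions a validation directory should never contain: server-side scripts,
# web pages (phishing), archives and executables (ransomware droppers).
SUSPICIOUS_EXT = {".php", ".phtml", ".php5", ".html", ".htm", ".js", ".zip",
                  ".rar", ".exe", ".dll", ".scr", ".jar", ".vbs", ".ps1"}

# Content signatures checked regardless of the filename or extension.
SUSPICIOUS_MAGIC = (b"<?php", b"MZ", b"PK\x03\x04", b"<html", b"<script", b"\x7fELF")


def classify(path: Path) -> str:
    """Return 'ok' for a plausible validation file, otherwise a reason string."""
    if path.suffix.lower() in SUSPICIOUS_EXT:
        return "suspicious-extension"
    with path.open("rb") as fh:
        head = fh.read(64).lstrip().lower()
    for magic in SUSPICIOUS_MAGIC:
        if head.startswith(magic.lower()):
            return "suspicious-content"
    if path.parent.name == "acme-challenge" and not ACME_TOKEN_RE.match(path.name):
        return "unexpected-token-name"
    return "ok"


def audit_well_known(webroot: Path) -> dict[str, str]:
    """Walk <webroot>/.well-known and map each flagged file (path relative to
    the web root) to the reason it was flagged."""
    base = webroot / ".well-known"
    findings: dict[str, str] = {}
    if not base.is_dir():
        return findings
    for p in sorted(base.rglob("*")):
        if p.is_file():
            verdict = classify(p)
            if verdict != "ok":
                findings[str(p.relative_to(webroot))] = verdict
    return findings


def build_sample_webroot(root: Path) -> None:
    """Constructed sample tree: one legitimate ACME token plus three planted files."""
    acme = root / ".well-known" / "acme-challenge"
    acme.mkdir(parents=True)
    (acme / "gdB2jQ7X9kLmN0pQrStUvWxYz1234567890abcdefg").write_text("token.thumbprint")
    (acme / "index.php").write_text("<?php echo 1; ?>")          # planted script
    (acme / "login.html").write_text("<html>fake login</html>")  # planted phishing page
    pki = root / ".well-known" / "pki-validation"
    pki.mkdir()
    (pki / "update").write_bytes(b"MZ\x90\x00" + b"\0" * 60)    # PE header, no extension


def run_demo() -> dict[str, str]:
    """Build the constructed sample in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_webroot(root)
        return audit_well_known(root)


if __name__ == "__main__":
    for rel, why in run_demo().items():
        print(f"{why:24} {rel}")
```

Run `audit_well_known(Path("/var/www/html"))` against a real web root (or wire it into a cron job that alerts on a non-empty result); the legitimate token in the sample passes, while the script, the page and the extension-less PE file are all reported. Extension and magic-byte checks are deliberately independent so that a dropper renamed to look like a token is still caught by its first bytes.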
Over the past few weeks, researchers have spotted a spike in threats stowed away in the hidden directory, with Shade ransomware – also known as Troldesh – the most common threat deployed in this way.
Over 500 websites have been compromised and thousands of attempts have been made to drop ransomware, phishing links and other malicious content.
Meanwhile, phishing pages are hosted under SSL-validated hidden directories and pop up in an effort to fool the potential victim into handing over their usernames and passwords.
It's not known who is behind the cyber-criminal campaign, but Zscaler is working to inform the owners of the websites about the attacks. The full list of Indicators of Compromise is available in the analysis of the attack.