
Fake antivirus exploit found on 30,000 (mostly WordPress) sites


A piece of malware that masquerades as antivirus software has been found on 200,000 web pages over 30,000 sites, many of them using WordPress software.


A piece of malware that masquerades as antivirus software has been found on 200,000 web pages or almost 30,000 unique sites, says computer security group Websense. The exploit, which mostly affects sites built with WordPress, places a short piece of injected code at the bottom of a page:

[Image: screenshot of the injected code]

When a user loads the page, they're redirected to a page in the .rr.nu top-level domain that mimics a Windows security scan, then asks them to download a malicious program to supposedly clear viruses from their computer. It's a scam that's been running in various forms for years, and Websense says it's been tracking this particular threat for several months.

Although the source of the malware is unknown, over 85 percent of the affected sites are from the United States, and Sucuri Security has traced many of the cases to old WordPress installs, weak passwords, or vulnerable and malicious plugins. The exploit isn't as widespread as something like DNSChanger, and so far the reports we've seen have been for smaller sites. However, for anyone who runs WordPress software, it's something to watch out for.
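One way a site owner could check rendered pages for this kind of injection, as an added example that is not code from Websense, Sucuri or the original article. It assumes the injected code is a `script` or `iframe` element whose URL points at a host under rr.nu; the sample page and its host name are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the injected element loads from a host under rr.nu, the zone the
# article names as the redirect destination. Extend the tuple as needed.
SUSPECT_ZONES = ("rr.nu",)

# Constructed sample of a rendered page; the host name is a placeholder.
SAMPLE_PAGE = """<html>
<head><script src="/wp-includes/js/jquery/jquery.js"></script></head>
<body>
<p>Post body</p>
<script src="https://notrr.nu/lib.js"></script>
</body>
</html>
<script src="http://constructed-host.rr.nu/placeholder"></script>
"""


class InjectionFinder(HTMLParser):
    """Collects (line, tag, host) for elements that load from a suspect zone."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src") or ""
        # urlparse handles absolute and protocol-relative (//host/path) URLs;
        # relative paths have no hostname and are skipped.
        host = (urlparse(src).hostname or "").lower().rstrip(".")
        # Match the zone itself or a true subdomain, so "notrr.nu" and
        # "rr.nu.example.com" are not flagged.
        if any(host == z or host.endswith("." + z) for z in SUSPECT_ZONES):
            self.hits.append((self.getpos()[0], tag, host))


def find_injections(html):
    """Return a list of (line number, tag, host) for suspect elements."""
    finder = InjectionFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for line, tag, host in find_injections(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads from {host}")
```

Run it against the HTML a visitor actually receives rather than the theme source, since the check parses markup and does not look inside inline script bodies.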