Security experts found many compromised WordPress and Joomla Web sites being used by spammers to advertise sketchy diet pills and counterfeit luxury goods. The owners of these sites are most likely unaware of what is going on. Webmasters often fail to check their sites’ subdirectories for signs of malicious files and Web pages, which allows cybercriminals to use the domain’s reputation to host their scams. Attackers often brute-force administrator passwords to gain access to a site’s back end.
Once the criminals gain access, they use the Theme Editor to inject a Web shell into an existing plugin. The shell is then used to create a subfolder, to which a WordPress installation package is uploaded. After obtaining the MySQL credentials from wp-config.php (WordPress) or configuration.php (Joomla), the attacker is able to install their own theme and make a fully operational Web site.
These sites serve as "doorways" that point unsuspecting visitors to malicious domains. Experts discovered around 3,000 compromised Web sites hosting such doorway blogs. Reportedly, some of the blogs that advertise slimming and luxury goods were created in March 2012, but a few were created one year ago. The hijacked sites also host phishing pages that try to trick users into disclosing online banking credentials and other sensitive data.
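For a site owner, the subfolder installs described above are what a periodic check should look for. The following is an added example, not code from the original article: it walks a document root and reports any subdirectory that itself looks like a WordPress installation. The marker list, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Files that together indicate a WordPress installation directory.
WP_MARKERS = ("wp-config.php", "wp-login.php",
              os.path.join("wp-includes", "version.php"))

def find_nested_installs(docroot, min_markers=2):
    """Return [(relative_dir, [markers])] for WordPress installs below docroot.

    The docroot itself is skipped because the legitimate site lives there.
    Any further install in a subfolder is something the owner should be
    able to account for.
    """
    docroot = os.path.abspath(docroot)
    findings = []
    for current, dirs, _files in os.walk(docroot):  # symlinks are not followed
        if current == docroot:
            continue
        present = [m for m in WP_MARKERS
                   if os.path.isfile(os.path.join(current, m))]
        if len(present) >= min_markers:
            findings.append((os.path.relpath(current, docroot), present))
            dirs[:] = []  # do not descend into the install just reported
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample: a legitimate site plus one unexpected install."""
    layout = [
        "wp-config.php", "wp-login.php", "wp-includes/version.php",  # main site
        "wp-content/plugins/example-plugin/plugin.php",               # normal plugin
        "wp-content/uploads/2012/blog/wp-config.php",                 # nested install
        "wp-content/uploads/2012/blog/wp-login.php",
        "wp-content/uploads/2012/blog/wp-includes/version.php",
        "images/wp-login.php",                                        # single stray file
    ]
    for rel in layout:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, markers in find_nested_installs(root):
            print(f"unexpected WordPress install: {rel} ({', '.join(markers)})")
```

Running it with `min_markers=1` also surfaces single stray files such as a lone `wp-login.php`, at the cost of more noise on sites that legitimately keep backups in subfolders.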