Select Page

Cyren Security Blog

284,000 WordPress sites hacked? Probably not.

This Amazon order confirmation email is a fake.

Every link leads to malware. Every link (there are 8 in this example – similar to this attack) leads to a different compromised WordPress site. And they all seem to be using one of the most common WordPress theme directory – check out the links:

  • http://maximconsulting.us/wp-content/themes/twentyten/—e.html
  • http://hampsteadelectrician.com/wp-content/themes/twentyten/—e.html
  • http://mormonwomenvoices.com/wp-content/themes/twentyten/—e.html
  • http://steppingstones-online.co.uk/wp-content/themes/twentyten/—e.html
  • etc.

Notice a trend? – The evil redirect html file (—e.html) is located in the “twentyten” theme directory of all of these sites – and all of the sites we checked in every other version of the phony Amazon order. A Google search tells us that there are 284,000 sites with a similar structure.

Of course this does not indicate an issue with the theme itself. Chances are that the exploit that has allowed hackers to take over these sites is in a plugin or maybe (less likely) the CMS itself. Using the “twentyten” directory is a safe bet for a hacking script since almost every WordPress installation will have it.

The malware targets known Adobe Reader and Acrobat exploits.

You might also like

Square Enix Phishing Campaign

From July 20 until August 16, 2021, Cyren observed a significant increase in the number of Square Enix phishing URLs. The campaign coincided with 14 days of free play announced by Square Enix on July 12, 2021. During this period, we detected a total of 47,076 URLs for...