284,000 WordPress sites hacked? Probably not.


This Amazon order confirmation email is a fake.

Every link leads to malware.  Every link (there are 8 in this example – similar to this attack) leads to a different compromised WordPress site.  And they all seem to be using one of the most common WordPress theme directory – check out the links:

  • http://maximconsulting.us/wp-content/themes/twentyten/—e.html
  • http://hampsteadelectrician.com/wp-content/themes/twentyten/—e.html
  • http://mormonwomenvoices.com/wp-content/themes/twentyten/—e.html
  • http://steppingstones-online.co.uk/wp-content/themes/twentyten/—e.html
  • etc.

Notice a trend? – The evil redirect html file (—e.html) is located in the “twentyten” theme directory of all of these sites – and all of the sites we checked in every other version of the phony Amazon order.  A Google search tells us that there are 284,000 sites with a similar structure.

Of course this does not indicate an issue with the theme itself.  Chances are that the exploit that has allowed hackers to take over these sites is in a plugin or maybe (less likely) the CMS itself.  Using the “twentyten” directory is a safe bet for a hacking script since almost every WordPress installation will have it.

The malware targets known Adobe Reader and Acrobat exploits.


Go back