Some Amazon order confirmation emails have been reported as fakes.
Every link leads to malware. Every link (there are 8 in this example, similar to this attack) leads to a different compromised WordPress site. And they all seem to be using one of the most common WordPress theme directories. Check out the links:
- http://maximconsulting.us/wp-content/themes/twentyten/—e.html
- http://hampsteadelectrician.com/wp-content/themes/twentyten/—e.html
- http://mormonwomenvoices.com/wp-content/themes/twentyten/—e.html
- http://steppingstones-online.co.uk/wp-content/themes/twentyten/—e.html
- etc.
Notice a trend? The evil redirect HTML file (—e.html) is located in the “twentyten” theme directory of all of these sites, and of all the sites we checked in every other version of the phony Amazon order. A Google search tells us that there are 284,000 sites with a similar structure.
Of course this does not indicate an issue with the theme itself. Chances are that the exploit that has allowed hackers to take over these sites is in a plugin or maybe (less likely) the CMS itself. Using the “twentyten” directory is a safe bet for a hacking script since almost every WordPress installation will have it.
The malware uses known Adobe Reader and Acrobat exploits.
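The link pattern described above (one HTML file name inside a theme directory, repeated across different hosts in a single message) can be checked at a mail gateway. The following is an added example, not code from the original post; the function names, the `min_hosts` threshold, the file name `order.html` and the `.example` hosts are all constructed assumptions.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A static .html/.htm file sitting directly in a WordPress theme directory.
THEME_HTML = re.compile(r"^/wp-content/themes/([^/]+)/([^/]+\.html?)$", re.I)

class _Hrefs(HTMLParser):
    """Collects the href of every <a> tag in a message body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def theme_dir_links(html_body):
    """Map (theme, filename) -> set of hosts linked with that theme path."""
    parser = _Hrefs()
    parser.feed(html_body)
    hits = defaultdict(set)
    for href in parser.hrefs:
        url = urlsplit(href.strip())
        m = THEME_HTML.match(url.path)
        if url.scheme in ("http", "https") and url.hostname and m:
            hits[(m.group(1).lower(), m.group(2))].add(url.hostname.lower())
    return hits

def is_suspicious(html_body, min_hosts=2):
    """True when one theme-directory file name is linked on >= min_hosts hosts."""
    return any(len(h) >= min_hosts for h in theme_dir_links(html_body).values())

# Constructed sample bodies (hosts are reserved .example names, not real sites).
SAMPLE_FAKE = """
<a href="http://site-a.example/wp-content/themes/twentyten/order.html">Order details</a>
<a href="http://site-b.example/wp-content/themes/twentyten/order.html">Your account</a>
<a href="http://site-c.example/wp-content/themes/twentyten/order.html">Help</a>
"""
SAMPLE_CLEAN = """
<a href="https://shop.example/orders/123">Order details</a>
<a href="https://blog.example/wp-content/themes/twentyten/style.css">css</a>
"""

if __name__ == "__main__":
    for name, body in (("fake", SAMPLE_FAKE), ("clean", SAMPLE_CLEAN)):
        print(name, is_suspicious(body), dict(theme_dir_links(body)))
```

A single link to a theme-directory HTML file does not trip the check; the signal is the same path recurring on unrelated hosts within one message.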