Malwarebytes researchers have identified a new pattern in attacks on Joomla sites. Compromised sites have a link injected into them that appears to load social sharing buttons, but actually delivers malware to users' computers using the Angler exploit kit. In this blog post, we'll look at how the attack works, what makes it unique, and how to check whether your site is affected.
1) A Joomla site has to be compromised by hackers in order to implement the attack. This is typically done by attacking a Joomla installation that is not up to date and has known vulnerabilities or by guessing the administrator password.
Jerome Segura of Malwarebytes noted, "If you are a website owner, it is critical that you maintain your platform up-to-date to avoid being used as a springboard for malware. All cases we saw with this campaign were sites that were outdated and breached via automated attacks."
4) In the example, the Malwarebytes researchers listed the effect of the attack as delivering malware that initiated ad fraud, where compromised visitor computers are used to manipulate online advertisement impressions and clicks. The goal of this is typically to either run up the ad costs of competitors or to make it appear as if certain advertising campaigns are doing better than they actually are. However, this is just one of a variety of possible nasty effects that a visitor who is hacked through the Joomla site might experience.
This attack is noteworthy for a couple of reasons:
As you can see, this is a very sneaky way to sabotage a Joomla site in order to harm its users.
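One way to check a page for an injected script of the kind described above, as an added example that is not from the original post or the cited research: it lists every host a page loads scripts from and flags those missing from an allowlist. The hostnames, the allowlist and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site's own host and the hosts it is meant to load scripts from.
SITE_HOST = "www.example.org"
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def unexpected_script_hosts(html, site_host=SITE_HOST, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return sorted (host, src) pairs for scripts loaded from hosts not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Protocol-relative URLs (//host/path) carry a host; relative paths
        # have none and resolve to the site itself.
        host = (urlparse(src).hostname or site_host).lower()
        if host not in allowed:
            findings.append((host, src))
    return sorted(findings)


# Constructed sample page: two expected scripts and one unexpected script
# presented as a social sharing widget (placeholder host under .invalid).
SAMPLE_PAGE = """
<html><head>
<script src="/media/system/js/core.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="//social-buttons.invalid/widget.js"></script>
</head><body>Hello</body></html>
"""

if __name__ == "__main__":
    for host, src in unexpected_script_hosts(SAMPLE_PAGE):
        print(f"unexpected script host: {host} ({src})")
```

Build the allowlist from the script hosts your templates and extensions are meant to load; a flagged host is a lead to investigate, not proof of compromise.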
If you discover your site has been compromised, it's worth reviewing the article posted by Malwarebytes, Fake Social Button Plug-In Redirects to Angler EK, for more information. Additionally, our guide on How to Fix a Hacked Joomla Site is a good resource to get started in recovering from this attack.
This kind of attack is being executed not only on Joomla sites, but on WordPress sites as well. At some point in using the Internet, you are likely to come across a compromised site that is trying to implement a similar attack. The best defense is to have up-to-date software and common security applications installed (antivirus, firewall, etc.). There are several popular vendors for this type of software, and a simple web search will provide you with lots of options (including Malwarebytes).