Most websites use a CMS (Content Management System) engine like Joomla or WordPress. The problem is that few engines are regularly updated by users because they can break custom themes and plug-ins.
Malwarebytes lead malware intelligence analyst Jerome Segura found that thousands (we venture millions) of CMS based websites had malicious code injected that creates pop-ups. The malicious code affects Joomla, WordPress, Squarespace, Open Journal and pretty well any home-grown CMS database driven system.
These pop-ups urge you to install the latest version of Adobe Flash Player, or update your browser, or offer some other entirely plausible reason to click on the pop-up. This, in turn, installs anything from malvertising to extremely bad malware.
The malware code is in a seemingly benign Dropbox folder
A visible symptom of an infection is a Dropbox link. It then uses WScript.Network and WMI to collect system information (BIOS, manufacturer, architecture, MAC address, processes, etc.) to decide to continue with the payload or end the script without delivering it.
If it proceeds, the malware loads into the %temp% folder. You may at this point be asked to allow it to make changes to the computer via a comprehensive Signature Information screen purporting to be from Microsoft or other reputable company. Again, a sure sign of infection.
Malwarebytes says it’s a complex piece of social engineering. You trust the site you are visiting, it looks like an official message and your antivirus/malware software has not detected an issue (because there is not one yet).
Malwarebytes has started to block known infected websites and command and control domains.
GadgetGuy’s take – malware is getting so much smarter. Now its CMS driven
This is a classic case of ‘whack-a-mole’ – the more you hit the mole, the more that pop-up. In fact, I read an interesting article that both the bad guys and the good guys are using Artifical Intelligence now to create and stop malware. Those with the best AI will win.
This is about ‘drive-by-shooting’ where an infected website loads some code to your PC that makes you think you need to do something. The answer is don’t do a damned thing.