M86 Security Labs researchers came across around four hundred of these sites.
Using a clever strategy, the masterminds that run this scheme didn’t compromise the sites’ main page; instead they hid a malicious HTML page in the Uploads folder so it wouldn’t be detected too easily.
Since they’re using the compromised sites only to bypass URL reputation mechanisms, spam filters and other security policies, they’re not relying on regular users to visit the infected pages; instead they send out spam emails containing a link to the webpage that serves the exploit kit.
Websense described these emails not long ago, reporting that they’re designed to confuse the recipient and push them to click on the link without giving it too much thought.
“Hello! Look, I’ve received an unfamiliar bill, have you ordered anything? [LINK] Please reply as soon as possible, because the amount is large and they demand the payment urgently,” reads the malicious message.
Once the link is clicked, the user, who at this stage becomes a victim, is taken to the compromised site, which redirects to a Russian domain where the exploit is hosted.
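A defender-side check implied by the technique described above, added here as an example and not code from the article or from the researchers: a small Python scanner walks a WordPress uploads tree (the directory path is an assumption) and flags any non-media file, noting whether an HTML page there carries a meta-refresh, iframe or location redirect of the kind used to forward visitors to the exploit host. The sample tree it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Extensions that legitimately belong in wp-content/uploads (media only).
# Anything renderable or executable (HTML, PHP, JS) there deserves a look.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".mp4", ".mp3"}
ACTIVE_EXTENSIONS = {".html", ".htm", ".php", ".js"}

# Constructs whose only job in a hidden page is to forward the visitor elsewhere.
REDIRECT_PATTERNS = [
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I),
    re.compile(r'<iframe[^>]+src=', re.I),
    re.compile(r'(?:window\.)?location(?:\.href)?\s*=', re.I),
]


def scan_uploads(uploads_dir):
    """Return a sorted list of (relative path, reason) for suspicious files."""
    findings = []
    root = Path(uploads_dir)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in MEDIA_EXTENSIONS:
            continue
        reasons = [f"non-media file ({ext or 'no extension'}) in uploads"]
        if ext in ACTIVE_EXTENSIONS:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                text = ""
            if any(p.search(text) for p in REDIRECT_PATTERNS):
                reasons.append("contains redirect/iframe to another site")
        findings.append((str(path.relative_to(root)), "; ".join(reasons)))
    return sorted(findings)


def build_sample_uploads():
    """Constructed sample tree (placeholder URL): one photo and one hidden redirect page."""
    base = Path(tempfile.mkdtemp())
    (base / "2012" / "03").mkdir(parents=True)
    (base / "2012" / "03" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (base / "2012" / "03" / "bill.html").write_text(
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://placeholder.invalid/ek"></head></html>')
    return base


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_uploads()):
        print(f"{rel}: {reason}")
```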
The Phoenix Exploit Kit probes for vulnerabilities in Internet Explorer, Adobe Reader, Flash and Java, the applications that users most often fail to update.
An interesting observation made by the experts is that the exploit kit is not designed to target Google Chrome users. For no obvious reason, the source code is written in a way that makes sure those who use Chrome are excluded.
Security solutions providers are keeping close tabs on these malicious elements, but to make sure they’re protected, users are advised never to click on suspicious links that come in suspicious emails.