Cyphort Labs spotted a new Angler Exploit campaign that has already infected at least 19 websites.
The campaign uses the bootstrapcdn.org redirector to send users to malicious payloads hosted on .co.uk websites, according to a May 17 blog post.
Cyphort Senior Director Threat Operations Nick Bilogorskiy said in the post the campaign started on May 9 and primarily infected web-based forums but has also infected the website of a credit union in Texas and the site of remote desktop program.
It’s unclear how any of the sites were infected but researchers believe it may have been done via SQL injection or by compromising the FTP accounts of the sites and directly editing the HTML code, Bilogorskiy told SCMagazine.com, noting that it’s possible more sites have been impacted.
He said that several of the compromised forum sites ran VBulletin and attackers may have used vulnerabilities in the software to carry out the attacks.
“I think these websites were not targeted for any particular reason,” Bilogorskiy said. “They just happened to have weak security that allowed their compromise.”
To avoid infection, Bilogorskiy recommended users avoid infected websites, patch their browsers and applications and use a comprehensive security solution with behavioral detection.
Cyphort said it has reached out to the owners of the infected sites but has yet to hear back from them.