The campaign is named after the domain used by the attackers, Sucuri Founder and CTO Daniel Cid said in a July 6 Sucuri blog post.
Once a site is infected, the malware redirects victims to the Neutrino Exploit kit, which attempts to exploit the user’s browser, using either browser-specific or Flash and PDF reader vulnerabilities, to deliver the CryptXXX ransomware.
Researchers have seen an influx of new compromised sites every day over the last two weeks.
Using limited resources, researchers were able to detect 2,000 sites that have been infected over the last two weeks; however, researchers assume the real number of infected sites is at least 10,000, according to the post.
Researchers said 60 percent of the affected websites are running outdated Joomla and WordPress software and that 90 percent of sites are on a CMS that researchers were able to fingerprint.
“From this data I would say that the attacker is likely targeting a common vulnerabilities across either platform, and the updated instances are likely residual effects of being in the same environment,” Cid said.
On July 3, Google started blacklisting sites with the realstatistics[.]pro code, but by then bad guys had managed to infect a security site.
Cid said the PCI Policy Portal has been infected for days and has since been blacklisted by both Google and Norton.
Researchers recommend that owners of at-risk sites clean up their sites and patch any issues that might contribute to the attack vector.