The Black Hole exploit kit is really becoming a serious pain in the neck for people trying to use the Internet. At some point, it may become easier to start a list of the URLs that aren’t hosting the exploit kit, rather than the ones that are. For the time being, the latest entry in the latter category is a group of thousands of WordPress blogs that have been compromised and are now redirecting visitors to sites serving the Black Hole exploit kit.
The ongoing attack is using a combination of tactics to compromise the WordPress blogs. Researchers at Avast found that attackers have been using stolen or guessed FTP credentials on the servers that host the blogs in order to upload a malicious PHP file. That file will download other malicious code. The attackers also are exploiting a known vulnerability in the TimThumb image resizing utility used on many blogs to upload the malicious code.
Once the code is on a compromised site, it generates iframes as visitors hit the site, and those iframes redirect users to a remote site that is hosting the Black Hole kit.