Once the criminals gain access, they inject a Web shell into an existing plugin by utilizing the Theme Editor. The shell is leveraged to create a subfolder to which a WordPress installation package is uploaded. After obtaining the MySQL credentials from the wp-config.php or configuration.php files, depending on whether the site is Joomla or WordPress-based, the attacker is able to install their own theme and make a fully operational Web site.
These sites represent "doorways" that point unsuspecting visitors to malicious domains. Experts discovered around 3,000 compromised Web sites that stored such doorway blogs. Reportedly, some of the blogs that advertise slimming and luxury goods were created in March 2012, but there were a few created 1 year ago. The hijacked sites also host phishing pages that try to trick users into disclosing online banking credentials and other sensitive data.