From PCWorld India
The MO is to target, compromise and harvest legitimate WordPress sites using bought-in credentials, even exploiting newsletters from these sites to spread drive-by malware links. From this, users with vulnerable browsers or software (Java, Reader, Flash) of the sort that can be hit by exploit kits have their machines infected using droppers in chosen geographical locations.
What the attackers are after is online banking logins, which form half the business, and PCs that can be sold on to other criminals as compromised machines inside interesting organisations. These can also then be used as proxies for third-party attacks.
They seem keen to protect this nice little business, going to some lengths to regenerate different pieces of the attack chain every time anti-virus engines have started to detect it.