According to Internet Storm Center, Joomla and WordPress sites are targeted and malicious iFrames are being hosted. The ISC notes that servers hosting such sites are not being targeted through any specific vulnerability but, some kind of tool is being used to fire a bunch of exploits with a hope that something hits the bull’s-eye.
“…it doesn't seem to be a scanner exploiting one vulnerability but some tool that's basically firing a bunch of Joomla and Wordpress exploits at a given server and hoping something hits”, states ISC.
Once exploited these servers are in turn infecting users’ systems with fake AV software through the use of an exploit kit. The URLs ending with /nighttrend.cgi?8 as noted by ISC, have been known to serve such malware. A couple of IP addresses 220.127.116.11 and 18.104.22.168 have been also identified as culprits as of now.
Use if traffic distribution system has also been noticed whereby iframes are being redirected to IPs hosting the exploit kit through the Sutra Traffic Distribution System. Symantec wrote about such attacks back in 2011 whereby it noted that even though TDS was an old concept, such systems are being increasingly used to not only buy and sell web traffic but, also deliver exploits.