A criminal group has seized control of 25,000 Unix servers since 2011, forcing them to send out more than 35 million malware-laden spam messages per day, according to security researchers at ESET.
ESET uncovered the campaign, which is codenamed Operation Windigo, during a joint operation with the German Bund Computer Emergency Response Team (CERT) and the Swedish National Infrastructure for Computing (SNIC) agency.
The attack reportedly used advanced malware designed to target the Unix servers. The malware let the hackers take control of the servers and use them to infect visitors to sites hosted on them with data-stealing code. The popular cPanel and Linux Foundation sites are confirmed victims of the Windigo hackers.
ESET security researcher Marc-Étienne Léveillé said: "Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control.
"Over 35 million spam messages are being sent every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements."
Léveillé added that the malware used reacts differently to Mac and Windows systems. Sites under Windigo's command reportedly only attempt to infect Windows machines and simply redirect Mac users to non-malicious dating sites and iPhone users to pornographic webpages.
Léveillé said the advanced nature of the malware means victims will have to wipe infected systems and reinstall their operating systems and software from scratch.
"We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks," he said.
"Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems – potentially putting more internet users in the firing line."
Using legitimate websites to spread malware is an increasingly common tactic within cyber criminal groups. Researchers at security firm Sucuri uncovered a similar campaign that had hijacked more than 162,000 legitimate WordPress sites earlier in March.