Thousands of hacked sites infect visitors' computers with malware



    It recently came to light that a group of attackers had compromised several thousand different websites, planting malicious code on their servers so that visitors' PCs would be infected when they opened a compromised site. The compromises are not new: the campaign was carefully disguised and had been running for at least a few months.

    Most of the affected sites ran on CMS platforms such as WordPress, Joomla and Squarespace. The incident was reported by security researcher Jerome Segura of Malwarebytes. By his account, the attackers were quite careful: infected sites showed visitors a message saying they needed to install an update for Firefox, Chrome or Flash.

    To avoid detection, any given IP address was served the fake notification no more than once. The notification templates were also hosted on the hacked sites themselves, so most of the content came from a legitimate domain that was not on any phishing or malware blocklist.

    Visitors who accepted the "update" and clicked the message received a malicious JavaScript file downloaded from Dropbox. The script then checked for signs of a virtual machine or sandbox, and only if it found none did it download the final payload, an executable signed with a valid digital certificate. (A valid signature proves only that the file was not altered after signing; it says nothing about the signer's intentions, so a signature alone should not be treated as a trust signal.)

    The tactic worked well. Few people found the notification suspicious (most users are not security specialists), so the malware infected thousands of systems. The JavaScript file was also obfuscated, which makes analysis by conventional means harder. Alongside it the attackers deployed the Chthonic banking trojan and a stripped-down build of NetSupport, which is normally a legitimate remote-administration tool that gives remote access to a user's system.


    [Image: what the fake browser "update" prompt looked like]

    Malwarebytes could not determine exactly how many websites the attackers had compromised. The company wrote a crawler that recognized the injection from certain indicators and reported hits; it found hundreds of infected WordPress and Joomla sites. You can check for yourself with this simple query. The malware distribution campaign is believed to have started no later than December 20 of last year. The attackers succeeded against sites whose server software or CMS had not been updated.

    The attack was well thought out, which is why it drew the attention of security researchers: the attackers managed to slip past many of the defenses that usually block this kind of attack.

    Incidentally, site owners sometimes "hack" their own sites. Some, for example, add cryptocurrency-mining code to earn a little money. This is called cryptojacking: covert cryptocurrency mining on the computers of site visitors. There would be nothing wrong with this way of earning money, if not for one "but".

    In most cases, visitors are simply not told that cryptocurrency will now be mined on their computers. Most striking of all, even owners of online stores, sites that by default should be free of third-party advertising or monetization schemes, install the Coinhive cryptojacking script. At the end of 2017, Coinhive was found on several thousand e-commerce sites.

    In fairness, many of those online stores were themselves hacked, and their owners know nothing about the cryptojacking. Moreover, a study by Willem de Groot showed that in 80% of cases these sites carried not only the Coinhive script but also skimming malware that copies the payment card details of the store's customers.
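The article mentions two things a site owner or researcher would want to automate: the Malwarebytes crawler that recognized infected WordPress and Joomla sites from certain indicators, and the Coinhive and skimmer checks from Willem de Groot's study. The scanner below is an added example, not Malwarebytes' crawler and not code from the page. Because the article does not publish the campaign's real injection markers, the fake-update indicators here (a browser or plugin name near the word "update", and a JavaScript stage hosted on Dropbox) are assumptions chosen for illustration; the Coinhive markers are the miner's own public library URL and API names. The sample pages are constructed, not captured from real sites.

```python
"""Heuristic scanner for injected fake browser-update prompts and the
Coinhive miner. Added example, not Malwarebytes' crawler.
Assumptions: the fake-update patterns are illustrative (the article does
not publish the real injection markers); sample pages are constructed."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Coinhive's public library URL fragment and API names.
COINHIVE_MARKERS = ("coinhive.min.js", "CoinHive.Anonymous", "CoinHive.User")
FAKE_UPDATE_PATTERNS = (
    # browser/plugin name within 40 characters of "update" (assumed wording)
    re.compile(r"(firefox|chrome|flash)[^<]{0,40}(update|upgrade)", re.I),
    # JavaScript stage hosted on Dropbox, as the article describes
    re.compile(r"""dropbox\.com/[^\s"']+\.js""", re.I),
)


class _ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # not None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


@dataclass
class Finding:
    kind: str    # "third-party-script", "coinhive" or "fake-update"
    detail: str  # the URL or the matched text


def scan_page(html, site_host, allowed_hosts=()):
    """Return Findings for one fetched page. site_host is the host the page
    came from; allowed_hosts are third-party script hosts the owner uses."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host != site_host and host not in allowed_hosts:
            findings.append(Finding("third-party-script", src))
        if any(m.lower() in src.lower() for m in COINHIVE_MARKERS):
            findings.append(Finding("coinhive", src))
    for body in parser.inline:
        if any(m in body for m in COINHIVE_MARKERS):
            findings.append(Finding("coinhive", body.strip()[:60]))
        for rx in FAKE_UPDATE_PATTERNS:
            hit = rx.search(body)
            if hit:
                findings.append(Finding("fake-update", hit.group(0)))
    # The prompt may also be injected as plain markup rather than built by script.
    markup = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    hit = FAKE_UPDATE_PATTERNS[0].search(markup)
    if hit:
        findings.append(Finding("fake-update", hit.group(0)))
    return findings


def scan_sites(pages, allowed_hosts=()):
    """pages: {site_host: html}. Returns {site_host: sorted finding kinds}."""
    return {h: sorted({f.kind for f in scan_page(html, h, allowed_hosts)})
            for h, html in pages.items()}


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = ('<html><head><script src="/js/app.js"></script></head>'
              '<body><h1>Shop</h1></body></html>')
COINHIVE_PAGE = (
    '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    "<script>var miner = new CoinHive.Anonymous('SITE_KEY'); miner.start();</script>"
    '</head><body><h1>Shop</h1></body></html>')
FAKE_UPDATE_PAGE = (
    '<html><body><h1>Blog</h1><script>'
    'var u = "https://www.dropbox.com/s/abc123/update.js?dl=1";'
    "document.body.innerHTML += '<div class=\"upd\">Your Firefox browser needs "
    "a critical update. Install now.</div>';"
    '</script></body></html>')

if __name__ == "__main__":
    sample = {"shop.example": COINHIVE_PAGE, "blog.example": FAKE_UPDATE_PAGE,
              "clean.example": CLEAN_PAGE}
    for host, kinds in scan_sites(sample).items():
        print(host, kinds or "clean")
```

In practice the `html` argument would come from fetching each site in a list, and `allowed_hosts` would hold the CDN and analytics hosts the owner knowingly uses, so that only unexpected third-party script loads are flagged. A hit is a lead, not proof: the once-per-IP gating described above means a second fetch of the same page may not show the prompt at all, so a clean result from a single request does not clear a site.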
