{"id":13400,"date":"2018-09-20T10:10:05","date_gmt":"2018-09-20T18:10:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/09\/20\/news-7167\/"},"modified":"2018-09-20T10:10:05","modified_gmt":"2018-09-20T18:10:05","slug":"news-7167","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/09\/20\/news-7167\/","title":{"rendered":"Mass WordPress compromises redirect to tech support scams"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 20 Sep 2018 17:42:47 +0000<\/strong><\/p>\n

Content Management Systems (CMSes) such as WordPress, Drupal, or Joomla are under a constant barrage of fire. Earlier this year, we detailed several waves of attacks against Drupal, also known as Drupalgeddon<\/a>, pushing browser-based miners and various social engineering threats.<\/p>\n

During the past few days, our crawlers have been catching a larger-than-usual number of WordPress sites being hijacked. One of the most visible client-side payloads we see are redirections to tech support scam pages. Digging deeper, we found that this is part of a series of attacks that have compromised thousands of WordPress sites since early September.<\/p>\n

Multiple injections<\/h3>\n

The sites that are affected are running the WordPress CMS and often using outdated plugins. We were not able to figure out whether this campaign was made worse by the exploitation of a single vulnerability, although the recent RCE for the Duplicator plugin<\/a> came to mind. Our friends over at Sucuri believe this is a combination of multiple vectors<\/a>.<\/p>\n

Threat actors inject vulnerable sites in different ways. For example, on the client-side we see one large encoded blurb, usually in the HTML headers tag, and a one liner pointing to an external JavaScript.\u00a0Website owners are also reporting<\/a> malicious code within the wp_posts table of their WordPress database.<\/p>\n

\"\"<\/a><\/p>\n

The domain examhome[.]net<\/em> had a recent whois change (2018-09-16) and interesting nameservers:<\/p>\n

1a7ea920.bitcoin-dns[.]hosting  a8332f3a.bitcoin-dns[.]hosting  ad636824.bitcoin-dns[.]hosting  c358ea2d.bitcoin-dns[.]hosting<\/pre>\n
The redirection flow shows further use of encoding to load mp3menu[.]org<\/em> with a whois updated on 2018-09-15 and the following nameservers:<\/p>\n
a8332f3a.bitcoin-dns[.]hosting  ad636824.bitcoin-dns[.]hosting<\/pre>\n
\"\"<\/a><\/p>\n
That .TK URL pattern is well known and has been documented in detail<\/a>\u00a0as part of a large Traffic Distribution System (TDS) responsible for massive redirections to browlock pages. Note the custom mouse cursor (the “Evil cursor”), which we reported on recently<\/a>, has yet to be patched.<\/p>\n
\"\"<\/a><\/p>\n
Scope and mitigations<\/h3>\n
The number of WordPress sites that have been compromised is increasing in the last few days, suggesting that these are ongoing campaigns.<\/p>\n
\"\"<\/a><\/p>\n
Website owners affected by these attacks will have to perform a thorough cleanup of injected pages, databases, and backdoors. More importantly, they will need to identify the root cause of the compromise, which often times is an outdated WordPress installation or plugin.<\/p>\n
\"\"<\/a><\/p>\n
Malwarebytes users running our browser extension<\/a> are protected against the tech support scam pages without any need for signature updates.<\/p>\n
Indicators of compromise<\/h3>\n
137.74.150.112,examhome[.]net,Examhome Campaign (URI)  37.139.5.74,mp3menu[.]org,Examhome Campaign (URI)  23.163.0.39,ejyoklygase[.]tk,TK TSS Browlock (URI)    Injected blurb (partial):  String.fromCharCode(118, 97, 114, 32, 115, 111, 109    From Sucuri Labs:  ads.voipnewswire[.]net\/ad.js  cdn.allyouwant[.]online\/main.js?t=c<\/pre>\n
The post Mass WordPress compromises redirect to tech support scams<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 20 Sep 2018 17:42:47 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Thousands of WordPress sites have been injected with the same malicious redirection. We review the infection details and the malicious traffic leading to browser lockers.<\/p>\n
Categories: <\/p>\n