Malicious hackers have been exploiting thousands of legitimate websites since at least December 2017 in a sophisticated campaign that has disguised malware as fake software updates.
Security researchers at Malwarebytes report that they have uncovered evidence of thousands of compromised websites running popular content management systems (CMS) such as Squarespace, WordPress and Joomla.
Having injected malicious code into a website by exploiting unpatched or vulnerable CMS installations, a typical attack will see visiting users greeted by an authentic-looking message inviting them to install an update for their Chrome or Firefox browser or – if they are running Internet Explorer – install a patch for Adobe Flash.
Ultimately, the intention is to install malware onto the targeted computer. In some instances seen by researchers, this is the Chthonic banking malware; on other occasions, it’s trojanised remote access applications that act as backdoors.
Unlike many other attacks seen on the internet, the “FakeUpdates” campaign goes to great lengths to avoid drawing attention to itself.
As Ars Technica reports, the attack limits itself to displaying the fake update notification only once per IP address.
There’s no doubting that this is a sophisticated operation, especially when one considers for how long the FakeUpdates campaign has successfully compromised websites.
But whereas the attack itself is sophisticated, what’s clear is that there has been little sophistication shown by those tasked with defending networks. Bad security practices have made it easier for this malware campaign to succeed.
Thousands of websites have become infected for the very simple reason that they were poorly protected. System administrators responsible for the security of websites need to prioritize patching of both (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/thousands-compromised-websites-spreading-malware-via-fake-updates/