WordPress Database Upgrade Phishing Campaign

WordPress Database Upgrade Phishing Campaign

We have recently been notified of phishing emails that target WordPress users. The content informs site owners that their database requires an update and looks like this: The email’s appearance resembles that of a legitimate WordPress update message, however the content includes typos and uses an older messaging style. Another ... Read More
Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins

Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins

This August, we’ve seen a new massive wave of WordPress infections that redirect visitors to unwanted sites. When redirected, users see annoying pages with random utroro[.]com addresses and fake reCAPTCHA images. The messages and content try to convince visitors to verify and subscribe to browser notifications without disclosing the purpose ... Read More
Fake Plugins with Popuplink.js Redirect to Scam Sites

Fake Plugins with Popuplink.js Redirect to Scam Sites

Since July, we’ve been observing a massive WordPress infection that is responsible for unwanted redirects to scam and ad sites. This infection involves the tiny.cc URL shortener, a fake plugin that has been called either “index” or “wp_update”, and a malicious popuplink.js file. Infected pages typically have these two scripts ... Read More
RawGit CDN is Abused by CryptoLoot Cryptominers

RawGit CDN is Abused by CryptoLoot Cryptominers

Recently, we came across another way to use files from GitHub repositories in malware infections. This time the infections weren’t via GitHub.io, raw.githubusercontent.com, or github.com/<user>/<repository>/raw/ URLs. The new trick involved a third-party service called RawGit that provides a CDN for GitHub files. This is the script that we found injected ... Read More
CoinImp Cryptominer and Fully Qualified Domain Names

CoinImp Cryptominer and Fully Qualified Domain Names

We are all familiar with the conventional domain name notation, where different levels are concatenated with the full stop character (period). E.g. “www.example.com”, where “www” is a subdomain, “example” is a second level domain, and “com” is a top level domain. However, very few know that there is also a ... Read More
Massive localstorage[.]tk Drupal Infection

Massive localstorage[.]tk Drupal Infection

After a series of critical Drupal vulnerabilities disclosed this spring, it’s not surprising to see a surge of massive Drupal infections like this one: Massive #Drupal infection that redirects to "Tech Support" scam via "js.localstorage[.]tk" https://t.co/30ZeLIyfza pic.twitter.com/ZCPMepM74k — Denis (@unmaskparasites) April 24, 2018 … with over a thousand compromised sites ... Read More
From Baidu to Google’s Open Redirects

From Baidu to Google’s Open Redirects

Last week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages. It didn’t last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites and a couple ... Read More
Unwanted Ads via Baidu Links

Unwanted Ads via Baidu Links

The malware attack that began as an installation of malicious Injectbody/Injectscr WordPress plugins back in February has evolved since then. Some of the changes were documented asUpdates at the bottom of the original blog post, however, every week we see minor modifications in the way they obfuscate the scripts or ... Read More
GitHub Hosts Infostealers Part 2: Cryptominers and Credit Card Stealers

GitHub Hosts Infostealers Part 2: Cryptominers and Credit Card Stealers

A few days ago, we reported that hacked Magento sites had been pushing infostealing malware under the disguise of Flash player updates. In this post, we’ll reveal how this recent attack is related to an extremely hot topic – cryptocurrencies and cryptomining. Infostealer Analysis The malware binary files we found ... Read More
GitHub Hosts Infostealer

GitHub Hosts Infostealer

A few months ago, we reported on how cybercriminals were using GitHub to load a variety of cryptominers on hacked websites. We have now discovered that this same approach is being used to push binary “info stealing” malware to Windows computers. Infected Magento Sites Recently, we identified hundreds of infected ... Read More
Loading...