
Over 269,000 websites were hacked to redirect visitors to scams and malware, putting PC users and businesses at risk.

A major cyberattack has compromised over 269,000 websites and resulted in them secretly redirecting visitors to malicious content. The threat actors behind the attack achieved this by injecting harmful code into these websites. This code was then activated when someone visited the site through a search engine. The objective was to funnel victims towards fake tech support scams, malicious downloads, and phishing scams.

With such a huge number of websites involved, this attack poses a major risk to your business. Ophtek doesn’t want you to fall victim to this, so we’re going to highlight the mechanics of the attack and how you can stay safe.

How Were the Websites Compromised?

Researchers from Palo Alto Networks recently uncovered this new campaign and have dubbed it JSFireTruck. At the heart of the attack is a heavily disguised JavaScript payload. This code is deliberately scrambled using only symbols like brackets, plus signs, and dollar signs. The main reason for limiting the code to these specific symbols is to make it difficult for automated tools to detect it.

Once the malicious code is injected into a website, it sits there silently, waiting for visitors. When a visitor arrives, the code activates – but only if that visitor was forwarded from search engine results. The malware begins by fingerprinting the visitor’s device and gathering data about their browser type, language, OS, and other system details. This lets the attackers tailor their attack to a specific visitor and remain undetected.

If the visitor satisfies all the requirements of a JSFireTruck target, the script quietly redirects them to another site. Typically, this site will pose as a legitimate CAPTCHA page. After performing the necessary action to verify themselves, targets are then forwarded on to a malicious site. These sites may ask them to contact a fake technical support helpline, or they may insist that the user download some software to repair their PC. There have also been some isolated reports of users being sent to phishing sites that attempt to steal personal or business data.
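The symbol-only obfuscation described above is also a detection opportunity for site owners: legitimate inline scripts are almost never built from nothing but `[]()!+$`. The following scanner is an added example written for this post, not code from the original article or from the Palo Alto Networks research; the sample page, the 90% ratio and the 200-character run threshold are constructed assumptions to tune for your own site.

```python
import re
from html.parser import HTMLParser

# Characters a JSFuck-style payload (as described for JSFireTruck) is built from.
JSFUCK_CHARS = set("[]()!+$")

def symbol_only_ratio(script: str) -> float:
    """Fraction of non-whitespace characters in `script` drawn from JSFUCK_CHARS."""
    body = "".join(script.split())
    if not body:
        return 0.0
    return sum(c in JSFUCK_CHARS for c in body) / len(body)

def longest_symbol_run(script: str) -> int:
    """Length of the longest run made solely of JSFUCK_CHARS characters."""
    return max((len(m) for m in re.findall(r"[\[\]()!+$]+", script)), default=0)

class _ScriptExtractor(HTMLParser):
    """Collects the body of every inline <script> element in a page."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def scan_html(html: str, min_ratio: float = 0.9, min_run: int = 200) -> list:
    """Return the indexes of inline scripts that look JSFuck-obfuscated.
    Both checks must hold: a high share of symbol characters AND one long
    unbroken symbol run, so a short minified snippet does not trigger it."""
    parser = _ScriptExtractor()
    parser.feed(html)
    return [i for i, s in enumerate(parser.scripts)
            if symbol_only_ratio(s) >= min_ratio and longest_symbol_run(s) >= min_run]

# Constructed sample page: one ordinary script, and one whose body is a
# synthetic repetition of JSFuck symbols (a pattern only, not a working payload).
SAMPLE_HTML = (
    "<html><body>"
    "<script>document.getElementById('year').textContent = new Date().getFullYear();</script>"
    "<script>" + "[+!![]]+(![]+[])[+[]]" * 20 + "</script>"
    "</body></html>"
)

if __name__ == "__main__":
    print("suspicious inline scripts:", scan_html(SAMPLE_HTML))  # → [1]
```

Run it over the HTML your web server actually serves (not just the files on disk), since injected code can also be added by a compromised plugin at render time.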

3 Tips to Stay Safe from These Attacks

What makes this attack especially dangerous is that it uses genuine websites as the starting point. Therefore, a user may be searching quite innocently for something relating to their PC – such as software documentation or a firmware update – and be deceived into unleashing malware on their PC. Luckily, Ophtek knows how to keep you and your IT infrastructure safe, so we’re going to share our 3 top tips with you:

  1. Keep Your Software Updated: always make sure all your web browsers, plugins, and security tools are regularly updated to patch known vulnerabilities exploited by these types of attacks.
  2. Use Secure DNS and Web Filtering: it’s important that you use security tools which can analyze web traffic and block malicious redirects. These can help catch and block compromised pages before your employees land on them.
  3. Educate Your Employees: train staff to be cautious with unexpected CAPTCHAs, urgent messages to perform an action, or downloads. This doesn’t just apply to dubious websites: even genuine websites – as the JSFireTruck attack has demonstrated – can be home to malicious activity.

For more ways to secure and optimize your business technology, contact your local IT professionals.