Cybercriminals are tricking victims into downloading malware (opens in new tab) by telling them their browsers are outdated and need to be updated in order to view the contents of the page.
Avast cybersecurity researchers Jan Rubin and Pavel Novak uncovered a phishing campaign in which an unknown threat actor compromised more than 16,000 WordPress and Joomla hosted (opens in new tab)websites with weak login credentials.
These are usually adult content websites, personal websites, university sites, and local government pages
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
>> Click here to start the survey in a new window (opens in new tab) <<
After gaining access to these sites, the attackers would tpically set up a Traffic Direction System (TDS), Parrot TDS. A TDS is a web-based gate that redirects users to various content, depending on certain parameters. That allows the attackers to deploy malware only on the endpoints (opens in new tab) that are deemed a good target (poor cybersecurity measures, for example, or specific geographic locations).
Those that get the message to “update” their browser, will actually be served a Remote Access Trojan (RAT) called NetSupport Manager. It provides the attacker with a full access to the target endpoint.
“Traffic Direction Systems serve as a gateway for the delivery of various malicious campaigns via the infected sites,” said Jan Rubin, malware researcher at Avast. “At the moment, a malicious campaign called ‘FakeUpdate’ (also known as SocGholish) is being distributed via Parrot TDS, but other malicious activity could be performed in the future via the TDS."
> Major WordPress update will make amateurs look like master web developers (opens in new tab)
> WordPress plugin exposes half a million sites to attack (opens in new tab)
> WordPress plugin vulnerability exposed millions of websites to attack (opens in new tab)
Besides being powered by either WordPress or Joomla (opens in new tab), these websites have very little in common, which is why the researchers believe they were chosen for their weak passwords.
“The only thing the sites have in common is that they are WordPress and in some cases Joomla sites. We therefore suspect weak login credentials were taken advantage of to infect the sites with malicious code,” said Pavel Novak, ThreatOps Analyst at Avast. “The robustness of Parrot TDS and its huge reach make it unique.”
- No perimeter is totally secure without state-of-the-art firewalls (opens in new tab)