Thousands of hacked websites are infecting visitors with malware (unusually advanced campaign)

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Unusually advanced campaign infects people visiting a variety of poorly secured sites.

Thousands of hacked websites have become unwitting participants in an advanced scheme that uses fake update notifications to install banking malware and remote access trojans on visitors' computers, a computer researcher said Tuesday.

The campaign, which has been running for at least four months, is able to compromise websites running a variety of content management systems, including WordPress, Joomla, and SquareSpace. That's according to a blog post by Jérôme Segura, lead malware intelligence analyst at Malwarebytes. The hackers, he wrote, cause the sites to display authentic-appearing messages to a narrowly targeted number of visitors that, depending on the browsers they're using, instruct them to install updates for Firefox, Chrome, or Flash.
To escape detection, the attackers fingerprint potential targets to ensure, among other things, that the fake update notifications are served to a single IP address no more than once. Another testament to the attackers' resourcefulness: the update templates are hosted on hacked websites, while the carefully selected targets who fall for the scam download a malicious JavaScript file from DropBox. ... ... ...
 
F

ForgottenSeer 69673

I was at my chiropractor today and heard him talking about they had computer problems and remembered this thread.
When I try going to their website All I see is a page saying A new Wordpress site coming soon and a button that shows Admin Login. This is kinda odd to me.
 
D

Deleted member 65228

Use a Virtual Machine. Revert back with a snapshot after each usage session and/or after the browsing session before doing something else on the VM.

You can use a sandbox but some are weaker than others and even with a virtualization-based sandbox, a VM will be more flexible IMO.
 
F

ForgottenSeer 69673

Use a Virtual Machine. Revert back with a snapshot after each usage session and/or after the browsing session before doing something else on the VM.

You can use a sandbox but some are weaker than others and even with a virtualization-based sandbox, a VM will be more flexible IMO.

Not sure what you are saying. You think I am infected or my back cracks site?
 
  • Like
Reactions: vtqhtr413
D

Deleted member 65228

Not sure what you are saying. You think I am infected or my back cracks site?
No no, I was saying about the original post as general advice.

If you have good enough system resources and can afford to do it then you're better off using a Virtual Machine in general and reverting via a snapshot after each session (and in case of a browser exploit you may not have been aware was even deployed, revert with a snapshot after each browsing session should you continue with VM usage).

That way you'll keep your host environment clean and healthy anyway. There's still precautions of course like making sure when backing up content from a session that it hasn't been tampered with by a potential infection even in the environment, or BadUSB deployment on removable media you're using, etc... But overall a VM will be safer when used generally speaking IMO.

If you want to step it up, unless you need Windows on your host, you could use Linux based OS on your host and Windows in the VM you'd be using mainly. That'd make it trickier for Guest -> Host exploitation as well, since the attacker would need to be prepared for the Host to be Linux even though deployment would be carried out on the Windows environment, requiring preparation and flexibility.
 
Last edited by a moderator:
F

ForgottenSeer 69673

I am sorry but I do use a bootable Kubuntu USB. but my question was about my Doctor and Wordpress.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
The good old Sandboxie could help here (please remember that Edge doesn't work under Sandboxie).
As long as the Requirements are met, Windows 10 Pro users shouldn't need to worry too much - some limitations.
Announcing WDAG in PRO SKU - Microsoft Tech Community - 133395 - For Spring Creators Update?

Maybe they are fixing / updating it.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
Excellent Topic! Anyone that ever uses the term "Safe Surfing" should be referred to it. The issue here is that although one may assume a given website is Safe this may not be the case at all.

When I was posted to Paris Station a number of years ago there was a major Automaker whose website was hacked (ftp credentials stolen). For those that downloaded a spec sheet on a popular Model were instead served up malware. These people could have had no reasonable expectation that this would occur.

And regarding the use of just a VM for surfing- unless a person uses 1 VM for every website, the use of an outbound alerting firewall is essential in order to protect against info-stealers.
 
D

Deleted member 65228

And regarding the use of just a VM for surfing- unless a person uses 1 VM for every website, the use of an outbound alerting firewall is essential in order to protect against info-stealers.
There's also Site Isolation features in Google Chrome/alike for other browsers which can be useful in the case of web-based exploitation for a vulnerability like Spectre (vulnerabilities which can be used to leak memory of the browser processes from local JavaScript for example).
 

SumTingWong

Level 28
Verified
Top Poster
Well-known
Apr 2, 2018
1,706
There's also Site Isolation features in Google Chrome/alike for other browsers which can be useful in the case of web-based exploitation for a vulnerability like Spectre (vulnerabilities which can be used to leak memory of the browser processes from local JavaScript for example).

How do you enable and use that feature? My PC is vulnerable to Spectre forever.
 
D

Deleted member 65228

Oh okay. What is this feature do?
Every single web-page you visit at once on the session is contained under its own process, and each of those processes have their own Chromium sandbox container.

Let's say that Spectre was exploited on your environment whilst the Site Isolation feature is enabled and the exploitation was from a JavaScript script loaded locally from an untrusted website you've just been redirected to, the Site Isolation feature should protect the memory of the other tabs because they are hosted under their own processes (the web-pages from other tabs) along with their own sandbox container. It helps prevent leak memory for other tabs data in the event of such web-based exploitation (as a starter example).

Read more: Site Isolation - The Chromium Projects
 

SumTingWong

Level 28
Verified
Top Poster
Well-known
Apr 2, 2018
1,706
Every single web-page you visit at once on the session is contained under its own process, and each of those processes have their own Chromium sandbox container.

Let's say that Spectre was exploited on your environment whilst the Site Isolation feature is enabled and the exploitation was from a JavaScript script loaded locally from an untrusted website you've just been redirected to, the Site Isolation feature should protect the memory of the other tabs because they are hosted under their own processes (the web-pages from other tabs) along with their own sandbox container. It helps prevent leak memory for other tabs data in the event of such web-based exploitation (as a starter example).

Read more: Site Isolation - The Chromium Projects

So if I have 3 tabs open which are A, B, and C. If tab A exploits Spectre vulnerability, the Site Isolation feature enable on Google Chrome will prevent tab A affect tab B and C and my PC?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top