While investigating a cyber incident, security researchers found that one of their clients' websites had been injected with malware that uses a more complex form of obfuscation than usual to evade detection. According to the website owner, whenever a visitor clicks anywhere on the infected WordPress site, they are redirected to the spam page hxxps[:]//1[.]guesswhatnews[.]com/not-a-robot/index[.]html. That hostname resolved to the IP address 45[.]133[.]44[.]20 (see https[:]//urlscan[.]io/ip/45[.]133[.]44[.]20), which is used by a shady ad network that mainly serves adult websites.

During the investigation, the malicious JavaScript was found injected into random plugin files on the compromised website. The injected PHP code decodes the contents of _inc.tmp, a file in the same plugin directory, and injects the result into the header section of the site's WordPress pages. The resulting script then attaches a listener to the whole page's onclick event, so whenever a visitor clicks any link, the destination is changed to hxxps[:]//1[.]guesswhatnews[.]com/not-a-robot/index[.]html?var=siteid&ymid=clickid&rc=0&mrc=3&fsc=0&zoneid=1947429&tbz=1947431 (siteid and clickid are apparently placeholders for per-site and per-click identifiers).

Before redirecting, the malware runs several Developer Tools detection checks named checkByImageMethod, checkDevByScreenResize, detectDevByKeyboard, checkByFirebugMethod and checkByProfileMethod. If any of them indicates that the browser's Developer Tools are open, the script does nothing and the redirect stops working. This makes the malicious behaviour hard to reproduce from the browser's own debugging tools, so analysts are better off reading the injected plugin files and _inc.tmp directly, or capturing the traffic with a proxy, rather than relying on DevTools. PublicWWW, a search engine for source code, showed that at least 170 websites were infected with this piece of malware.