- Researchers find more than 150,000 compromised websites
- The sites carried malicious scripts that overlaid them with malicious landing pages
- Web administrators are advised to audit their code
Security researchers at c/side recently reported a large website hijacking campaign in which as-yet unidentified threat actors compromised more than 35,000 websites and used them to redirect visitors to malicious pages and even serve them malware.
Now, a month later, the team says the campaign is even more extensive than first thought and has compromised 150,000 websites.
c/side believes the campaign is linked to the Megalayer exploit, which is known to distribute Chinese-language malware and which uses the same domain patterns and the same obfuscation tactics.
Open redirection
While the method has changed slightly and is now delivered with a “slightly altered interface”, the essentials are the same: the attackers use iframe injections to display a full-page overlay in the visitor’s browser.
The overlays show either spoofed legitimate betting sites or fake gambling pages.
c/side has not detailed who the attackers are, beyond saying that they could be linked to the Megalayer exploit.
The attackers are probably Chinese, since they operate from regions where Mandarin is common and the final landing pages present gambling content under the Kaiyun brand.
The researchers also did not explain how the threat actors managed to compromise these tens of thousands of websites, but once the attackers had access, they used it to inject a malicious script loaded from one of a list of websites.
“Once the script is loaded, it completely hijacks the user’s browser window – often redirecting them to pages promoting a gambling platform (or casino) in Chinese,” the researchers explained in the earlier report.
To mitigate the risk of a website takeover, c/side says web administrators should audit their source code, block the malware, and use firewall rules to block Zuizhongjs[.]com, p11vt3[.]VIP and associated subdomains.
It would also be wise to keep an eye on logs for unexpected outbound requests to these domains.
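A small audit helper for the two recommendations above, added here as an illustration and not part of c/side's report or tooling: it scans page source or log text for the two domains named in the report (and any of their subdomains) and flags injected iframe or script tags that load from them. The domains are un-defanged for matching, and the sample HTML and log lines are constructed.

```python
import re
from pathlib import Path

# Domains named in the c/side report (defanged on the page; un-defanged here so they match).
BLOCKED_DOMAINS = ("zuizhongjs.com", "p11vt3.vip")

# A blocked domain, or any subdomain of it, delimited so that "notp11vt3.vip" does not match.
DOMAIN_RE = re.compile(
    r"(?i)(?:^|[^a-z0-9.-])((?:[a-z0-9-]+\.)*(?:"
    + "|".join(re.escape(d) for d in BLOCKED_DOMAINS)
    + r"))(?![a-z0-9-])"
)
# <iframe ... src=...> or <script ... src=...> tags; group 2 is the src value.
TAG_RE = re.compile(r"(?is)<(iframe|script)\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)")


def find_indicators(text):
    """Return (kind, value) findings for one file's contents or a chunk of log text."""
    findings = []
    # Injected tags whose src points at a listed domain: the overlay/loader pattern.
    for m in TAG_RE.finditer(text):
        if DOMAIN_RE.search(m.group(2)):
            findings.append((m.group(1).lower() + "-src", m.group(2)))
    # Any other mention of the domains (obfuscated loaders, logged outbound requests).
    for m in DOMAIN_RE.finditer(text):
        findings.append(("domain", m.group(1).lower()))
    return findings


def scan_tree(root, suffixes=(".html", ".htm", ".php", ".js", ".log")):
    """Walk a web root or log directory and map each file path to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_indicators(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples: an injected page and a proxy log line with an outbound request.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<script src="https://cdn.zuizhongjs.com/loader.js"></script>
<iframe src="https://abc.p11vt3.vip/land" style="position:fixed;top:0;left:0;width:100%;height:100%"></iframe>
</body></html>"""
SAMPLE_LOG = """203.0.113.5 "GET /index.php HTTP/1.1" 200
CONNECT cdn.zuizhongjs.com:443
203.0.113.5 "GET /static/app.js HTTP/1.1" 200"""

if __name__ == "__main__":
    for sample in (SAMPLE_HTML, SAMPLE_LOG):
        for kind, value in find_indicators(sample):
            print(f"{kind}: {value}")
```

Run `scan_tree("/var/www/html")` (an assumed path) against a real web root or log directory to get a per-file report.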