Massive – INDIA NEWS, http://www.indiavpn.org

Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects
http://www.indiavpn.org/2024/03/22/massive-sign1-campaign-infects-39000-wordpress-sites-with-scam-redirects/
Fri, 22 Mar 2024 13:48:10 +0000

Mar 22, 2024 | Newsroom | Web Security / Vulnerability

A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.

The most recent variant of the malware is estimated to have infected no less than 2,500 sites over the past two months alone, Sucuri said in a report published this week.

The attacks inject rogue JavaScript into legitimate HTML widgets and plugins that permit arbitrary JavaScript and other code to be inserted, giving the attackers a ready place to plant their malicious code.

The XOR-encoded JavaScript is subsequently decoded and used to execute a JavaScript file hosted on a remote server, which ultimately facilitates redirects to a VexTrio-operated traffic distribution system (TDS), but only if certain criteria are met.

What’s more, the malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes to get around blocklists. These domains are registered a few days prior to their use in attacks.

“One of the most noteworthy things about this code is that it is specifically looking to see if the visitor has come from any major websites such as Google, Facebook, Yahoo, Instagram etc.,” security researcher Ben Martin said. “If the referrer does not match these major sites, then the malware will not execute.”

Site visitors are then taken to other scam sites by executing another JavaScript file from the same server.

The Sign1 campaign, first detected in the second half of 2023, has witnessed several iterations, with the attackers leveraging as many as 15 different domains since July 31, 2023.

It’s suspected that WordPress sites have been taken over by means of a brute-force attack, although adversaries could also leverage security flaws in plugins and themes to obtain access.

“Many of the injections are found inside WordPress custom HTML widgets that the attackers add to compromised websites,” Martin said. “Quite often, the attackers install a legitimate Simple Custom CSS and JS plugin and inject the malicious code using this plugin.”

Because no malicious code is written to files on the server, this approach allows the malware to stay undetected for extended periods of time, Sucuri said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.




8,000+ Subdomains of Trusted Brands Hijacked for Massive Spam Operation
http://www.indiavpn.org/2024/02/26/8000-subdomains-of-trusted-brands-hijacked-for-massive-spam-operation/
Mon, 26 Feb 2024 14:25:52 +0000

More than 8,000 subdomains belonging to legitimate brands and institutions have been hijacked as part of a sophisticated distribution architecture for spam proliferation and click monetization.

Guardio Labs is tracking the coordinated malicious activity, which has been ongoing since at least September 2022, under the name SubdoMailing. The emails range from “counterfeit package delivery alerts to outright phishing for account credentials.”

The Israeli security company attributed the campaign to a threat actor it calls ResurrecAds, which is known to resuscitate dead domains belonging to or affiliated with big brands with the aim of manipulating the digital advertising ecosystem for nefarious gains.

“‘ResurrecAds’ manages an extensive infrastructure encompassing a wide array of hosts, SMTP servers, IP addresses, and even private residential ISP connections, alongside many additional owned domain names,” security researchers Nati Tal and Oleg Zaytsev said in a report shared with The Hacker News.

In particular, the campaign “leverages the trust associated with these domains to circulate spam and malicious phishing emails by the millions each day, cunningly using their credibility and stolen resources to slip past security measures.”

These subdomains belong to or are affiliated with big brands and organizations such as ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Symantec, The Economist, UNICEF, and VMware among others.

The campaign is notable for its ability to bypass standard security blocks: the entire message body is rendered as an image to evade text-based spam filters, and clicking it initiates a series of redirections through different domains.

“These redirects check your device type and geographic location, leading to content tailored to maximize profit,” the researchers explained.

“This could be anything from an annoying ad or affiliate link to more deceptive tactics like quiz scams, phishing sites, or even a malware download aimed at swindling you out of your money more directly.”

Another crucial aspect of these emails is that they are also capable of circumventing Sender Policy Framework (SPF), an email authentication method that’s designed to prevent spoofing by ensuring a mail server is authorized to send email for a given domain.

It’s not just SPF, as the emails also pass DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) checks that help prevent messages from being marked as spam.

In one example of a deceptive cloud storage warning email highlighted by Guardio, the message originated from an SMTP server in Kyiv, yet was flagged as being sent from Return_UlKvw@marthastewart.msn.com.

A closer examination of the DNS record for marthastewart.msn.com revealed that the subdomain is linked to another domain (msnmarthastewartsweeps[.]com) via a CNAME record, an aliasing technique that has previously been weaponized by advertising technology companies to get around third-party cookie blocking.

“This means that the subdomain inherits the entire behavior of msnmarthastewartsweeps[.]com, including its SPF policy,” the researchers said. “In this case, the actor can send emails to anyone they wish as if msn[.]com and their approved mailers sent those emails!”

It’s worth pointing out here that both domains were legitimate and briefly active at some point in 2001, before they were left in an abandoned state for 21 years. It wasn’t until September 2022 that msnmarthastewartsweeps[.]com was privately registered with Namecheap.

In other words, the hijacking scheme entails the threat actors constantly scanning for long-forgotten subdomains whose CNAME records point to abandoned domains, then registering those domains to take control of the subdomains.

CNAME takeover can also have serious consequences when such reputed subdomains are seized to host bogus phishing landing pages designed to harvest users’ credentials. That said, there is no evidence that any of the hijacked subdomains have been used for this purpose.

Guardio said it also found instances where the DNS SPF record of a known domain holds abandoned domains associated with defunct email- or marketing-related services, thereby allowing attackers to grab ownership of such domains, inject their own IP addresses into the record, and ultimately send emails on behalf of the main domain name.

In an effort to counter the threat and dismantle the infrastructure, Guardio has made available a SubdoMailing Checker, a website that enables domain administrators and site owners to look for signs of compromise.
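A defender-side audit for the conditions described above (subdomains whose CNAME target no longer resolves or hands its SPF policy to the subdomain, and SPF records that delegate to domains nobody holds), written as an added example; it is not Guardio's SubdoMailing Checker or any code from the article. The DNS snapshot and all domain names are constructed so the script runs offline; a real audit would replace the dictionary with live lookups.

```python
import re

# Constructed DNS snapshot: name -> its records. A name that is absent from the
# dictionary stands for NXDOMAIN, i.e. an unregistered or abandoned domain.
DNS = {
    "sub.example.com": {"CNAME": "old-promo.example-sweeps.com"},  # target gone
    "mail.example.com": {"CNAME": "mailer.example-esp.net"},       # third-party ESP
    "mailer.example-esp.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "example.com": {"TXT": ["v=spf1 include:_spf.example-esp.net "
                            "include:defunct-marketing.example -all"]},
    "_spf.example-esp.net": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}

def resolve_cname_chain(name, dns, max_hops=8):
    """Follow CNAMEs; return (final_name, dangling). dangling is True when the
    chain ends at a name with no records at all, which is what an attacker can
    register to take the subdomain over."""
    seen = []
    while name not in seen and len(seen) < max_hops:
        seen.append(name)
        rr = dns.get(name)
        if rr is None:
            return name, True
        if "CNAME" not in rr:
            return name, False
        name = rr["CNAME"]
    return name, False  # loop or too deep: not provably dangling

def spf_record(name, dns):
    for txt in dns.get(name, {}).get("TXT", []):
        if txt.startswith("v=spf1"):
            return txt
    return None

def spf_referenced_domains(record):
    """Names to which an SPF record delegates sending authority."""
    pat = r"(?:^|\s)[+\-~?]?(?:include:|redirect=|a:|mx:|exists:)([A-Za-z0-9._-]+)"
    return re.findall(pat, record)

def audit(zone_names, dns):
    findings = []
    for name in zone_names:
        target, dangling = resolve_cname_chain(name, dns)
        if dangling:
            findings.append((name, "dangling CNAME", target))
        elif target != name and spf_record(target, dns):
            # The subdomain's SPF check will follow the CNAME, so whoever
            # controls the target decides who may send mail as this name.
            findings.append((name, "inherits SPF via CNAME", target))
        rec = spf_record(name, dns)
        if rec:
            for dom in spf_referenced_domains(rec):
                if dom not in dns:
                    findings.append((name, "SPF references unregistered domain", dom))
    return findings

if __name__ == "__main__":
    for finding in audit(["sub.example.com", "mail.example.com", "example.com"], DNS):
        print(*finding)
```

Any "inherits SPF via CNAME" hit on a target outside your organization is a delegation worth reviewing even when the target is currently registered, since the msn.com case began exactly that way once the target lapsed.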

“This operation is meticulously designed to misuse these assets for distributing various malevolent ‘Advertisements,’ aiming to generate as many clicks as possible for these ‘ad network’ clients,” the researchers said.

“Armed with a vast collection of compromised reputable domains, servers, and IP addresses, this ad network deftly navigates through the malicious email propagation process, seamlessly switching and hopping among its assets at will.”




DOJ Slams XCast with $10 Million Fine Over Massive Illegal Robocall Operation
http://www.indiavpn.org/2024/01/03/doj-slams-xcast-with-10-million-fine-over-massive-illegal-robocall-operation/
Wed, 03 Jan 2024 09:11:06 +0000

Jan 03, 2024 | Newsroom | VoIP Service / Regulatory Compliance

The U.S. Department of Justice (DoJ) on Tuesday said it reached a settlement with VoIP service provider XCast over allegations that it facilitated illegal telemarketing campaigns since at least January 2018, in contravention of the Telemarketing Sales Rule (TSR).

In addition to prohibiting the company from violating the law, the stipulated order requires it to meet other compliance measures, including establishing a process for screening its customers and their calls for potential illegal telemarketing. The order, which also imposes a $10 million civil penalty judgment, has been suspended due to XCast’s inability to pay.

“XCast provided VoIP services that transmitted billions of illegal robocalls to American consumers, including scam calls fraudulently claiming to be from government agencies,” the DoJ said in a press release.

These calls delivered prerecorded marketing messages, most of which were sent to numbers listed on the National Do Not Call Registry. To make matters worse, a majority of the calls falsely claimed to be affiliated with government entities or contained outright false or misleading information in an attempt to deceive victims into making purchases.

For instance, some of the calls claimed to be from the Social Security Administration and threatened to cut off a recipient’s utility service unless immediate payments were made. In other cases, consumers were urged to act promptly to reverse bogus credit card charges.

As part of the proposed settlement, XCast has been ordered to cut ties with firms that do not adhere to the U.S. telemarketing laws.

The U.S. Federal Trade Commission (FTC), in a statement, said the Los Angeles-based company did nothing despite being warned several times that illegal robocallers were using its services.

“The order permanently bars XCast Labs from providing VoIP services to any company with which it does not have an automated procedure to block calls that display invalid Caller ID phone numbers or that are not authenticated through the FCC’s STIR/SHAKEN Authentication Framework,” the FTC said.

The development comes as the FTC announced a ban on Response Tree from making or assisting anyone else in making robocalls or calls to phone numbers on the Do Not Call Registry.

The complaint accused the Californian company of operating more than 50 websites, such as PatriotRefi[.]com, AbodeDefense[.]com, and TheRetailRewards[.]com, which used manipulative dark patterns to “trick consumers into providing their personal information for supposed mortgage refinancing loans and other services.”

The defendants then allegedly sold the collected information of hundreds of thousands of consumers to telemarketers who used them to make millions of illegal telemarketing calls, including robocalls, to consumers across the country.


