Jérôme Segura, a well-known malware intelligence analyst, says that compromised websites contained an encoded piece of code, typically placed in the HTML header. Alternatively, the injected code pointed to a JavaScript file hosted externally. In several cases, the script sat in the “wp_posts” table of the WordPress database. Interestingly, there was no code obfuscation. Representatives from Sucuri Labs say that the location of the malware varies, and that common versions of the infection live in .js files with “jquery” in their names. The experts also add that scammers can compromise WordPress websites via outdated plugins, a common and probably the main security flaw in WP websites. Among the targets they named were very old tagDiv themes (NewsMag, Newspaper, and others) and the unpatched Smart Google Code Inserter plugin.
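As an added example (not code from the article or from the researchers it cites), a small Python scanner that reviews the content of wp_posts rows for the two patterns described above: script tags loading JavaScript from a host other than the site's own, and inline scripts that decode or evaluate an encoded payload. The sample rows, the hypothetical hostname and the allowed-host list are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: hostnames the site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.com"}

# Constructed wp_posts-style rows (ID, post_content); the hostname in row 3 and
# the base64 blob in row 4 are made up for the example, not campaign indicators.
SAMPLE_POSTS = [
    (1, "<p>Welcome to our site.</p>"),
    (2, '<p>More.</p><script src="/wp-includes/js/jquery/jquery.js"></script>'),
    (3, '<script src="https://cdn.example-hypothetical.net/jquery.min.js"></script>'),
    (4, '<script>eval(atob("YWxlcnQoMSk="))</script>'),
]

# Inline code that decodes or evaluates a payload at runtime deserves manual review.
ENCODED_RE = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(")


class ScriptTagCollector(HTMLParser):
    # Collects [src, inline body] for every <script> tag in a post body.
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append([dict(attrs).get("src"), ""])

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False


def find_suspicious_scripts(post_id, html, allowed_hosts=ALLOWED_HOSTS):
    # Returns (post_id, reason, detail) for each script that warrants review.
    parser = ScriptTagCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:  # relative src has no host
                findings.append((post_id, "external-src", src))
        elif ENCODED_RE.search(body):
            findings.append((post_id, "encoded-inline", body.strip()[:60]))
    return findings


def scan_posts(posts, allowed_hosts=ALLOWED_HOSTS):
    # Scans (ID, post_content) rows, e.g. exported from the wp_posts table.
    return [f for pid, c in posts for f in find_suspicious_scripts(pid, c, allowed_hosts)]
```

Every hit is a candidate for review, not a verdict: a theme or plugin may legitimately load a script from a third-party CDN, so the allowed-host list should be built from the site's known dependencies first.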
Fraudsters come up with new ideas since Google started banning fake tech support ads
The new attack wave rolled out soon after Google’s announcement that it would strictly restrict advertisements by third-party tech support providers. The tech giant took such measures to lower the number of fraudsters in the tech support market. Therefore, tech support scammers now aim at legitimate websites and try to advertise by illegally injecting code into reputable sites. They may also attempt to exploit legitimate advertising platforms to present themselves as trustworthy service providers. The attackers promote traditional fake support pages urging the victim to call for support immediately. Usually, the deceptive pop-up includes lines such as: “Please call us within the next 5 minutes…” Additionally, experts point out that scammers have targeted not only website users but also advertisers. According to Jérôme Segura’s report to Bleeping Computer, scammers are “pushing ads for some geolocations as well as user agents.” He also observed malicious campaigns that reroute victims to sites injecting the CoinHive JavaScript miner. These sites then use the victim’s computer’s resources to mine Monero cryptocurrency until the malicious page is closed.