Cyber criminals trick victims into downloading malware (opens in a new tab) telling them that their browsers are outdated and need to be updated to display the content of the page.
Avast cybersecurity researchers Jan Rubin and Pavel Novak discovered a phishing campaign in which an unknown malicious actor compromised over 16,000 hosted WordPress and Joomla sites. (opens in a new tab)websites with weak login credentials.
These are usually adult content websites, personal websites, college sites, and local government pages.
After accessing these sites, attackers usually set up a Traffic Direction System (TDS), Parrot TDS. A TDS is a web portal that redirects users to various content, depending on certain parameters. This allows attackers to deploy malware only to endpoints (opens in a new tab) that are considered a good target (poor cybersecurity measures, for example, or specific geographic locations).
Those who receive the message to “update” their browser will actually receive a Remote Access Trojan (RAT) called NetSupport Manager. It provides the attacker with full access to the target endpoint.
“Traffic directing systems act as a gateway for the delivery of various malicious campaigns via infected sites,” said Jan Rubin, malware researcher at Avast. “At the moment, a malicious campaign called ‘FakeUpdate’ (also known as SocGholish) is being distributed through Parrot TDS, but more malicious activities may be carried out through the TDS in the future.”
Besides being powered by WordPress or Joomla, these websites have very little in common, which is why researchers believe they were chosen for their weak passwords.
“The only thing the sites have in common is that they are WordPress and in some cases Joomla sites, so we suspect that weak login credentials were exploited to infect the sites with malicious code,” said said Pavel Novak, ThreatOps analyst at Avast, “The robustness of Parrot TDS and its immense reach make it unique.