Looking for a date in time for Valentine’s Day? If you’re using Tinder, be careful when swiping right. Cybersecurity researchers discovered security flaws in the popular dating app that could allow hackers to discover users’ private data and personal preferences, like the photos of users they’ve swiped right or left on. In other cybersecurity news, a cybercrime “conglomerate” named Zirconium has been found responsible for the largest malvertising operation of 2017. Using a network of 28 fake ad agencies, Zirconium strategically placed ads that led users to malicious websites pushing scams or fake software updates. The campaigns were so successful – and so sneaky – that they generated 1 billion ad views in 2017.
Category: Malvertising / Malicious Redirect
Trend Identified: 5/17/2017
CVE ID: N/A
Trend Name: Trend El Mirage
Vector: Application Vulnerability, Multiple
MEDIUM: The vector used to infect websites appears to be through the use of leaked compromised passwords.
HIGH: This infection provides complete control of the target website, including database content.
HIGH: This infection provides the adversary administrator-level access to impacted website applications, making total data loss a possibility.
This infection impacts WordPress sites across all versions, but the affected websites identified at this time all show evidence of recent infection by a fake WordPress plugin that performed malicious redirects as well. The previous infections were determined to have been distributed via a botnet using a database of leaked login credentials, suggesting this new attack may similarly be accessing sites via compromised WordPress administrator credentials.
The code as it appears in the injected files is obfuscated, which means it’s written in a way that makes it difficult for humans to read. This is the malicious script as it appears in the affected files:
After decoding this file, we are able to determine the specifics of how it behaves:
Fortunately, despite the nature of these redirects, no malicious activity has been identified in the advertisements themselves, meaning a system infection occurring after these redirects is unlikely.
Because the attack vector of this infection appears to be leaked login credentials from unrelated data breaches, it is very important to ensure that strong password policies are in place on your site. Avoid using the same password across multiple locations to prevent one service’s breach from exposing your accounts elsewhere. If you determine that your data has been part of a publicized breach, change your passwords immediately. Also, consider using a breach checker to identify if your email address has been associated with any public data breaches in the past, as this would be a major indicator that password changes will be necessary for your accounts.
If you are a website owner and you believe your website has been impacted by this infection, contact SiteLock as soon as possible at 855.378.6200. Our SMART scan began rapidly identifying and cleaning instances of this infection within 24 hours of being initially identified.