Fake DDoS protection pages on WordPress sites serve as malware


A group of hackers is using fake DDoS protection pages to trick unsuspecting users into installing malware, according to GoDaddy-owned cybersecurity firm Sucuri.

Hackers hijack sites built with WordPress to show fake DDoS protection pages. Visitors to these sites see a pop-up posing as a Cloudflare DDoS protection check. Once they click on the prompt, the pop-up downloads a malicious ISO file onto their PC.

The attack exploits the fact that genuine DDoS protection pages sometimes appear on websites you try to visit; their aim is to stop bots and other malicious web traffic from bombarding the site and taking the service down. Visitors must complete a CAPTCHA test to prove they are human, so a browser check of this kind looks routine.

[Image: Fake DDoS attack protection page (Credit: Sucuri)]

In this case, the hackers serve the fake DDoS protection pages by adding a single line of JavaScript code to the hacked WordPress sites. “Since these types of browser checks are so common on the web, many users would not hesitate to click this prompt to access the website they are trying to visit,” Sucuri security researcher Ben Martin wrote in a blog post.

Specifically, the fake DDoS protection page downloads a file called “security_install.iso” onto the victim’s computer. The WordPress site then shows an additional pop-up asking the user to open the ISO file to obtain a verification code.
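A site owner can look for the two tell-tale traits described above (an injected off-site script plus a fake browser check that offers an ISO file) in the HTML a WordPress page actually serves. The following scanner is an added example, not code from Sucuri or the article; the sample HTML, the hostnames `example-wp-site.test` and `cdn.attacker.invalid`, and the lure phrases are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a WordPress page with one injected script line of the
# kind the article describes. Hostnames are placeholders, not real indicators.
SAMPLE_HTML = """<html><head>
<script src="https://example-wp-site.test/wp-includes/js/jquery.min.js"></script>
<script src="https://cdn.attacker.invalid/ddos.js"></script>
</head><body>
<div class="cf-check">Checking your browser before accessing. DDoS protection by Cloudflare</div>
<a href="https://cdn.attacker.invalid/security_install.iso" download>Verify</a>
</body></html>"""

# Hosts that are allowed to serve JavaScript for this site (assumed allowlist).
SITE_HOSTS = {"example-wp-site.test"}

SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src=["']([^"']+)["']""", re.I)
ISO_RE = re.compile(r"""https?://[^\s"'<>]+\.iso\b""", re.I)
LURE_RE = re.compile(r"ddos protection|checking your browser|verification code", re.I)

def find_indicators(html, site_hosts):
    """Collect off-site script sources, ISO download links and lure text."""
    offsite = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host not in site_hosts:
            offsite.append(src)
    return {
        "offsite_scripts": offsite,
        "iso_links": ISO_RE.findall(html),
        "lure_text": bool(LURE_RE.search(html)),
    }

def is_suspicious(findings):
    # A real DDoS check never asks the visitor to download and run a file, so an
    # ISO link combined with lure text or an off-site script is worth a look.
    return bool(findings["iso_links"]) and (
        findings["lure_text"] or bool(findings["offsite_scripts"])
    )

if __name__ == "__main__":
    result = find_indicators(SAMPLE_HTML, SITE_HOSTS)
    print(result, "suspicious:", is_suspicious(result))
```

Run it against the HTML returned by fetching each page as an anonymous visitor, since the injected script may only be served to non-logged-in users.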

[Image (Credit: Sucuri)]

“What most users don’t realize is that this file is actually a remote access Trojan, currently reported by 13 security vendors at the time of this writing,” Martin said. This means the Trojan can pave the way for a hacker to take control of a victim’s computer remotely.


According to antivirus vendor Malwarebytes, the ISO file carries malware called NetSupport RAT (Remote Access Trojan), which has been used in ransomware attacks. The same malware can also install Raccoon Stealer, which is capable of harvesting passwords and other user credentials from an infected PC.

The incident is a reminder to be on guard when your PC’s browser downloads a mysterious file, even from a seemingly legitimate web security service. “Malicious actors will take any avenue at their disposal to compromise computers and push their malware onto unsuspecting victims,” Martin added.
