A group of hackers is using fake DDoS protection pages to trick unsuspecting users into installing malware, according to GoDaddy-owned cybersecurity firm Sucuri.
The hackers hijack sites built with WordPress to show fake DDoS protection pages. Visitors to these sites see a pop-up posing as a Cloudflare DDoS protection service. But once they click on the prompt, the pop-up downloads a malicious ISO file onto their PC.
The attack exploits the fact that legitimate DDoS protection pages sometimes appear on websites you try to visit. Those pages are meant to prevent bots and other malicious web traffic from bombarding the website and disabling the service, and visitors must complete a CAPTCHA test to prove they are human.
Specifically, fake DDoS protection pages will download a file called “security_install.iso” onto the victim’s computer. The WordPress site will then show an additional popup asking the user to install the ISO file to get a verification code.
“What most users don’t realize is that this file is actually a remote access Trojan, currently reported by 13 security vendors at the time of this writing,” Martin said. This means that the Trojan can pave the way for a hacker to take control of a victim’s computer remotely.
According to antivirus vendor Malwarebytes, the ISO file is actually malware called NetSupport RAT (Remote Access Trojan), which has been used in ransomware attacks. The same malware can also install Raccoon Stealer, which is capable of stealing passwords and other user credentials from an infected PC.
The incident is a reminder to be on guard when your PC’s browser downloads a mysterious file, even from a seemingly legitimate web security service. “Malicious actors will take any avenue at their disposal to compromise computers and push their malware onto unsuspecting victims,” Martin added.