Korean Gambling and Call Girl Spam on Hacked and Non-hacked Sites

This blog post talks about how a web spam campaign that targets only one country may create problems for site owners around the world — even if their site is not hacked.
It all began with a pretty regular sample of an infected WordPress index.p…

Replica Spam on Poorly Maintained ASP Site

Although the majority of sites we work on are powered by PHP, we still have clients whose sites use other programming languages.
The other day we cleaned an ASP site where we found a web.config file (the ASP.NET version of .htaccess) with these instru…

From .tk Redirects to PushKa Browser Notification Scam

In the past couple of years, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into WordPress sites.
This campaign leverages old vulnerabilities (patched a long time ago) found in a variety of outdated theme…

More on Dnsden[.]biz Swipers and Radix Obfuscation

After the recent publication of the Uncommon Radixes Used in Malware Obfuscation article, we found an interesting Twitter thread involving @EKFiddle and @Ledtech3:
#EKFiddle [Regex update]: Added Radix Web Skimmer identified by @unmaskparasites (https://t….

Fake Browser Updates Push Ransomware and Bank Malware

Recently we came across a malicious campaign injecting scripts that push fake browser updates onto site visitors.
This is what a typical fake update request looks like:
Users see a message box that says it’s an “Update Center” for yo…

Google Analytics and Angular in Magento Credit Card Stealing Scripts

Over the last few months, we’ve noticed several credit card-stealing scripts that use variations of the Google Analytics name to make them look less suspicious and evade detection by website owners.
The malicious code is obfuscated and injected …

Localization and Customization of Credit Card Stealing Malware

Credit card stealing malware is becoming more and more customized. We’ve been regularly seeing injected scripts with URLs that either mimic or include a portion of the victim’s site domain. Sometimes the injected code also references the v…

Hackers Change WordPress Siteurl to Pastebin

Last Friday, we reported on a hack that used a vulnerability in the popular WP GDPR Compliance plugin to change WordPress siteurl settings to erealitatea[.]net. At that time it was not clear who was behind the massive attack, since the erealitatea[.]n…