Although we don’t have an exact number of sites that are affected, we surmise that it is in the thousands.įigure 6: A partial list of compromised sites Squarespace We were able to identify several hundred compromised WordPress and Joomla websites even after a small iteration through the list. We wrote a simple crawler to browse a list of sites and then parsed the results.
#Fake google chrome update 2018 code#
The image below shows a beautified version of the code injected in the CMS platforms, whose goal is to call the redirection URL:įigure 5: Injected code responsible for the redirection The additional blurb of code is responsible for the next chain of events that loads the fraudulent layer onto the website you are visiting. Some commonly injected files include the jquery.js and caption.js libraries where code is typically appended and can be spotted by doing a comparison with a clean copy of the same file.įigure 4: Diffing a clean and suspicious copy of the same library WordPress and Joomlaīoth WordPress and Joomla sites that were hacked bear the same kind of injection within their CMS’ JavaScript files.įigure 2: A Compromised WordPress site pushing a fake Google Chrome updateįigure 3: A Compromised Joomla site pushing a fake Mozilla Firefox update It is possible that attackers used the same techniques to build their inventory of compromised sites but we do not have enough information to confirm this theory. Several of the websites we checked were outdated and therefore vulnerable to malicious code injection. This campaign affects multiple Content Management Systems (CMS) in somewhat similar ways. The update file is not an executable but rather a script which is downloaded from DropBox, a legitimate file hosting service, as can be seen in the animation below.įigure 1: A typical redirection to the ‘FakeUpdates’ scheme from a hacked site Today, we are looking at what we call the ‘FakeUpdates campaign’ and describing its intricate filtering and evasion techniques. One of the earliest examples we could find was reported by BroadAnalysis on December 20, 2017. More recently, there has been a campaign affecting Magento websites that also pushes fake updates (for the Flash Player) which delivers the AZORult stealer by abusing GitHub for hosting. The patterns are also somewhat reminiscent of EITest’s HoeflerText campaign where hacked websites are scrambled and offer a font for download. Similar techniques were used by a group leveraging malvertising on high traffic websites such as Yahoo to distribute ad fraud malware. Its modus operandi relies on social engineering users with fake but convincing update notifications. A malware campaign which seems to have started at least since December 2017 has been gaining steam by enrolling a growing number of legitimate but compromised websites.