A group of hackers has been using fake DDoS-protection pages to trick unsuspecting users into installing malware, according to GoDaddy-owned cybersecurity firm Sucuri.
Hackers are hijacking sites built with WordPress to display the fake DDoS-protection pages. Those who visit these sites see a pop-up that masquerades as a Cloudflare DDoS-protection service. But once they click the prompt, the pop-up will download a malicious ISO file to their PC.
The attack exploits how DDoS-protection pages will sometimes appear on websites you try to visit, in a bid to stop bots and other malicious web traffic from bombarding the website and taking the service down. Visitors are required to solve a CAPTCHA test to prove they’re human.
In this case, the hackers serve up the fake DDoS-protection pages by adding a line of JavaScript code into the hijacked WordPress sites. “Since these types of browser checks are so common on the web many users wouldn’t think twice before clicking this prompt to access the website they’re trying to visit,” Sucuri security researcher Ben Martin wrote in a blog post.
Specifically, the fake DDoS-protection pages will download a file called “security_install.iso” to the victim’s computer. The WordPress site will then serve up an additional pop-up window that asks the user to install the ISO file to obtain a verification code.
“What most users do not realize is that this file is in fact a remote access trojan, currently flagged by 13 security vendors at the time of writing this article,” Martin said. This means the trojan can pave the way for a hacker to remotely take over a victim’s computer.
According to antivirus provider Malwarebytes, the ISO file is actually
Read more on pcmag.com