Malicious hackers have been exploiting thousands of legitimate websites since at least December 2017 in a sophisticated campaign that has disguised malware as fake software updates. Security researchers at MalwareBytes report that they have uncovered evidence of thousands of compromised websites running popular content management systems (CMS) such as SquareSpace, WordPress and Joomla. Having injected malicious code into a website by exploiting unpatched or vulnerable CMS installations, a typical attack will see visiting users greeted by an authentic-looking message inviting them to install an update for their Chrome or Firefox browser or - if they are running Internet Explorer - install a patch for Adobe Flash. Ultimately, the intention is to install malware onto the targeted computer. In some instances seen by researchers, this is the Chthonic banking malware; on other occasions, it's trojanised remote access applications that act as backdoors. Unlike many other attacks seen on the internet, the "FakeUpdates" campaign goes to great efforts to avoid drawing attention to itself. As Ars Technica reports, the attack limits itself to displaying the fake update notification only once per IP address. Furthermore, malicious JavaScript attempts to detect if is being run inside a virtual environment or sandbox ,which may indicate that the malware is being run on an analyst's computer. There's no doubting that this is a sophisticated operation, especially when one considers for how long the FakeUpdates campaign has successfully compromised websites. But whereas the attack itself is sophisticated, what's clear is that there has been little sophistication shown by those tasked with defending networks. Bad security practices have made it easier for this malware campaign to succeed. Thousands of websites have become infected for the very simply reason that they were poorly protected. System administrators responsible for the security of websites need to prioritize patching of both the CMS itself and any plugins and add-ons their websites use as well as ensure that they are configured properly. Minimizing the number of third party plugins can dramatically reduce the size of the attack surface that hackers can target, thereby providing less opportunities for malicious code to be injected into a site. Similarly, websites that run online adverts have to be careful what advertising companies they partner with to minimize the chances of malvertising sneaking onto their webpages. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
