Hackers hijack adult websites to infect victims with malware

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Cybercriminals are tricking victims into downloading malware by telling them their browsers are outdated and need to be updated in order to view the contents of the page.

Avast cybersecurity researchers Jan Rubin and Pavel Novak uncovered a phishing campaign in which an unknown threat actor compromised more than 16,000 WordPress and Joomla hosted websites with weak login credentials.

These are usually adult content websites, personal websites, university sites, and local government pages

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> <a href="https://project.tolunastart.com/s/Cy37RiA" data-link-merchant="project.tolunastart.com"" target="_blank">Click here to start the survey in a new window <<

Parrot TDS

After gaining access to these sites, the attackers would tpically set up a Traffic Direction System (TDS), Parrot TDS. A TDS is a web-based gate that redirects users to various content, depending on certain parameters. That allows the attackers to deploy malware only on the endpoints that are deemed a good target (poor cybersecurity measures, for example, or specific geographic locations).

Those that get the message to “update” their browser, will actually be served a Remote Access Trojan (RAT) called NetSupport Manager. It provides the attacker with a full access to the target endpoint.

“Traffic Direction Systems serve as a gateway for the delivery of various malicious campaigns via the infected sites,” said Jan Rubin, malware researcher at Avast. “At the moment, a malicious campaign called ‘FakeUpdate’ (also known as SocGholish) is being distributed via Parrot TDS, but other malicious activity could be performed in the future via the TDS." 

Besides being powered by either WordPress or Joomla, these websites have very little in common, which is why the researchers believe they were chosen for their weak passwords.

“The only thing the sites have in common is that they are WordPress and in some cases Joomla sites. We therefore suspect weak login credentials were taken advantage of to infect the sites with malicious code,” said Pavel Novak, ThreatOps Analyst at Avast. “The robustness of Parrot TDS and its huge reach make it unique.”

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.