Cybercriminals are tricking victims into downloading malware (opens in new tab) by telling them their browsers are outdated and need to be updated in order to view the contents of the page.
Avast cybersecurity researchers Jan Rubin and Pavel Novak uncovered a phishing campaign in which an unknown threat actor compromised more than 16,000 WordPress and Joomla hosted (opens in new tab)websites with weak login credentials.
These are usually adult content websites, personal websites, university sites, and local government pages
Parrot TDS
After gaining access to these sites, the attackers would tpically set up a Traffic Direction System (TDS), Parrot TDS. A TDS is a web-based gate that redirects users to various content, depending on certain parameters. That allows the attackers to deploy malware only on the endpoints (opens in new tab) that are deemed a good target (poor cybersecurity measures, for example, or specific geographic locations).
Those that get the message to “update” their browser, will actually be served a Remote Access Trojan (RAT) called NetSupport Manager. It provides the attacker with a full access to the target endpoint.
“Traffic Direction Systems serve as a gateway for the delivery of various malicious campaigns via the infected sites,” said Jan Rubin, malware researcher at Avast. “At the moment, a malicious campaign called ‘FakeUpdate’ (also known as SocGholish) is being distributed via Parrot TDS, but other malicious activity could be performed in the future via the TDS.”
Besides being powered by either WordPress or Joomla, these websites have very little in common, which is why the researchers believe they were chosen for their weak passwords.
“The only thing the sites have in common is that they are WordPress and in some cases Joomla sites. We therefore suspect weak login credentials were taken advantage of to infect the sites with malicious code,” said Pavel Novak, ThreatOps Analyst at Avast. “The robustness of Parrot TDS and its huge reach make it unique.”