Since early September 2022, a malicious cyber operation has hijacked thousands of websites aimed at East Asian audiences and redirected visitors to adult-themed content.
The operation involves injecting malicious JavaScript code into the hacked websites and often connecting to the target web server using legitimate FTP credentials that the threat actor previously obtained through an unknown method.
Despite the breached websites being owned by both small firms and multinational corporations, utilizing different tech stacks and hosting service providers, a majority of them are either hosted in China or primed for Chinese users.
The URLs hosting the rogue JavaScript code are geofenced to limit its execution in certain East Asian countries.
The threat actor’s identity is unknown, and their precise motives have yet to be identified, but it is suspected that they intend to carry out ad fraud and SEO manipulation, or alternatively, drive inorganic traffic to these websites.
There are also indications that the campaign has set its sights on Android, with the redirection script leading visitors to gambling websites that urge them to install an app with an APK package name “com.tyc9n1999co.coandroid.”
Notably, the attacks do not involve phishing, web skimming, or malware infection.
Cloud security company Wiz noted that the breached websites' diverse tech stacks and hosting service providers have made it difficult to trace a common attack vector.
Additionally, the researchers Amitai Cohen and Barak Sharoni said that they remain unsure how the threat actor has been gaining initial access to so many websites and have yet to identify any significant commonalities between the impacted servers other than their use of FTP.
Despite the attack’s apparent low sophistication, it is still unclear whether the threat actor is using a 0-day vulnerability.
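Because the campaign's footprint on a compromised site is an injected script tag (and the lack of a common tech stack rules out a single product-specific scanner), one practical check for site owners is a content-integrity audit that flags external scripts loading from hosts outside an allowlist and inline scripts containing client-side redirection calls. The following is an added example written for this page, not code from the Wiz report or from any affected site; the allowlisted hosts, the sample HTML, and the `.invalid` domains are all constructed placeholders, and the regular expressions are an assumption about what a redirect payload commonly looks like rather than the signature of this specific campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts a site owner expects to serve its scripts.
ALLOWED_SCRIPT_HOSTS = {"example-corp.test", "cdn.example-corp.test"}

# Assumed patterns of client-side redirection in inline scripts; tune per site.
REDIRECT_PATTERNS = [
    re.compile(r"window\.location(\.href)?\s*=", re.I),
    re.compile(r"location\.replace\s*\(", re.I),
    re.compile(r"document\.write\s*\(", re.I),
]


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        # html.parser delivers script content as raw data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (finding_type, detail) tuples for suspicious scripts.

    Relative sources (no host) are treated as first-party. Protocol-relative
    sources (//host/path) are resolved to their host so they cannot slip by.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()

    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower().split(":")[0]
        if host and host not in allowed_hosts:
            findings.append(("external_script_unknown_host", src))

    for code in parser.inline:
        for pattern in REDIRECT_PATTERNS:
            if pattern.search(code):
                findings.append(("inline_redirect_pattern", pattern.pattern))
                break
    return findings


# Constructed sample page: one first-party script, one allowlisted CDN script,
# one script from an unexpected host, and one inline redirect.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-corp.test/lib.js"></script>
<script src="//injected-host.invalid/track.js"></script>
<script>
  window.location.href = "https://redirect-target.invalid/";
</script>
</head><body>ok</body></html>"""

# Constructed clean page for comparison.
CLEAN_PAGE = """<html><head><script src="/js/app.js"></script></head><body>ok</body></html>"""


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        print(name, audit_html(page))
```

Run against a saved copy of each page (or the files in the web root), diff the findings against a known-good baseline, and alert on new entries; pairing this with FTP access-log review, since FTP was the one commonality the researchers observed, gives two independent signals for the same compromise.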