Cloud security startup Wiz has discovered a redirection campaign affecting thousands of websites targeting East Asian audiences, with at least 10,000 compromised since September 2022.
Attackers have used legitimate FTP credentials, including highly secure auto-generated ones, to redirect visitors to adult-themed content. The injected tags result in a JavaScript script being downloaded and executed on the website visitors’ machines.
In some cases, the website administrators removed the malicious redirection, only to notice that it reappeared shortly after.
The JavaScript redirection code checks for specific conditions before redirecting the visitor to the destination website, including a probability value, a cookie set on the victim’s machine, whether the visitor is a crawler, and whether or not they are using Android.
The goal of the campaign, Wiz says, could be ad fraud or SEO manipulation, but it is also possible that the attackers are simply looking to increase traffic to the destination websites.
The cybersecurity startup has identified numerous servers associated with this campaign, which serve JavaScript variations that show numerous similarities, suggesting they are tightly linked, if not part of the same activity.
Wiz is unsure how the threat actor has been gaining initial access to so many websites and has yet to identify any significant commonalities between the impacted servers other than their usage of FTP.
Although it’s unlikely that the threat actor is using a zero-day vulnerability given the apparently low sophistication of the attack, this option cannot be ruled out.
The attack could have other nefarious activities, and the cybersecurity startup recommends being vigilant and taking necessary measures to secure their websites.
