Cybercriminals trick victims into downloading malware by telling them that their browser is outdated and needs to be refreshed to see the content of the page.
Avast cybersecurity researchers Jan Rubin and Pavel Novak uncovered a phishing campaign in which over 16,000 hosted WordPress and Joomla websites with weak login credentials were compromised by unknown attackers.
These are typically adult content websites, personal websites, university sites, and local government pages.
Parrot TDS
After gaining access to these sites, attackers typically set up a traffic direction system (TDS), in this case Parrot TDS. A TDS is a web-based gate that redirects users to different content depending on certain parameters of the request. This allows attackers to deploy malware only to endpoints they consider suitable targets (for example, those with poor cybersecurity measures or in a specific geographic location).
Anyone who receives a message to “refresh” their browser is actually provided with a Remote Access Trojan (RAT) called NetSupport Manager. This gives the attacker full access to the target’s endpoint.
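The conditional delivery described above is what a site owner can check for on their own WordPress or Joomla pages: fetch the same URL under several request profiles and diff the scripts each variant loads. The following is an added example, not code from the article or from Avast; the profile names, the `suspicious_scripts()` function and the sample HTML (including the `/cache/obfuscated-loader.js` path) are constructed for illustration.

```python
"""Added example: detect TDS-style conditional script injection by comparing
the same page as served to different request profiles (browser, curl,
search crawler). All HTML below is constructed sample input."""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and a short hash of each inline script."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add("src:" + src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            digest = hashlib.sha256(body.encode()).hexdigest()[:12]
            self.scripts.add("inline:" + digest)
            self._in_inline = False


def extract_scripts(html):
    """Return the set of script identifiers (src URL or inline hash) in a page."""
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


def suspicious_scripts(responses):
    """responses: {profile_name: html_body} for one URL fetched under several
    request profiles. Returns {script_id: [profiles that received it]} for every
    script that is NOT present in all variants. A script served to a browser
    profile but hidden from a crawler or curl profile is the cloaking pattern a
    TDS produces (assumed heuristic, not an Avast detection rule)."""
    per_profile = {name: extract_scripts(body) for name, body in responses.items()}
    all_scripts = set().union(*per_profile.values()) if per_profile else set()
    result = {}
    for script in all_scripts:
        seen_in = sorted(n for n, s in per_profile.items() if script in s)
        if len(seen_in) != len(per_profile):
            result[script] = seen_in
    return result


# Constructed sample: the same page as returned to three request profiles.
BASE = """<html><head><script src="/wp-includes/js/jquery.js"></script>
<script>window.site='example';</script></head><body><p>Hello</p>{extra}</body></html>"""

SAMPLE_RESPONSES = {
    "windows_chrome": BASE.format(extra='<script src="/cache/obfuscated-loader.js"></script>'),
    "curl": BASE.format(extra=""),
    "search_crawler": BASE.format(extra=""),
}

if __name__ == "__main__":
    for script, profiles in suspicious_scripts(SAMPLE_RESPONSES).items():
        print(f"{script} served only to {profiles}")
```

In practice the `responses` dict would be filled by fetching the page with different User-Agent and Referer headers (and, if the site is geo-gated, from different network locations); any script that appears only for browser-like profiles deserves a look in the site's theme and plugin files.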
Jan Rubin, Malware Researcher at Avast, said: “Currently, a malicious campaign called ‘FakeUpdate’ (also known as SocGholish) is being distributed through Parrot TDS, but there is potential for other malicious activity to be carried out through the TDS in the future.”
In addition to using either WordPress or Joomla, the researchers believe the websites had little in common and were chosen for their weak passwords.
“The only thing these sites have in common is that they are WordPress and sometimes Joomla sites. We suspect it will,” said Pavel Novak, ThreatOps Analyst at Avast. “The Parrot TDS’ robustness and its massive reach are unmatched.”