News

Hackers Attacked Thousands of Asian Websites and Redirected Users to Adult Websites

Wiz experts have discovered a malicious campaign that was active since September 2022, in which hackers attacked thousands of sites in Asia.

Let me remind you that we also wrote that Chinese hackers use a new backdoor to spy on the country’s government from Southeast Asia, and also that Chinese Hack Group Aoqin Dragon Has Been Quietly Attacking Companies Since 2013.

Also the media reported that Cyber-Espionage Group Worok Attacks Asian Governments and Companies.

At least 10,000 sites targeting an East Asian audience have been hacked and are now redirecting visitors to adult sites.

The hacked sites belong to either to small firms and or multinational corporations, all using different technology stacks and hosting, making it difficult to spot a common attack vector. One of the few “common denominators” is that most of the compromised resources are hosted in China or in another country, but are targeted at Chinese users.

Attackers inject malicious JavaScript into hacked sites, often connecting to the target web server using real FTP credentials. And how exactly the attackers get them, the experts failed to find out.

In many cases, these were strong auto-generated FTP credentials, but the attackers were somehow able to get their hands on them and use them to take over the site.the researchers say.

The report also notes that URLs hosting malicious JavaScript are restricted to specific geofences so that the code only runs in a number of East Asian countries.

In addition, experts have found signs that this campaign is also aimed at Android. In such cases, the redirect script takes visitors to gambling sites that call for installing a special application (APK com.tyc9n1999co.coandroid).

What kind of group is behind these attacks, and what goals it pursues, is still unclear until the end. A notable aspect of these attacks is the absence of phishing, web skimming, or malware. One theory says that the purpose of hackers is ad fraud and SEO manipulation. It’s also possible that it’s about driving non-organic traffic to specific sites.

We are still not sure how the attackers gained access to so many sites, and we have yet to identify commonalities between the affected sites beyond the use of FTP. Although it is unlikely that the attackers use some kind of 0-day vulnerability (given the obviously low sophistication of the attacks), this option cannot be completely excluded either.the experts conclude.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Pectorsed pop-up ads (Virus Removal Guide)

Pectorsed.com is a site that tries to trick you into clik to its browser notifications…

8 hours ago

Remove News-wogag pop-up ads (Virus Removal Guide)

News-wogago.com is a site that tries to force you into subscribing to its browser notifications…

19 hours ago

Remove Grimpoaltoumpa pop-up ads (Virus Removal Guide)

Grimpoaltoumpa.com is a site that tries to force you into subscribing to its browser notifications…

19 hours ago

Remove News-cekufa pop-up ads (Virus Removal Guide)

News-cekufa.com is a site that tries to force you into clik to its browser notifications…

19 hours ago

Remove News-nevaw pop-up ads (Virus Removal Guide)

News-nevawo.com is a domain that tries to trick you into clik to its browser notifications…

19 hours ago

Remove News-vuyexu pop-up ads (Virus Removal Guide)

News-vuyexu.com is a domain that tries to force you into subscribing to its browser notifications…

19 hours ago