A new widespread redirection campaign targets thousands of users from East Asia through legitimate FTP credentials.
Numerous incidents showed that the attackers acquired highly secure auto-generated FTP credentials and utilised them to infect the victim websites to guide their visitors to another explicit-packed webpage.
Researchers claimed that the campaign compromised at least 10,000 websites owned by big-time organisations. The differences in hosting providers and tech stacks have prevented security researchers from pinpointing the attackers’ entry points.
The hackers who exploited the FTP credentials also used JavaScript.
According to investigations, the adversaries who used the compromised FTP credentials added a single line of HTML code with a script tag referencing a remotely hosted JS script. The attackers downloaded and operated the attached tags on the website used by a targeted device.
In several instances, the attackers inject the JS code directly into existing archives on the infected server. Many believed the injection came from FTP access, not malvertising campaigns.
Researchers spotted numerous servers associated with this cybercriminal activity, involving server JavaScript variations revealing multiple similarities, making these campaigns part of a massive scheme.
Furthermore, the JavaScript redirection code reviews specific conditions before redirecting the users to another website, including a cookie set on the targeted device, probability value, and if they are not using an Android device.
Earlier last year, the attackers also used the JavaScript code to fingerprint users’ browsers and exfiltrated the harvested data to an attacker-controlled environment. However, this campaign suddenly disappeared at the end of last year.
Some changes have also been identified in the redirection mechanics used by the hackers, such as adding intermediate servers to the redirection chain. In other cases, the website admin deleted the malicious redirection, only to notice that it reemerged after a few minutes.
The researchers claimed that the campaign’s primary objective could be SEO manipulation or ad fraud. Unfortunately, there is no concrete proof regarding these claims since threat actors could exploit the accessed information to execute another cybercriminal activity.
