Thousands of Websites Attacked Via Compromised FTP Credentials

Differences in hosting providers and tech stacks make it difficult to pinpoint a common entry point, Wiz says.


Wiz, a cloud security startup, has issued a warning about a widespread redirection campaign in which thousands of East Asian-targeted websites have been affected using legitimate FTP credentials. In many cases, the attackers gained access to highly secure auto-generated FTP credentials and utilized them to hijack the victim websites to redirect visitors to adult-themed content. 

The campaign, which has most likely been ongoing since September 2022, has compromised at least 10,000 websites, many of which are owned by small businesses and large corporations. According to Wiz, differences in hosting providers and tech stacks make it difficult to identify a common entry point.

As part of the initial incidents, the attackers added "a single line of HTML code in the form of a script tag referencing a remotely hosted JavaScript script" to the compromised web pages. The injected tags cause a JavaScript script to be downloaded and executed on the machines of website visitors.
According to Wiz, in some cases, JavaScript code was injected directly into existing files on the compromised server, most likely via FTP access, ruling out the possibility of malvertising.
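A website operator who suspects this kind of single-line injection can check their own pages for script tags that load JavaScript from hosts they never approved. The following scanner is an added example written for this article, not code from Wiz or from the campaign; the sample page, the allowlist and the host names in it are constructed.

```python
"""Flag <script src=...> tags that load JavaScript from hosts outside an allowlist,
the kind of single-line injection the Wiz report describes.
Added example; the sample page, allowlist and host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def script_host(src):
    """Return the host a script src points at, or None for same-origin paths."""
    # Protocol-relative URLs (//host/x.js) need a scheme before urlparse sees the host.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower() or None


def find_unexpected_scripts(html, allowed_hosts):
    """Return src values of script tags that load from a host not in allowed_hosts.
    Relative (same-origin) script paths are treated as expected."""
    allowed = {h.lower() for h in allowed_hosts}
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = [(src, script_host(src)) for src in collector.sources]
    return [src for src, host in hosts if host is not None and host not in allowed]


# Constructed sample: one same-origin script, one approved CDN script, and one
# appended tag pointing at a host the site owner never approved.
SAMPLE_PAGE = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"></script>
</head><body><p>hello</p>
<script src="//unexpected-host.test/r.js"></script>
</body></html>"""

ALLOWED_HOSTS = ["cdn.example-cdn.test"]  # constructed allowlist for the sample

if __name__ == "__main__":
    for src in find_unexpected_scripts(SAMPLE_PAGE, ALLOWED_HOSTS):
        print("unexpected external script:", src)
```

Run the same check on a schedule over the web root, since the report notes the injection reappeared on some sites after administrators removed it.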

The cybersecurity startup has identified a number of servers associated with this campaign, which serve JavaScript variants that share many similarities, implying they are closely linked, if not part of the same activity.

Before redirecting the visitor to the destination website, the JavaScript redirection code checks for specific conditions such as a probability value, a cookie set on the victim's machine, whether the visitor is a crawler, and whether or not they are using Android. 

Originally, the JavaScript code was seen fingerprinting users' browsers and sending the gathered data to attacker-controlled infrastructure. The behavior, however, has not occurred since December 2022. Other changes in the redirection scripts that Wiz has noticed include the addition of intermediate servers to the redirection chain in February 2023.

In some cases, website administrators removed the malicious redirection only to find it reemerged shortly afterward. As per Wiz, the campaign's goal could be ad fraud or SEO manipulation, but the attackers could also be looking to increase traffic to the destination websites. However, the threat actors may decide to employ the gained access for other illicit reasons.