A widespread cyberattack has compromised approximately 150,000 legitimate websites by injecting malicious JavaScript code to promote Chinese-language gambling platforms. This campaign, which has been ongoing, involves attackers embedding harmful JavaScript into websites, leading to unauthorized redirections and overlays that display gambling content to unsuspecting visitors.
Security analyst Himanshu Anand from c/side has been monitoring this campaign and notes that the threat actors have made slight modifications to their methods. They continue to use iframe injections to create full-screen overlays in visitors’ browsers, effectively hijacking the user experience. As of the latest data, over 135,800 websites contain the malicious JavaScript payload, according to statistics from PublicWWW.
Technical Details of the Attack
The attack operates by injecting JavaScript hosted on multiple domains, such as “zuizhongyj[.]com,” which then serve the main payload responsible for redirecting users to gambling sites. In some instances, the injected scripts and iframe elements impersonate legitimate betting websites like Bet365, utilizing official logos and branding to deceive users. This method involves displaying a fullscreen overlay using CSS, replacing the actual web content with the malicious gambling landing page when a user visits an infected site.
Anand emphasizes the adaptability of these threat actors, stating, “This attack demonstrates how threat actors constantly adapt, increasing their reach and using new layers of obfuscation.” He also highlights the rising trend of client-side attacks, noting an increase in such findings daily.
Broader Implications and Related Campaigns
This incident is part of a larger pattern of cyberattacks targeting websites through JavaScript injections. For instance, researchers from Unit 42 have been tracking a similar campaign involving malicious JavaScript injections that redirect victims to adware and scam pages. This campaign has infected over 51,000 websites, including several hundred within Tranco’s top one million ranked sites, indicating a significant reach among internet users.
The complexity of these attacks lies in their multi-stage injection processes, which include evasion techniques such as obfuscation and benign append attacks. These methods help the malicious code remain undetected by security measures. The injected JavaScript dynamically adds external malicious code through DOM manipulation, allowing attackers to change the payload and maintain flexibility in their operations.
Impact on Users and Website Owners
The impact of these campaigns is substantial. In January 2023 alone, approximately 240,000 website sessions were prevented across 14,773 devices due to blocking measures against these infected websites. Users visiting compromised sites may be redirected to fraudulent pages, exposing them to potential scams or unwanted content. Website owners face reputational damage, loss of traffic, and potential penalties from search engines for hosting malicious content.
Preventive Measures and Recommendations
To mitigate the risks associated with such JavaScript injection attacks, website owners and administrators should implement the following measures:
1. Regular Security Audits: Conduct thorough and frequent security assessments of website code and infrastructure to identify and address vulnerabilities.
2. Update and Patch Systems: Ensure that all content management systems (CMS), plugins, and third-party tools are up-to-date with the latest security patches.
3. Implement Content Security Policy (CSP): Utilize CSP headers to restrict the sources from which scripts can be loaded, reducing the risk of unauthorized code execution.
4. Monitor for Unauthorized Changes: Set up monitoring systems to detect and alert administrators of any unauthorized modifications to website files or code.
5. Educate Staff and Users: Provide training on recognizing phishing attempts and the importance of cybersecurity best practices to prevent initial compromise vectors.
By adopting these strategies, website owners can enhance their defenses against JavaScript injection attacks and protect their users from malicious redirections and content.
