Major website hijacking scam sees over 35,000 sites attacked, redirected to gambling sites, so be on your guard

News
By
published

A Chinese attacker was redirecting visitors to gambling sites

A close-up of an interent search bar with 'http://ww' visible
(Image credit: Getty Images)
  • Researchers found more than 35,000 compromised websites
  • Sites were carrying malicious code that took over the browser window
  • Visitors were being served casino landing pages

More than 35,000 websites have been compromised in a major hacking campaign that saw users redirected to malicious pages, or possibly even served malware, experts have warned.

A report from cybersecurity researchers at c/side, did not detail who the attackers are, other than saying they could be linked to the Megalayer exploit.

They also did not discuss how the threat actors managed to compromise these tens of thousands of websites, but once the attackers gained access, they used it to inject a malicious script from a list of websites.

Hiding from researchers

“Once the script loads, it fully hijacks the user’s browser window - often redirecting them to pages promoting a Chinese-language gambling (or casino) platform,” the researchers explained.

The attackers are most likely Chinese, since they’re coming from regions where Mandarin is common, and since the final landing pages present gambling content under the Kaiyun brand.

The tens of thousands of compromised websites were serving a few variants of gambling landing pages, it was explained. Some IPs and regions were being served a static page, saying access is blocked. This, the researchers believe, is to prevent security researchers from discovering the attack.

C/side believes the campaign is related to the Megalayer exploit, since it’s known for distributing Chinese-language malware, contains the same domain patterns, and the same obfuscation tactics.

To protect websites against these exploits, c/side advises IT teams to audit their source code, and block malicious domains, or use firewall rules for zuizhongjs[.]com,

p11vt3[.]vip, and associated subdomains. They should also monitor logs for unexpected outgoing requests to these domains, check for unauthorized modifications, restrict scripts to only trusted domains with a well-defined CSP, and frequently scan the sites with tools like PublicWWW or URLScan.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
North Korean flag with a hooded hacker

North Korean hackers are posing as software development recruiters to target freelancers
healthcare

Over a million clinical records exposed in data breach
Rolls-Royce Spectre Black Badge

The most powerful Rolls-Royce in history is electric and it’s here to boost performance – and the marque's luxury appeal
See more latest