Major website hijacking scam sees over 35,000 sites attacked, redirected to gambling sites, so be on your guard

A close-up of an interent search bar with 'http://ww' visible

(Image credit: Getty Images)

Researchers found more than 35,000 compromised websites
Sites were carrying malicious code that took over the browser window
Visitors were being served casino landing pages

More than 35,000 websites have been compromised in a major hacking campaign that saw users redirected to malicious pages, or possibly even served malware, experts have warned.

A report from cybersecurity researchers at c/side, did not detail who the attackers are, other than saying they could be linked to the Megalayer exploit.

They also did not discuss how the threat actors managed to compromise these tens of thousands of websites, but once the attackers gained access, they used it to inject a malicious script from a list of websites.

Hiding from researchers

“Once the script loads, it fully hijacks the user’s browser window - often redirecting them to pages promoting a Chinese-language gambling (or casino) platform,” the researchers explained.

The attackers are most likely Chinese, since they’re coming from regions where Mandarin is common, and since the final landing pages present gambling content under the Kaiyun brand.

The tens of thousands of compromised websites were serving a few variants of gambling landing pages, it was explained. Some IPs and regions were being served a static page, saying access is blocked. This, the researchers believe, is to prevent security researchers from discovering the attack.

C/side believes the campaign is related to the Megalayer exploit, since it’s known for distributing Chinese-language malware, contains the same domain patterns, and the same obfuscation tactics.

To protect websites against these exploits, c/side advises IT teams to audit their source code, and block malicious domains, or use firewall rules for zuizhongjs[.]com,

p11vt3[.]vip, and associated subdomains. They should also monitor logs for unexpected outgoing requests to these domains, check for unauthorized modifications, restrict scripts to only trusted domains with a well-defined CSP, and frequently scan the sites with tools like PublicWWW or URLScan.

Polyfill attack redirected victims to gambling sites to carry out supply chain attack
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.