Fake Social Button Plug-in Redirects To Exploit Kit, Warns Malwarebytes

Security specialist Malwarebytes has warned of fake social button plug-ins on compromised websites, that is redirecting users to the damaging Angler exploit kit.

The vendor said it has come across several instances of the fake social button plug-in on hacked websites that utilise the Joomla and WordPress content management systems (CMS).

New Redirection Vector

“Compromised websites remain one of the surefire ways to redirect innocent visitors to exploit kits,” blogged Malwarebytes. “During the past few days we’ve started seeing an unusual route to the  infamous Angler EK, notorious for leveraging hacked WordPress and Joomla CMSs.”

The hacker typically inserts a malicious JavaScript into the website’s source code.

Malwarebytes said this attack uses a domain name to lure website owners into thinking this is part of social plugins or such widget: socialbutton[.]site. “Those buttons typically allow users to ‘Like” or retweet an article easily from the website they are visiting,” it said, meaning that webmasters could be fooled when checking over the source code.

“We spotted two different JavaScript files (analytics.js and widget.js) and for each there is a clean version and a malicious one,” it said. “You are served the clean version if you browse directly to the JS without the proper referer (compromised upper site).”

Malwarebytes said that the malicious version of the code will redirect users (via a series of intermediary points) until they eventually land on a webpage hosting the Angler exploit kit.

It said the unlucky user lands there, Angler will execute malicious routines and deliver the Bedep click-fraud malware. Users of out-of-date web browsers or plug-ins are particularly at risk.

Malwarebytes warned website owners to look out for the malicious code.

“If you are a website owner, it is critical that you maintain your platform up-to-date to avoid being used as a springboard for malware,” it said. “All cases we saw with this campaign were sites that were outdated and breached via automated attacks.”

Malvert Threats

In March Malwarebytes discovered a major malvertising attack that hit a number of the world’s top publishing sites, including big names such as the BBC, AOL and MSN.

That attack had installed potentially harmful adverts that could install ransomware or other malware on unsuspecting users’ devices if clicked on.

Many of those attacks used the Angler exploit kit, which targets vulnerabilities in Microsoft Silverlight and Adobe Flash to hijack adverts to download and install harmful software including ransomware when activated.

And we in the UK should be worried.

Previous research from Malwarebytes found that the UK is the world’s third-largest market for malvertising infections, behind only the US and Canada.

What do you know about Internet security? Find out with our quiz!

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago