Hackers Using Fake DDoS Protection Pages to Distribute Malware
2022-08-24 12:12

WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer.

"A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin said in a write-up published last week.

Distributed denial-of-service (DDoS) protection pages are essential browser verification checks designed to deter unwanted and malicious bot-driven traffic from eating up bandwidth and taking down websites.

The new attack vector involves hijacking WordPress sites to display fake DDoS protection pop-ups that, when clicked, ultimately lead to the download of a malicious ISO file onto the victim's system.

While the installer does display a verification code to maintain the ruse, in reality, the file is a remote access trojan called NetSupport RAT, which is linked to the FakeUpdates malware family and also covertly installs Raccoon Stealer, a credential-stealing trojan available for rent on underground forums.

An IRS-themed phishing campaign detailed by Cofense and Walmart Global Tech involved utilizing fake CAPTCHA puzzles on websites to deliver the same malware.


News URL

https://thehackernews.com/2022/08/hackers-using-fake-ddos-protection.html