Malicious web redirect scripts stealth up to hide on hacked sites
Security researchers looking at more than 10,000 scripts used by the Parrot traffic direction system noticed an evolution marked by optimizations that make malicious code stealthier against security mechanisms.
The operators behind Parrot sell the traffic to threat actors, who use it on users visiting infected sites for profiling and redirecting relevant targets to malicious destinations such as phishing pages or locations that deliver malware.
Unit 42 analyzed 10,000 Parrot landing scripts collected between August 2019 and October 2023.
Parrot's landing scripts help with user profiling and force the victim's browser to fetch a payload script from the attacker's server, which carries out the redirection.
According to the researchers, the scripts used in the Parrot TDS campaigns are identified by specific keywords in the code, including 'ndsj,' 'ndsw,' and 'ndsx.'
Unit 42 noticed that most infections in the examined sample have moved to the most recent version of the landing script, accounting for 75% of the total, with 18% using the previous version, and the remainder running older scripts.
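For site owners, the keywords the researchers name can drive a first-pass sweep of a web root. The following is an added example, not code from Unit 42 or the article; it assumes the keywords appear as standalone identifier tokens and that the file extensions listed are where injected script would sit, and a hit is a lead for manual review rather than proof of infection.

```python
import re
import sys
from pathlib import Path

# Keywords the article names as identifying Parrot TDS landing scripts.
PARROT_KEYWORDS = ("ndsj", "ndsw", "ndsx")

# Assumption: the keywords occur as whole identifier tokens, so reject matches
# embedded in a longer identifier to cut false positives.
_IDENT = r"A-Za-z0-9_$"
_TOKEN = re.compile(
    rf"(?<![{_IDENT}])({'|'.join(PARROT_KEYWORDS)})(?![{_IDENT}])"
)

def find_markers(source_text):
    """Return [(line_number, keyword), ...] for each marker token found."""
    hits = []
    for lineno, line in enumerate(source_text.splitlines(), start=1):
        for match in _TOKEN.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits

def scan_webroot(root, suffixes=(".js", ".htm", ".html", ".php")):
    """Map each file under root that contains a marker to its hits.

    The suffix list is an assumption; widen it to match the site's stack.
    """
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            # errors="replace" keeps the sweep going on mixed encodings.
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_markers(text)
            if hits:
                report[str(path)] = hits
    return report

# Constructed samples for illustration; neither is real Parrot code.
SAMPLE_CLEAN = "var bandsw_count = 1;\nfunction landsj() {}\nvar ndsx2 = 0;\n"
SAMPLE_FLAGGED = "var a = 1;\nif (ndsw === undefined) { var ndsj = true; }\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for file_path, file_hits in scan_webroot(target).items():
        for lineno, keyword in file_hits:
            print(f"{file_path}:{lineno}: marker '{keyword}'")
```

Minified files report every hit on line 1, so review the whole file when one is flagged.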