Fake DDoS-Protection Pages on WordPress Sites Serve Up Malware

A group of hackers has been using fake DDoS-protection pages to trick unsuspecting users into installing malware, according to GoDaddy-owned cybersecurity firm Sucuri. 

Hackers are hijacking sites built with WordPress to display the fake DDoS-protection pages. Visitors to a compromised site see a pop-up that masquerades as a Cloudflare DDoS-protection check. Once they click the prompt, the page downloads a malicious ISO file to their PC.

The attack abuses users' familiarity with the interstitial pages that DDoS-protection services sometimes show before a site loads, in a bid to stop bots and other malicious traffic from bombarding the site and taking it down. On a genuine interstitial, visitors are asked to solve a CAPTCHA to prove they're human, and nothing is downloaded.

[Image: Bogus DDoS protection page (Credit: Sucuri)]

In this case, the hackers serve up the fake DDoS-protection pages by injecting a line of JavaScript into the hijacked WordPress sites. "Since these types of browser checks are so common on the web many users wouldn't think twice before clicking this prompt to access the website they're trying to visit," Sucuri security researcher Ben Martin wrote in a blog post.

Specifically, the fake DDoS-protection page downloads a file called "security_install.iso" to the victim's computer. The compromised WordPress site then serves up an additional pop-up that instructs the user to open the ISO and run the installer inside it to obtain a "verification code."
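Because the injection described above is one extra line appended to an existing JavaScript file on the compromised site, the most reliable way for a site owner to catch it is to hash the install's JavaScript files against a known-good baseline and, as a second pass, grep them for strings a fake "browser check" needs. The scanner below is an added example written for this article, not Sucuri's or WordPress's own code. It assumes a standard WordPress directory layout; only the `security_install.iso` filename comes from the article, and the other indicator patterns (a Cloudflare/DDoS banner, `eval(atob(...))` packing) are assumed heuristics. The sample site tree and the appended "injection" are constructed in a temporary directory so the script runs offline.

```python
"""Baseline-hash plus indicator scan for injected JavaScript in a WordPress tree.

Added example, not Sucuri's or WordPress's code. Only the ISO filename comes
from the article; the other indicator patterns are assumptions.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators a fake DDoS/Cloudflare interstitial would need. Assumed heuristics
# apart from the .iso download, which is the behaviour the article describes.
INDICATORS = {
    "iso download": re.compile(r"[\w./-]*\.iso\b", re.I),
    "fake cloudflare check": re.compile(
        r"cloudflare.{0,200}(ddos|checking your browser)", re.I | re.S
    ),
    "packed payload": re.compile(r"eval\s*\(\s*(atob|unescape)\s*\("),
}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every .js file under a known-good install; keys are POSIX relative paths."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*.js")}


def scan_tree(root: Path, baseline: dict) -> dict:
    """Return {relative path: [findings]} for .js files that changed since the
    baseline or carry one of the indicator patterns. New files (plugin updates
    add them all the time) are reported only if they also match an indicator."""
    findings = {}
    for p in root.rglob("*.js"):
        rel = p.relative_to(root).as_posix()
        hits = []
        if rel in baseline and sha256_file(p) != baseline[rel]:
            hits.append("hash mismatch")
        text = p.read_text(errors="replace")
        hits.extend(name for name, pat in INDICATORS.items() if pat.search(text))
        if hits:
            findings[rel] = hits
    return findings


def demo() -> dict:
    """Constructed sample: a stub jquery.min.js and a clean theme script are
    baselined, then one line mimicking the fake Cloudflare check is appended to
    jquery.min.js. The appended line is a harmless stand-in, not real malware."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        jquery = root / "wp-includes" / "js" / "jquery" / "jquery.min.js"
        jquery.parent.mkdir(parents=True)
        jquery.write_text("/*! jQuery v3.6.0 */!function(e,t){}(window);\n")
        theme = root / "wp-content" / "themes" / "example" / "theme.js"
        theme.parent.mkdir(parents=True)
        theme.write_text("document.addEventListener('DOMContentLoaded',()=>{});\n")

        baseline = build_baseline(root)  # taken while the install is clean

        # Attacker appends one line that paints a fake DDoS check and forces the
        # ISO download the article describes (constructed stand-in).
        injected = (
            "document.body.innerHTML='<h1>Cloudflare</h1>"
            "<p>DDoS protection: checking your browser</p>';"
            "var a=document.createElement('a');"
            "a.href='/security_install.iso';a.download='';a.click();\n"
        )
        with jquery.open("a") as fh:
            fh.write(injected)

        return scan_tree(root, baseline)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

In practice, build the baseline from a freshly downloaded copy of the same WordPress release and plugin versions rather than from the live server, since the live copy may already be tampered with; the hash mismatch is the dependable signal, and the string indicators are there to prioritise which changed files to open first.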

[Image: Sucuri screenshot of the follow-up pop-up (Credit: Sucuri)]

"What most users do not realize is that this file is in fact a remote access trojan, currently flagged by 13 security vendors at the time of writing this article," Martin said. A remote access trojan gives the attacker remote control of the victim's computer.


According to antivirus provider Malwarebytes, the ISO file carries NetSupport RAT (remote access trojan), which has been used in ransomware attacks. The same malicious program can also install Raccoon Stealer, which lifts passwords and other credentials from an infected PC.

The incident is a reminder to be on guard when your browser downloads a mysterious file, even from a seemingly legitimate web security service. A genuine browser check runs entirely inside the browser; no DDoS-protection service requires you to download and run a file, let alone mount an ISO. "Malicious actors will take whatever avenues are available to them to compromise computers and push their malware onto unsuspecting victims," Martin added.
