A network of websites has been leveraged to distribute malware to victims who search for “cracked” versions of popular business and customer apps, a study shows.
A report published last week by cybersecurity company Sophos reveals that hackers have been exploiting a number of pages hosted on WordPress as bait to distribute a whole assortment of malicious software, including a number of information stealers, ransomware, and click fraud bots.
The exploited pages contain “download” links to software installers that reroute the victims to pages that download different browser plugins, potentially unwanted programs and malware, such as Raccoon Stealer, Stop ransomware, the Glupteba backdoor, as well as a number of cryptocurrency miners that masquerade as antivirus software.
Visitors to these dangerous pages are typically asked to accept notifications, the researchers said, and, if they do, the sites send repeated bogus virus warnings to their screen. By clicking on the warnings, users are led through a succession of websites until they reach a destination that is decided by the type of operating system, the kind of browser and the location of the user.
The researchers also discovered that a number of malware distribution services act as go-betweens, providing a platform for publishers to distribute their malware to existing malware networks, which, in turn, pay publishers for their traffic. One such organization offering compromised software sites is InstallUSD, a Pakistani ad network that has been linked to multiple malware attacks.
According to the report, after affiliates sign up to malware distribution platforms, they must pay in Bitcoin in order to begin creating accounts and start distributing installers. Some underground marketplaces even have guidelines for best practices, including advice on which hosts to use for downloaders, and recommendations on using specific URLs on cloud platforms.
Search engine optimization helps to ensure that when people look for illegal copies of software, the dangerous websites are at the top of the search results, allowing cyber criminals to develop campaigns that are custom-tailored to specific geographical targets.