A group of hackers has been using fake DDoS protection pages to trick unsuspecting users into installing malware, according to GoDaddy-owned cybersecurity firm Sucuri.
Hackers are hijacking WordPress sites to display fake DDoS protection pages. Visitors to a compromised site see a pop-up that masquerades as a Cloudflare DDoS protection check, but clicking on the message downloads a malicious ISO file to their PC.
The attack abuses users' familiarity with legitimate DDoS protection pages, which some websites show before loading to filter out bots and other malicious traffic that could overwhelm the site and take it down. On a genuine page, visitors must solve a CAPTCHA test to prove they are human.
Specifically, fake DDoS protection pages will download a file named “security_install.iso” on the victim’s computer. The WordPress site will display an additional popup asking the user to install the ISO file to get a verification code.
“What most users don’t realize is that this file is, in fact, a remote access Trojan, currently flagged by 13 security vendors at the time of this writing,” said Martin. This means that the Trojan can pave the way for a hacker to remotely take over a victim’s computer.
According to antivirus vendor Malwarebytes, the ISO file is actually malware called NetSupport RAT (Remote Access Trojan), which has been used in ransomware attacks. The same malicious program can also install Raccoon Stealer, which is capable of recovering passwords and other user credentials from an infected PC.
The incident is a reminder to be vigilant when your PC’s browser downloads a mysterious file, even from a seemingly legitimate web security service. “Malicious actors will take any avenue available to compromise computers and deliver their malware to unsuspecting victims,” Martin added.