Researchers have spotted fake social buttons plugins that attackers are using to compromise websites and redirect visitors to the Angler exploit kit.
Jérôme Segura, a senior security researcher for Malwarebytes, has seen everything from malvertising campaigns to mischievous tech support scams.
But new threats are always emerging.
Case in point, in a post on his company’s blog, the researcher writes that the latest Angler infection campaign isn’t your typical redirect from hacked websites running outdated versions of WordPress and Joomla. There isn’t even a direct injection of a landing URL for the exploit kit inside the compromised site’s source code.
“Rather, this one uses a domain name used to lure website owners into thinking this is part of social plugins or such widget: socialbutton[.]site. Those buttons typically allow users to ‘Like’ or retweet an article easily from the website they are visiting.”
It’s when someone visits the compromised website that the malicious code activates and takes the visitor from one intermediary stop to the next until they arrive at their final destination: a landing page for the Angler exploit kit.
In this particular campaign, Angler loads up Bedep, a piece of malware that can download other types of malware. Who knows? It might decide to begin dropping CryptXXX and other forms of ransomware.
This might be a unique twist on the Angler redirect, but one thing remains the same: attackers compromising outdated websites to prey upon unsuspecting users.
With that in mind, site owners should take extra precautions to make sure their content management systems (CMSs) and websites are up-to-date with the latest patches.
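One way a site owner could check pages for this kind of injected "social button" include, as an added example that is not from the original article or from Malwarebytes: list every external script or iframe host on a page and flag any that are not on an allowlist. The allowlist, the example-blog.test site, the sample HTML and the /widget.js path are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed allowlist: hosts this site's owner knowingly loads scripts from.
ALLOWED_HOSTS = {"www.example-blog.test", "platform.twitter.com", "connect.facebook.net"}

# Constructed sample page. The third tag mimics the fake social-button include
# described in the article; the /widget.js path is made up for this example.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script async src="https://platform.twitter.com/widgets.js"></script>
<script src="//SocialButton.site/widget.js"></script>
</head><body><p>Post body</p></body></html>
"""


class SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def unexpected_hosts(html, page_url, allowed=ALLOWED_HOSTS):
    """Return the sorted hosts of script/iframe sources not on the allowlist."""
    collector = SrcCollector()
    collector.feed(html)
    found = set()
    for src in collector.sources:
        # Resolve relative and protocol-relative URLs against the page URL;
        # .hostname is lowercased, so mixed-case hosts still match.
        host = urlsplit(urljoin(page_url, src.strip())).hostname
        if host and host not in allowed:
            found.add(host)
    return sorted(found)


if __name__ == "__main__":
    for host in unexpected_hosts(SAMPLE_HTML, "https://www.example-blog.test/post"):
        print("unexpected script host:", host)
```

A name that sounds like a widget provider is not evidence that it is one, which is why the check compares against hosts the owner actually added rather than matching on keywords such as "social".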