Fake social button code on websites attacks visitors via the Angler exploit kit

You won’t like this.

David Bisson


Researchers have spotted fake social buttons plugins that attackers are using to compromise websites and redirect visitors to the Angler exploit kit.

Jérôme Segura, a senior security researcher for Malwarebytes, has seen everything from malvertising campaigns to mischievous tech support scams.

But new threats are always emerging.


Case in point: in a post on his company’s blog, the researcher writes that the latest Angler infection campaign isn’t your typical redirect from hacked websites running outdated versions of WordPress and Joomla. There isn’t even a direct injection of a landing URL for the exploit kit inside the compromised site’s source code.

“Rather, this one uses a domain name used to lure website owners into thinking this is part of social plugins or such widget: socialbutton[.]site. Those buttons typically allow users to ‘Like’ or retweet an article easily from the website they are visiting.”


The infection process proceeds as follows. A malicious actor compromises a website. Instead of injecting an Angler URL into the site’s source code, they inject a malicious JavaScript call along the lines of http://social-button[.]site/analytics.js.

At first glance, a site owner might think they are looking at a social sharing plugin’s JavaScript file. Users who access the file directly will not even trigger the malicious content, and will be served a clean version of the code instead.

It’s when someone pays a visit to the compromised website that the malicious code activates and takes the visitor from one intermediary stop to the next until arriving at their final destination: a landing page for the Angler exploit kit.

Clean vs malicious

In this particular campaign, Angler loads up Bedep, malware that can download other types of malware. Who knows? It might decide to begin dropping CryptXXX and other forms of ransomware.

This might be a unique twist on the Angler redirect, but one thing remains the same: attackers compromising outdated websites to prey upon unsuspecting users.

With that in mind, site owners should take extra precautions to make sure their content management systems (CMSs) and websites are up-to-date with the latest patches.
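Because the injected script returns clean code when fetched directly, reviewing the file itself is not a reliable check; auditing which hosts a page loads scripts from is. The following is an added example, not code from the original article or from Malwarebytes: the page URL, the allowlist and the sample HTML are constructed, and the `example` hosts are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical values for illustration: the site's own URL and the script
# hosts its owner knowingly uses.
PAGE_URL = "https://www.example.com/blog/post.html"
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

# Constructed sample page: one first-party script, one approved CDN script,
# and one injected tag posing as a social/analytics widget.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example.com/lib/share.min.js"></script>
<script type="text/javascript" src="http://social-widget.example.net/analytics.js"></script>
</head><body><script>var inline = 1;</script></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped
                self.sources.append(src.strip())


def unexpected_script_hosts(html, page_url, allowed_hosts):
    """Return (host, absolute_url) pairs for scripts loaded from hosts
    outside the allowlist, resolving relative and protocol-relative URLs."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)
        host = (urlsplit(absolute).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append((host, absolute))
    return findings


if __name__ == "__main__":
    for host, url in unexpected_script_hosts(SAMPLE_HTML, PAGE_URL, ALLOWED_SCRIPT_HOSTS):
        print(f"unexpected script host: {host} ({url})")
```

Run against the rendered HTML of each template or page type, since an injected tag may sit in a shared header or footer rather than in the post body.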

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
