Hacked sites range from small firms to multinational corporations, and they all use different technology stacks and hosting, making it difficult to identify a common attack vector. One of the few “common denominators” is that most of the compromised resources are hosted in China or another country, but are intended for Chinese users.

what is known

Attackers inject malicious JavaScript into compromised sites, often by connecting to the target server using their original FTP credentials. Moreover, experts have not been able to find out exactly how the criminals obtained them.

In most cases, these were automatically generated trusted FTP credentials, but the attackers were somehow able to obtain them and use them to take over the site.
– say researchers.

The report also states that URLs hosting malicious JavaScript are geo-restricted, so the code is only executed in some countries in East Asia.

In addition, experts found signs that this campaign targets Android devices as well. In similar cases redirect script takes visitors to gaming sites that ask them to install a custom app.

It is still unclear exactly which group is behind these attacks and what their aims are. A notable aspect of these attacks is that they are not phishing, web crawling or malware. One theory suggests that the hackers’ goal is ad fraud and SEO manipulation. It’s also possible that it’s a matter of attracting inorganic traffic to certain sites.

“We’re still not sure how attackers accessed so many sites, and we have yet to discover partnerships between affected resources beyond the use of FTP. While it’s unlikely that attackers are exploiting some kind of 0-day vulnerability (experts have given it due to the obviously low complexity of the attacks), no such option is available. cannot be completely ignored.”