All Internet users have, at least once in their lives, seen the standard “Account Suspended” page.
That’s because it’s part and parcel of cPanel, one of the most used web hosting control panels in the world.
“Visitors to a site are redirected to this screen for one of many reasons ranging from the site owner’s failure to pay for his hosting, violating the Terms and Conditions, or perhaps exceeding their allocated bandwidth,” Malwarebytes’ researcher Jerome Segura explains.
None of these reasons should worry users. A recently discovered malware delivery campaign, however, is reason to be wary: it uses this familiar sight to hide the fact that an exploit kit is exploiting vulnerabilities on visitors’ computers and quietly delivering malware to them.
This particular campaign has targeted at least one legitimate site, and the attackers have injected malicious code within the aforementioned page. The code redirects visitors to another URL where the Fiesta exploit kit is hosted, which then tries to detect and exploit several vulnerabilities in various software. If it succeeds, the visitors are saddled with a still poorly detected variant of the Zusy (Tinba) banking Trojan.
The main goal for malware peddlers is to deliver malware to users, but another equally important objective is to do so in a way that does not arouse any suspicion and does not spur users to check their machines for malware. This particular approach seems like it could be very successful in both respects.
“This case is a reminder not to trust a book by its cover and always exercise caution. Attackers were clever to hide the malicious redirect code where they did because they might trick someone into brushing off the site as ‘already terminated by the hosting provider’, when in fact it’s not,” Segura notes.
“Many sites that were once used to distribute malware and have been suspended will sport that kind of page. One would assume that the site would now be harmless, since the hosting provider has already taken action. If you aren’t looking at the URL carefully (the suspended page should be displayed at the root of the domain) and assume so, you might just run into a case where the site is actually fully compromised and still active.”
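A defender-side check in the spirit of Segura’s advice, added here as an example and not code from the article or from Malwarebytes: it flags a suspension notice that is served somewhere other than the domain root, or that loads or redirects to an off-domain URL, which a genuine static notice has no reason to do. The sample HTML and the hostnames in it are constructed for illustration.

```python
"""Flag cPanel-style "Account Suspended" pages that carry an injected
off-site redirect or that are served off the domain root.  Sample HTML
below is constructed; ek.example.invalid is a placeholder, not a real IoC."""
import re
from urllib.parse import urlparse

SUSPENDED_MARKER = re.compile(r"account\s+suspended", re.I)
# Constructs that can pull a visitor (or a payload) from another host.
REDIRECT_PATTERNS = [
    re.compile(r"<(?:iframe|script)[^>]+src=[\"']?(https?://[^\"'\s>]+)", re.I),
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh[^>]+url=(https?://[^\"'\s>]+)", re.I),
    re.compile(r"(?:window\.)?location(?:\.href)?\s*=\s*[\"'](https?://[^\"']+)", re.I),
]

def external_redirects(html, page_url):
    """Return URLs the page loads or redirects to that live on another host."""
    host = urlparse(page_url).hostname
    found = []
    for pat in REDIRECT_PATTERNS:
        for m in pat.finditer(html):
            target = m.group(1)
            if urlparse(target).hostname != host:
                found.append(target)
    return found

def assess_suspended_page(html, page_url):
    """Return findings for a suspension notice; [] means it looks like
    an ordinary static notice (or is not a suspension notice at all)."""
    findings = []
    if not SUSPENDED_MARKER.search(html):
        return findings
    path = urlparse(page_url).path
    if path not in ("", "/"):
        findings.append(f"suspension notice served at non-root path {path!r}")
    for target in external_redirects(html, page_url):
        findings.append(f"off-site load/redirect to {target}")
    return findings

# Constructed samples: a genuine notice, and one with an injected hidden iframe.
CLEAN_HTML = ("<html><body><h1>Account Suspended</h1>"
              "<p>Contact your hosting provider.</p></body></html>")
INJECTED_HTML = CLEAN_HTML.replace(
    "</body>",
    '<iframe src="http://ek.example.invalid/f" width="1" height="1"></iframe></body>')

if __name__ == "__main__":
    print(assess_suspended_page(CLEAN_HTML, "http://victim.example/"))
    print(assess_suspended_page(INJECTED_HTML, "http://victim.example/blog/"))
```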