Fake DDoS protection pages are delivering malware!

Malware peddlers are exploiting users’ familiarity with and inherent trust in DDoS protection pages to make them download and run malware on their computer, Sucuri researchers have warned.


Hidden malware and fake DDoS protection

DDoS protection pages have become so common that users rarely think twice about doing what those pages tell them to do to get website access. This state of affairs is being exploited by clever malware peddlers.

Visitors to WordPress sites that have been hacked and injected with specially crafted JavaScript are faced with the fake “Cloudflare DDoS protection” page, which tells them to download the security_install.iso – ostensibly a security application.

Once they do that, they are instructed to run it and enter the “personal verification code” they receive from it into the fake page.
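A site owner who suspects this kind of injection can check their WordPress theme and plugin files for the lure's hallmarks. The scanner below is an added example, not code from Sucuri or from the article; its indicators are limited to what the article describes (a fake "Cloudflare DDoS protection" page, a prompt to download security_install.iso, and a "verification code" to type back in), and the sample files it scans are constructed for the demonstration. The key check is the combination: a real browser challenge page never asks the visitor to download a file, so a page signal plus a download signal in the same file is what gets flagged.

```python
"""
Scan a WordPress tree for injected JavaScript that builds a fake
"DDoS protection" page pushing an .iso download.

Added example; heuristics below are assumptions drawn from the lure the
article describes, not a vendor signature. Sample files are constructed.
"""
import re
import tempfile
from pathlib import Path

# Indicator regexes (assumption: these reflect the described lure).
INDICATORS = {
    "iso_download": re.compile(r"\.iso\b", re.IGNORECASE),
    "security_install": re.compile(r"security_install", re.IGNORECASE),
    "fake_ddos_page": re.compile(r"DDoS\s+protection", re.IGNORECASE),
    "verification_code": re.compile(r"verification\s+code", re.IGNORECASE),
}

# A legitimate challenge page never asks for a download: require one
# "download" signal plus one "page" signal before flagging a file.
DOWNLOAD_SIGNALS = {"iso_download", "security_install"}
PAGE_SIGNALS = {"fake_ddos_page", "verification_code"}

# File types where injected markup/JS would live in a WordPress install.
SCAN_SUFFIXES = {".php", ".js", ".html"}


def scan_text(text):
    """Return the set of indicator names present in one file's contents."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def is_suspicious(hits):
    """True only when download and page signals co-occur in one file."""
    return bool(hits & DOWNLOAD_SIGNALS) and bool(hits & PAGE_SIGNALS)


def scan_tree(root):
    """Walk a directory; return {relative_path: sorted hits} for suspicious files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file; skip rather than abort the scan
        hits = scan_text(text)
        if is_suspicious(hits):
            findings[str(path.relative_to(root))] = sorted(hits)
    return findings


# Constructed sample site (not real malware): one clean theme file, one
# footer carrying an injected script that mimics the lure, one .txt that
# mentions the file name but is not a scanned type.
SAMPLE_FILES = {
    "wp-content/themes/demo/header.php": "<?php wp_head(); ?>\n<h1>Hello</h1>\n",
    "wp-content/themes/demo/footer.php": (
        "<?php wp_footer(); ?>\n"
        "<script>\n"
        "document.body.innerHTML = '<h2>Cloudflare DDoS protection</h2>'"
        " + '<p>Download security_install.iso, run it, and enter the"
        " verification code below.</p>';\n"
        "</script>\n"
    ),
    "wp-content/plugins/demo/readme.txt": "security_install.iso is mentioned here only.\n",
}


def build_sample_site():
    """Write the constructed sample tree to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, hits in scan_tree(site).items():
        print(f"SUSPICIOUS {rel}: {', '.join(hits)}")
```

Run it against a real install by calling `scan_tree("/var/www/html")` instead of the constructed tree; a hit is a reason to diff the file against a clean copy of the theme or plugin, since attackers can trivially rename the ISO and reword the page text to evade these string patterns.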


The .iso file does contain a verification code, but it also leads to the covert installation of a remote access trojan (NetSupport RAT) and an infostealer (RaccoonStealer).

“The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious “slave” network, extort the computer owner, and violate their privacy — all depending on what the attackers decide to do with the compromised device,” Sucuri security analyst Ben Martin explained.

How to protect yourself

The malicious .iso file is already being detected by a growing number of AV solutions, but attackers can easily swap it for a new one that will pass undetected (at least for a short while).

Users are advised to regularly update their operating system and software, to refrain from downloading and opening "strange" files (a genuine DDoS protection or browser-check page never requires a download), and to look into using a script-blocking browser extension.
