More Fake jQuery sites (opens in new tab)

(labs.sucuri.net)

31 pointsdavedd13y ago12 comments

12 comments

I wonder how the links to these fake sites are injected into the infected sites in the first place. Is it through some other vulnerability and the fake sites are mainly needed to make the hack less obvious for a human auditing the code?

Or do they hope that somebody finds the fake jQuery site on Google or through a typo in the URL and then includes their fake JavaScript file instead? That seems unlikely to me.

pav3l13y ago

>We keep seeing fake jQuery sites popping up and being used to distribute malware.

Anyone has more info? What kind of malware? I'm assuming client side? Any 0-days? Unsurprisingly, both websites are blocked at where I am.

leoedin13y ago

I think the particularly interesting thing about this isn't the malware in question, but the vector they're using to distribute it. Almost every HTML page written in the last 5 years has jquery included somewhere, and so they're clearly trying to provide a redirection (or script-injection) vector which would pass a glance over the site code. If you run a website and have a breach it's worth being aware of during the code inspection you'd have to make.

VMG13y ago

Previously, jquery.it: http://news.ycombinator.com/item?id=2734138

leeoniya13y ago

a funny one: http://jqueery.com - click around :D

hfsktr13y ago

I thank you very very much for that. Whenever I feel down I know where to get a laugh. The song just makes it better.

Zirro13y ago

"window.top.location.href = "httx://www.jqueryc.com"

Is the "httx" a mistake by the malware-authors or Sucuri Malware Labs? I find the second option more likely.

jimwhitson13y ago

I suspect they've done it deliberately, to avoid having a malware link on their site. With the link as given, a reader would have to consciously change the 'x' for a 'p' to visit it, making it unlikely that anyone would do it accidentally.

Zirro13y ago

That makes sense, and would also explain why they chose to put it in a <textarea>, I suppose. Still, it feels as if the apparent intended audience would be aware of the risks without them having to go through the trouble.

1 more reply

Eduard13y ago

As used in this article, what does TDS mean?

hfsktr13y ago

The best acronym I was able to find (fits with the multiple redirects) is: Traffic Distribution System.

j / k navigate · click thread line to collapse

12 comments

Hopka13y ago

Or do they hope that somebody finds the fake jQuery site on Google or through a typo in the URL and then includes their fake JavaScript file instead? That seems unlikely to me.

pav3l13y ago

>We keep seeing fake jQuery sites popping up and being used to distribute malware.

Anyone has more info? What kind of malware? I'm assuming client side? Any 0-days? Unsurprisingly, both websites are blocked at where I am.

leoedin13y ago

VMG13y ago

Previously, jquery.it: http://news.ycombinator.com/item?id=2734138

leeoniya13y ago

a funny one: http://jqueery.com - click around :D

hfsktr13y ago

I thank you very very much for that. Whenever I feel down I know where to get a laugh. The song just makes it better.

Zirro13y ago

"window.top.location.href = "httx://www.jqueryc.com"

Is the "httx" a mistake by the malware-authors or Sucuri Malware Labs? I find the second option more likely.

jimwhitson13y ago

Zirro13y ago

1 more reply

Eduard13y ago

As used in this article, what does TDS mean?

hfsktr13y ago

The best acronym I was able to find (fits with the multiple redirects) is: Traffic Distribution System.

j / k navigate · click thread line to collapse