Cybercriminals attacked several WordPress websites by displaying fake Cloudflare DDoS pop-ups that carried remote access trojan malware. WordPress users were shown pop-ups that suggested downloading an update to protect their system. Once the update was downloaded and installed, the infected files activated the trojan malware on the user’s device and multiple servers. The DDoS (distributed denial of service) messages on WordPress resulted from several JavaScript injections targeting the website.
Malware-infected pages
According to a report by website security and protection platform Sucuri, files injected with trojan malware popped up on the screen while users were using WordPress. The users were asked to open the file to get a verification code to access WordPress. A “personal verification code” was displayed on the screen, and the user was asked to enter it on the site. It was this file that contained the remote access trojan.
The fake Cloudflare DDoS prompts were downloaded in the form of an .iso file. The file installed the NetSupport RAT, which enabled remote access to the system without the user’s knowledge. As per the report, the Raccoon stealer malware was injected to copy passwords, cookies, and autofill data from browsers. Interestingly, the file injected with the remote access trojan was flagged as “malicious” by several security vendors.
How DDoS Attacks impact users
The DDoS pop-ups displayed while trying to access WordPress can impact users in various ways, such as hacking their passwords, taking screenshots of online activities, changing system settings, selling bank details on the dark web, and slowing down entire networks, among others.
Preventive measures against DDoS pop-ups
Keeping all software up to date is one way for users or companies to safeguard their networks from fake DDoS pop-ups or similar DDoS attacks. Not clicking on fake DDoS pop-ups is very important; closing them as they appear is advised. A script blocker may also help block malicious files from running on user devices.