Bogus URL Shorteners Go Mobile-Only in AdSense Fraud Campaign

Since September 2022, our team has been tracking a bogus URL shortener redirect campaign that started with just a single domain: ois[.]is. By the beginning of 2023, this malware campaign had expanded to over a hundred domain names used to redirect traffic to low-quality Q&A sites and monetize it via Google AdSense. In fact, since the beginning of this year alone, Sucuri’s remote website scanner has detected various strains of this malware on over 24,000 websites.


During a recent analysis, one of our security analysts, Puja Srivastava, provided details on some new variants of this malware campaign. So, let’s take a look at some examples of this malware, highlight some recent changes seen in these latest variants, and identify how the attacker’s code has evolved to target mobile users.


Spring 2023 variant: Script tags pointing to 90+ short domains


Since Ben Martin’s last post in February 2023, the malware injections have seen a few noticeable changes. In the spring of 2023, attackers started using script tags pointing to external scripts hosted on their short domains instead of directly injecting obfuscated JavaScript code.



According to the data in our latest SiteCheck Report, our external malware scanner has detected these scripts from 93 different bogus URL shortener domains on a total of 6,105 websites since the beginning of 2023.
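
Because this variant loads its payload through ordinary script tags, a site owner can check rendered pages for external scripts served from known campaign domains. The following is an added example, not Sucuri's scanner code: the blocklist holds only ois[.]is (the one domain named here), and the sample page, its paths and the `cdn` subdomain are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Only campaign domain named on this page, kept defanged; extend from your own feed.
DEFANGED = ["ois[.]is"]
BLOCKLIST = {d.replace("[.]", ".").lower() for d in DEFANGED}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src.strip())


def script_host(src):
    """Lowercase host of a script URL; None for same-site relative paths."""
    # urlsplit also handles protocol-relative URLs such as //host/x.js
    host = urlsplit(src).hostname
    return host.rstrip(".") if host else None


def is_blocklisted(host, blocklist=BLOCKLIST):
    """True for a listed domain or any subdomain of it (not look-alike suffixes)."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def find_flagged_scripts(html, blocklist=BLOCKLIST):
    """Return (host, src) for each external script served from a listed domain."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = [(script_host(s), s) for s in parser.sources]
    return [(h, s) for h, s in hits if h and is_blocklisted(h, blocklist)]


# Constructed sample page; paths and the subdomain are made up for the demo.
SAMPLE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://OIS[.]is/example.js"></script>
<script src="//cdn.ois[.]is/a.js" async></script>
<script src="https://notois[.]is/x.js"></script>
<script>var inline = 1;</script>
</head></html>""".replace("[.]", ".")

if __name__ == "__main__":
    for host, src in find_flagged_scripts(SAMPLE):
        print(f"flagged: {src} (host {host})")
```

A check like this only sees script tags present in the HTML it is given, so it will not catch the earlier variants that inject obfuscated JavaScript directly.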


May 2023 variant: style.wp.includes.js and style.public.html.js


In late May ..
