How To Find & Remove Malware on Weebly Sites

How to find and remove malware on Weebly sites

Weebly is an easy-to-use website builder that allows admins to quickly create and publish responsive blogs and sites. Website builder environments are usually considered to be very safe and not prone to malware infections, but during a recent investigation I found some malicious behavior which revealed that even closed proprietary systems for WYSIWYG website builders like Weebly can be abused.

Let’s dive in!

Fake Adobe updates on Weebly website builder

Threat actors are always on the hunt for new attack vectors.  So when I was tasked with investigating a new client who purchased our services after finding some malicious behavior on their Weebly site, my interest was piqued.

The site admin was complaining about unwanted pop-ups and ads that had recently appeared on their homepage. Navigating to their domain immediately revealed the following pop-up:

Fake Adobe software update dialog on Weebly site redirects to ads
Fake Adobe software update dialog redirects to ads

This fake Adobe Flash Player prompt is displayed whenever a user visits the infected Weebly site. Closing the dialog or clicking anywhere on the web page immediately opens a new browser tab with ads.

I poked around in Weebly’s custom theme editor and quickly found the culprit:

Weebly’s code editor, displaying the contents of the header.html file at the top and live preview at the bottom.
Weebly’s code editor, displaying the contents of the header.html file at the top and live preview at the bottom.

Nestled in the header.html file was the following malicious JavaScript files responsible for launching the fake Adobe Flash pop-up on every page load.

  • hxxp://circuitingratitude[.]com/2b/2b/cf/2b2bcfdf41e8054fd6cffb25bfa1103c.js
  • hxxp://circuitingratitude[.]com/0cc5f9c34508562fd68249288d4fc036/invoke.js

Unwanted ads on homepage

A number of new unwanted banner ads had also been placed at the top of the homepage.

Unwanted banner ads found at the top of the Weebly site. 
Unwanted banner ads found at the top of the Weebly site.

I checked for locations where the client (or bad actor) may have added custom code to the website. The header and footer code sections were completely empty.

No custom code in Weebly Settings > SEO > Footer/header 
No custom code in Weebly Settings > SEO > Footer/header

The SEO Settings for the homepage did not contain any obvious custom code, either.

No custom code found in Weebly Pages > [Page name] > SEO Settings
No custom code found in Pages > [Page name] > SEO Settings
It wasn’t until I started poking around in the homepage’s visual WYSIWYG editor that I found the next culprit. A transparent custom HTML code block had been added and edited on the homepage precisely where the ads were found on the live site.

I needed to click on the empty space to reveal the block and its editor options.

Weebly custom HTML module

Clicking on Edit Custom Code uncovered the following script, which had been placed in the invisible block to serve banners for the popular PopCash affiliate ad network.

PopCash affiliate ad network code responsible for unwanted homepage ads
PopCash affiliate ad network.

Nuking this block from the website successfully removed the unwanted ads.

Is Weebly secure?

When you use a closed proprietary system for WYSIWYG website builders like Weebly, you’re relying on their security team to maintain the infrastructure to keep your site safe from hackers. Generally speaking, closed systems are considered less prone to malware infections than do-it-yourself environments. However, if you don’t have your own personal security measures in place, your website and credentials can still be targeted.

In a worst case scenario where an attacker compromises your credentials and gains access to your Weebly site, they’ll be able to plant whatever unwanted scripts and code they want. So be sure to take extra measures to protect your website and passwords.

Weebly security best practices

Here are a number of useful steps you can take to protect your Weebly website from malware and unwanted ads:

  • Use two-factor authentication: Weebly offers 2FA to help users protect their accounts. Ensure you set this up to make it harder for bad actors to brute force or password guess your credentials.
  • Create and maintain strong passwords: If you don’t have your passwords on lockdown, it’s a lot easier for attackers to gain a foothold in your website’s environment. Ensure that you create secure passwords for all of your accounts to help prevent compromise — this is especially important if you use social media accounts to authenticate to your Weebly website.
  • Only buy custom themes from reliable vendors: Hackers are known to exploit third-party extensions and add-ons. Only use reputable apps from the Weebly App Center and research extensions before adding them to your site.
  • Use embed codes from reliable sources: Exercise caution when using embed codes on your website. Only use these elements if you know what you’re doing and trust the source.
  • Don’t upload executables to your website: Protect your website and visitors by restricting the types of files that can be uploaded to your site.
  • Avoid sketchy browser extensions: Bad actors are known to leverage browser extensions to inject unwanted ads and other malicious scripts into WYSIWYG editors. So be cautious when installing browser add-ons.
  • Scan your website regularly for malware: Regularly check your Google Safe Browsing account and scan your website with remote scanning tools like SiteCheck to monitor for malware or malicious behavior.

If you believe your website has been hacked and is displaying unwanted ads or unexpectedly redirecting, we can help. Our experienced security analysts are skilled at website malware removal.

Chat now to get help cleaning up malicious code from your site.

You May Also Like