Hackers are hijacking sites built with WordPress to display fake DDoS-protection pages. Those who visit these sites see a pop-up that masquerades as a Cloudflare DDoS-protection service. But once they click the prompt, the pop-up will download a malicious ISO file to their PC.
The attack exploits the fact that DDoS-protection pages sometimes appear on websites you try to visit, in a bid to stop bots and other malicious web traffic from bombarding the website and taking the service down. Visitors are required to solve a CAPTCHA test to prove they’re human.
Specifically, the fake DDoS-protection pages will download a file called “security_install.iso” to the victim’s computer. The WordPress site will then serve up an additional pop-up window that asks the user to install the ISO file to obtain a verification code.
“What most users do not realize is that this file is in fact a remote access trojan, currently flagged by 13 security vendors at the time of writing this article,” Martin said. This means the trojan can pave the way for a hacker to remotely take over a victim’s computer.
According to antivirus provider Malwarebytes, the ISO file is actually malware called NetSupport RAT (remote access trojan), which has been used in ransomware attacks. The same malicious program can also install RaccoonStealer, which is capable of lifting passwords and other user credentials from an infected PC.
The incident is a reminder to be on guard when your PC’s browser downloads a mysterious file, even from a seemingly legitimate web security service. “Malicious actors will take whatever avenues are available to them to compromise computers and push their malware onto unsuspecting victims,” Martin added.