Attack drags thousands of internet users into password-cracking botnet


Attackers have transformed hundreds of hacked sites running WordPress software into command-and-control servers that force visitors' browsers to perform password-cracking attacks.

A web search for the JavaScript that carried out the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago. Denis Sinegubko, the researcher who spotted the campaign, said at the time that he had seen thousands of visitor computers running the script, which caused them to reach out to thousands of domains in an attempt to guess the passwords of usernames with accounts on them.

Visitors involuntarily recruited

"This is how thousands of visitors across hundreds of infected websites unknowingly and simultaneously try to brute force thousands of other third-party WordPress sites," Sinegubko wrote. "And since the requests come from the browsers of real visitors, you can imagine this is a challenge to filter and block such requests."

Like the hacked websites hosting the malicious JavaScript, all the targeted domains are running the WordPress content management system. The script, just 3 kilobits in size, reaches out to an attacker-controlled getTaskUrl, which in turn provides the name of a specific user on a specific WordPress site, along with 100 common passwords. When this data is fed into the browser visiting the hacked site, it attempts to log in to the targeted user account using the candidate passwords. The JavaScript operates in a loop, requesting tasks from the getTaskUrl, reporting the results to the completeTaskUrl, and then performing the steps again and again.

A fragment of the hosted JavaScript appears below, and below that, the resulting task:

const getTaskUrl = 'hxxps://dynamic-linx[.]com/getTask.php';
const completeTaskUrl = 'hxxps://dynamic-linx[.]com/completeTask.php';

…

[871,"https://REDACTED","redacted","60","junkyard","johncena","jew","jakejake","invincible","intern","indira","hawthorn","hawaiian","hannah1","halifax","greyhound","greene","glenda","futbol","fresh","frenchie","flyaway","fleming","fishing1","finally","ferris","fastball","elisha","dog","desktop","dental","delight","deathrow","ddddddd","cocker","chilly","chat","casey1","carpenter","calimero","calgary","broker","breakout","bootsie","bonito","black123","bismarck","bigtime","belmont","barnes","ball","baggins","arrow","alone","alkaline","adrenaline","abbott","987987","3333333","123qwerty","000111","zxcv1234","walton","vaughn","try again","trent","thatcher","templar","stratus","status","sampede","small","sin","silver1","signal","shakespeare","selene","scheisse","sayonara","santacruz","sanity","rover","roswell","reverse","redbird","poppop","pompon","pollux","pokerface","passions","papers","option","olympus","oliver1","notorious","nothing1","norris","nicole1","necromancer","unnamed","mysterio","my life","muslim","monkey12","mitsubishi"]

With 418 password batches as of Tuesday, Sinegubko has concluded the attackers are trying 41,800 passwords against each target site.
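An added example, not part of the original article or of Sinegubko's research: because the guesses arrive from many real visitors' browsers, a per-IP rate limit on the targeted site can stay silent while a single account absorbs a large number of failures. The Python code below contrasts a per-IP counter with a per-account counter over constructed failed-login events; the event format, thresholds and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed logins: (ISO time, client IP, username).
# 30 visitor browsers each fail 3 times against "editor"; "bob" mistypes twice.
SAMPLE_EVENTS = [
    ("2024-01-01T10:%02d:%02d" % (3 * j, i), "198.51.100.%d" % (i + 1), "editor")
    for i in range(30) for j in range(3)
] + [("2024-01-01T10:01:00", "203.0.113.7", "bob"),
     ("2024-01-01T10:02:00", "203.0.113.7", "bob")]

def _parse(events):
    return sorted((datetime.fromisoformat(t), ip, user) for t, ip, user in events)

def per_ip_offenders(events, window=timedelta(minutes=10), limit=5):
    """Classic per-source limit: IPs with more than `limit` failures in `window`."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, _user in _parse(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(ip)
    return flagged

def per_account_targets(events, window=timedelta(minutes=10),
                        max_failures=20, min_ips=10):
    """Accounts with more than `max_failures` failures in `window` coming from
    at least `min_ips` distinct sources. Returns {user: (peak failures, peak IPs)}."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip, user in _parse(events):
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:
            q.popleft()
        ips = {src for _, src in q}
        if len(q) > max_failures and len(ips) >= min_ips:
            prev = flagged.get(user, (0, 0))
            flagged[user] = (max(prev[0], len(q)), max(prev[1], len(ips)))
    return flagged

if __name__ == "__main__":
    print("per-IP offenders:", per_ip_offenders(SAMPLE_EVENTS))
    print("targeted accounts:", per_account_targets(SAMPLE_EVENTS))
```

On the constructed sample no single IP crosses the per-IP limit, while the per-account view reports "editor" with 90 failures from 30 sources and ignores the ordinary mistyped logins for "bob".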

Sinegubko wrote:

Attack stages and lifecycle

The attack consists of five key stages that allow a bad actor to leverage already compromised websites to launch distributed brute force attacks against thousands of other potential victim sites.

Stage 1: Obtain URLs of WordPress sites. The attackers either crawl the Internet themselves or use various search engines and databases to get lists of target WordPress sites.

Stage 2: Extract author usernames. Attackers then scan the target sites, extracting real usernames of authors that post on those domains.

Stage 3: Inject malicious scripts. Attackers then inject their dynamic-linx[.]com/chx.js script into websites that they have already compromised.

Stage 4: Brute force credentials. As normal site visitors open infected web pages, the malicious script is loaded. Behind the scenes, the visitors' browsers conduct a distributed brute force attack...
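For owners of sites that may be carrying the injection described in the third item above, an added example (not from Sinegubko's write-up or the article): a Python check that parses a page's HTML and reports script tags or inline script code referencing the dynamic-linx[.]com host named on this page. The sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator host from this page, kept defanged in source and refanged at runtime.
HOST = "dynamic-linx[.]com".replace("[.]", ".")
INDICATOR_HOSTS = {HOST}

# Constructed sample page: a local script, an injected tag, a dynamic loader,
# and a look-alike file name on an unrelated host (must not be flagged).
SAMPLE_PAGE = (
    "<html><head>\n"
    "<script src='/wp-includes/js/jquery.js'></script>\n"
    "<script src='//%s/chx.js'></script>\n"
    "<script>var s=document.createElement('script');"
    "s.src='https://%s/chx.js';</script>\n"
    "<script src='https://example.org/lib/%s.js'></script>\n"
    "</head><body>post</body></html>"
) % (HOST.upper(), HOST, HOST)

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.inline.append("")          # one buffer per script element
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data         # script bodies may arrive in chunks

def find_injected_scripts(html, hosts=INDICATOR_HOSTS):
    """Return (kind, detail) hits for scripts that load from an indicator host."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for src in parser.srcs:
        host = (urlsplit(src.strip()).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in hosts):
            hits.append(("script-src", src))
    for code in parser.inline:
        if any(h in code.lower() for h in hosts):
            hits.append(("inline-reference", code.strip()[:80]))
    return hits
```

Matching on the parsed host rather than on a substring of the URL is what keeps the look-alike file on example.org out of the results.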
