Tech

Wordpress, Joomla domains under attack through jQuery JavaScript library

Abuse of the JavaScript library has led to over 4.5 million recent exposures to infection.

Written by Charlie Osborne, Contributing Writer April 4, 2016 at 3:32 a.m. PT

Hackers are using the jQuery JavaScript library to inject malicious code into millions of Wordpress and Joomla Web domains, researchers say.

According to cybersecurity firm Avast, fake jQuery injections have become a very popular attack of late. In a blog post, the team said a particular attack method which has surged in popularity over the past few months includes the use of a fake jQuery script injected into the head section of websites powered by the Wordpress and Joomla content management systems, leading to a web of infection supported by compromised and malicious domains.

JQuery is a popular JavaScript library which aims to improve and streamline the use of JavaScript across multiple browsers -- a task which often becomes a headache for Web developers to manage quickly and effectively.

When codes are particularly complex, drawing on these kinds of libraries can make the job easier, but in turn, some features in the jQuery library are open to abuse for the purpose of cyberattack campaigns on a large scale.

Security

According to the researchers, fake jQuery scripts have been found in almost 70 million unique files on compromised websites. Since November 2015, a total of 4.5 million users have encountered infected websites due to the "abnormally high" number of compromised domains, researchers say.

The malicious code does not reveal itself to potential victims and website visitors. Instead, the fake jQuery script can only be seen within the website's source code. The script itself is simple, containing only a few variables and one "IF" statement which points to another JavaScript source hosted by a malicious domain.

The threat actors behind this campaign have ensured the code starts with a 10 milliseconds countdown, a common practice in injection types of attacks -- although a longer delay is more typical. The code then uses the "encodeURIComponent" feature, which encodes special characters such as ?, : and @.

"The final condition checks if variables contain necessary values and after evaluation another source for script is inserted," the researchers explained.

Once injected, the code then is used to increase the SEO rank of other domains, which could not only spread the infection further by boosting compromised websites but may make cybercriminals money by pushing up ad-based domains or for kinds of fraud such as fake domains.

The main sources of infection are below.

Webmasters should not only clear their local machines to make sure there are no infections at home but should also perform regular scans on their websites and keep Wordpress and Joomla builds up-to-date to protect themselves as much as possible from online threats.

Last week, researchers revealed that the Magento e-commerce platform has become the latest target for the KimcilWare ransomware. While not sophisticated and built upon code released as an educational tool, the malware is still able to compromise domains and demand payment from webmasters to restore functionality to websites.