Delaware, USA – January 23, 2018 – Experts from CSE Cybsec discovered a huge malvertising campaign – EvilTraffic. Adversaries attack WordPress websites exploiting CMS vulnerabilities, and then upload to compromised websites a zip archive with malware, which after unpacking redirects visitors via hitcpm.com to malicious sites generating advertising traffic. The advertising websites contain links to suspicious software or can be used by hackers to steal sensitive information about visitors including credit card information. Experts found over 18 thousand compromised sites with installed malware. According to Alexa’s rating, EvilTraffic’s primary website (hitcpm.com) occupies the 127th position, and the most its victims are redirected from India, the US, Japan, Canada and China. In addition to compromising websites, attackers also distribute malware for browser hijacking via phishing emails, malicious links and compromised sites. The campaign began in late October 2017 and continues to this day. The researchers claim that recently the number of hacked sites has decreased, but this has not affected the effectiveness of EvilTraffic campaign.
To reduce risks of involving your websites in adversaries’ campaigns, you can deploy Web Application Security Framework for ArcSight. This use case allows your SIEM to detect attacks in the early stages and to spot any suspicious activity associated with the company’s web applications.