Cloud security firm Wiz discovered a widespread redirection campaign that compromised tens of thousands of websites aimed at East Asian audiences in order to redirect visitors to adult-themed sites.
Active since at least September 2022, the campaign, dubbed “Redirection Roulette,” has relied on legitimate FTP credentials that the threat actors behind the operation had obtained earlier.
In each case, the threat actor injected malicious code into customer-facing web pages; the code is designed to collect information about visitors’ environments and occasionally redirect them to these other sites.
The affected websites included sites owned by small companies and multinational corporations.
“They are diverse in terms of their tech stacks and hosting services, making it difficult to pinpoint any specific vulnerability, misconfiguration, or source of leaked credentials this threat actor may be abusing,” the researchers noted.
After gaining access to a target website, the attackers modified existing web pages by adding a single line of HTML: a script tag referencing a remotely hosted JavaScript file. Analysis of the FTP logs from many of the attacks revealed that the threat actor connected to these FTP endpoints from a static IP address.
Initially, the JavaScript code was also observed fingerprinting visitors’ browsers and sending the collected data to an attacker-controlled server; however, this behavior has not been seen since December 2022.
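Because the only change to a compromised page was one added script tag, a site owner can detect this class of tampering by inventorying every `<script src>` on a served page and flagging hosts outside an allowlist, or by diffing the script inventory against a known-good baseline. The following is an added example written for this article, not code from Wiz or from the campaign; the page markup and all hostnames in it (`www.shop.example`, `cdn.allowed.example`, `static.injected.example`) are constructed placeholders.

```python
"""Detect unexpected third-party <script src> references in a served HTML page."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lowercases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def collect_script_sources(html):
    """Return the list of script src values found in the page."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def external_script_hosts(html, page_host):
    """Return (src, host) pairs for scripts loaded from a host other than the page's own.

    Relative paths have no host and are treated as same-origin. Protocol-relative
    URLs ("//host/x.js") are given a scheme so urlparse extracts the host.
    """
    results = []
    for src in collect_script_sources(html):
        candidate = "https:" + src if src.startswith("//") else src
        host = urlparse(candidate).hostname  # already lowercased by urlparse
        if host is None:
            continue
        if host != page_host.lower():
            results.append((src, host))
    return results


def _host_allowed(host, allowed_hosts):
    """True if host equals an allowlisted host or is a subdomain of one."""
    for allowed in allowed_hosts:
        allowed = allowed.lower()
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def flag_unexpected_scripts(html, page_host, allowed_hosts):
    """Return external script references whose host is not on the allowlist."""
    return [
        (src, host)
        for src, host in external_script_hosts(html, page_host)
        if not _host_allowed(host, allowed_hosts)
    ]


def scripts_added_since(html, baseline_sources):
    """Return script src values present now but absent from a known-good baseline."""
    baseline = set(baseline_sources)
    return [src for src in collect_script_sources(html) if src not in baseline]


# Constructed sample page: two legitimate scripts plus one injected tag at the end of <body>.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.allowed.example/lib.js"></script>
</head><body>
<p>Welcome</p>
<script src="//static.injected.example/r.js"></script>
</body></html>
"""

# Constructed baseline: the script inventory recorded before the suspected compromise.
BASELINE_SOURCES = ["/static/app.js", "https://cdn.allowed.example/lib.js"]

if __name__ == "__main__":
    print("unexpected:", flag_unexpected_scripts(SAMPLE_PAGE, "www.shop.example", ["allowed.example"]))
    print("added since baseline:", scripts_added_since(SAMPLE_PAGE, BASELINE_SOURCES))
```

In practice the page would be fetched over HTTPS from the public site (the injection lives in the served HTML, not necessarily in source control), and the baseline would be stored alongside the deployment so a scheduled run can alert on any new script host. Pairing this with FTP/SFTP access logs, as the researchers did, narrows down when and from where the tag was introduced.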
“Given the nature of the destination websites, we believe the threat actor’s motivations are most likely financial, and perhaps they intend to merely increase traffic to these websites from specific countries and nothing more. However, the impact to the compromised websites and their user experience is equivalent to defacement, and whatever weaknesses this actor is exploiting to gain initial access to these websites could be utilized by other actors to inflict greater harm,” the researchers warned.