When breaking the law isn’t a barrier, there’s always a way to make a quick buck. We see it every day, and this time from an Indonesian cybercrime campaign infecting vulnerable websites by luring their visitors to a network of scam websites using blockbuster movies.

The attack part I: Recruiting the botnet

As we’ve seen in many other web attacks, the attackers use a botnet of hijacked websites to carry out the attack. While the hijacking attempts didn’t take place on Imperva-protected sites and thus didn’t show up on our radar, we draw this conclusion from the fact that in most cases the attacks originated from hosting servers, except for a few attacks from IP addresses belonging to an Indonesian ISP (see “why Indonesia”). Moreover, a sample examination showed many benign websites on the IP addresses from which the attack campaign originated. This approach is very popular with web attackers who want to distance themselves from the attack, erasing their tracks and making the task of tracing the origin of the attack significantly harder.

The attack part II: From innocent website to honeypot network

To build their honeypot network the attackers had to combine three components. The first is the recruited botnet. The second is a bug in the WordPress API, exposing WordPress websites to defacement attacks.

The vulnerability allows attackers to deface websites running WordPress by abusing a bug in its API. An example of such an attack:



Although the vulnerability was fixed in version 4.7.3 of WordPress, the attackers are relying on the fact that many site owners do not regularly update their applications and remain on old, vulnerable versions. This is the notorious A9 category of the OWASP Top 10 – Using Components with Known Vulnerabilities.

Web admins struggle to keep up with the patching race, which requires them to update their website every time a new vulnerability is discovered in any of the components in their sites. Knowing this, attackers continue to rely on a significant portion of websites failing to keep up with “the patching race” and remaining exposed to old attacks.
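One practical way for an admin to stay ahead of this particular race is to check every WordPress install on a server against the version that carries the fix. The script below is an added example, not code from the Imperva post: it parses the $wp_version assignment in wp-includes/version.php and reports each install as vulnerable, patched or unknown relative to the 4.7.3 fix mentioned above. The four install paths and their file contents are constructed sample data.

```python
import re

# Version in which, per the post, the WordPress API defacement bug was fixed.
FIXED_VERSION = (4, 7, 3)

# Constructed sample contents of wp-includes/version.php for four hypothetical
# installs (made-up paths and values, not data from the original post).
SAMPLE_INSTALLS = {
    "/var/www/blog-a/wp-includes/version.php": "<?php\n$wp_version = '4.7.1';\n",
    "/var/www/blog-b/wp-includes/version.php": "<?php\n$wp_version = '4.7.3';\n",
    "/var/www/blog-c/wp-includes/version.php": "<?php\n$wp_version = '4.8-beta1';\n",
    "/var/www/blog-d/wp-includes/version.php": "<?php\n// no version line here\n",
}

# Matches the assignment line WordPress ships in version.php, e.g. $wp_version = '4.7.1';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_wp_version(version_php: str):
    """Return the version as a tuple of ints, or None if it cannot be read.

    A pre-release suffix such as '-beta1' is dropped; only the numeric part
    matters when asking whether the fix is present. Missing components are
    padded with zeros so that '4.8' compares as (4, 8, 0).
    """
    match = _VERSION_RE.search(version_php)
    if not match:
        return None
    numeric = match.group(1).split("-")[0]
    parts = []
    for piece in numeric.split("."):
        if not piece.isdigit():
            return None
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version) -> bool:
    """True when the install predates the release that carries the fix."""
    return version < FIXED_VERSION


def audit_installs(installs: dict) -> dict:
    """Map each install path to 'vulnerable', 'patched' or 'unknown'.

    'unknown' installs deserve a manual look: a version.php that no longer
    contains the assignment is itself a sign of tampering or a broken install.
    """
    report = {}
    for path, content in installs.items():
        version = parse_wp_version(content)
        if version is None:
            report[path] = "unknown"
        elif is_vulnerable(version):
            report[path] = "vulnerable"
        else:
            report[path] = "patched"
    return report


if __name__ == "__main__":
    for path, status in audit_installs(SAMPLE_INSTALLS).items():
        print(f"{status:10s} {path}")
```

On a real server you would replace SAMPLE_INSTALLS with the contents of every version.php found under the web roots (for example via os.walk), and treat "unknown" with the same urgency as "vulnerable".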

The attackers didn’t make a significant effort to prevent web defenders from characterizing the attack, and used only simple client impersonation: two popular user-agent headers appear in the attack attempts.



Once the defacement is done, HTML code is pushed to the victim’s website. That HTML renders to something similar to the following:



When a visitor to the victim site follows the link, they play into the attackers’ hands and enter the attackers’ site. This is where things get sticky.
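The defacement leaves a durable trace on the victim site: a link to a domain the site never linked to before. A content-integrity check a site owner could run over post bodies to catch bait links of this kind is shown below as an added example (not code from the Imperva post). The site name example-blog.test, the allowlist, the sample post body and the free-movies.invalid link are all constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical victim site and the hosts it is allowed to link to outright
# (subdomains of an allowed host are also accepted, see is_allowed).
SITE_HOST = "example-blog.test"
ALLOWED_HOSTS = {SITE_HOST, "www." + SITE_HOST}

# Constructed sample post body: two internal links, one CDN subdomain link,
# and one injected bait link of the "watch the movie" kind the post describes.
SAMPLE_POST = """
<p>Our weekly update. See the <a href="/about">about page</a>.</p>
<p>Also read the <a href="https://www.example-blog.test/news">news</a>.</p>
<p><a href="http://free-movies.invalid/watch/blockbuster">Watch Full Movie HD</a></p>
<p><a href="//cdn.example-blog.test/img.png">image</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text-so-far] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href is not None:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def link_host(href: str):
    """Hostname of an href, or None for relative links (and mailto:, tel:, ...).

    urlparse treats a protocol-relative '//host/path' as having a netloc,
    so those resolve to a host as well.
    """
    return urlparse(href).hostname


def is_allowed(host, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Relative links are fine; absolute links must point at an allowed host
    or one of its subdomains."""
    if host is None:
        return True
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def find_injected_links(post_html: str, allowed_hosts=ALLOWED_HOSTS):
    """Return the (href, text) pairs in a post that point off the allowlist."""
    collector = LinkCollector()
    collector.feed(post_html)
    return [
        (href, text)
        for href, text in collector.links
        if not is_allowed(link_host(href), allowed_hosts)
    ]


if __name__ == "__main__":
    for href, text in find_injected_links(SAMPLE_POST):
        print(f"suspicious link: {href!r} with text {text!r}")
```

Run over every published post (for example from a wp_posts export) and diff the output against the previous run, so that a new off-site link shows up the day it is injected rather than when a visitor complains. Legitimate partner domains go into ALLOWED_HOSTS.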

The attack part III: Your *ss is mine

The victim is now in the attackers’ site. They see what the attackers want them to see (and are thus exposed to all sorts of phishing attacks), execute the attackers’ JavaScript code in their browser (which can lead to a variety of threats, such as CSRF and “volunteering” to mine crypto-coins) and in general, despite the protection of the browser sandbox, they are in the attackers’ hands.

Another, more implicit implication of the fake links concerns SEO: the attackers’ site is likely to gain an SEO boost from the link on the victim site, while the victim site might suffer an SEO downgrade for linking to a shady site.

The plot then splits into two branches. In the first branch, the victim is redirected to shady websites through what seem to be affiliate links. In this post, however, we’re going to ignore this branch and focus on the more popular one, where visitors are “invited” to a fake “movie viewing” page, typically for blockbuster movies like these:



Later we analyzed the stats of the films, but not before “playing the victim” a little while longer. Attempting to play the movie starts with a few seconds of video, then opens a pop-up asking the visitor to sign up or log in:



Intrigued to see whether the website even allowed us to log in, we tried to use the login form in the pop-up message. We got the following message:



This message was displayed without loading any resources, which means that the failed-login notification was shown without the username and password ever being sent to the server for verification. Looking at the source code, we found the following JavaScript (jQuery-enriched) code:



Meaning that clicking the login button simply waits 3.5 seconds, then displays the “Wrong Username or Password” message… shame on you… what a waste of “good” credentials.



The attack part IV: Show me the money

If visitors attempt to sign up for a “free account,” they are redirected to shady websites running what seems to be some sort of pay-per-lead affiliate advertising, some more legit and others less so. Some led to PayPal payment options which, on a Google search, showed scam complaints from users who actually paid. Others led to a Dutch site innocuously named usenet.nl, claiming to be a company in San Marino, which, according to Alexa.com, has 25% of its visitors coming from Angola and others from India, China, and Indonesia (don’t worry, we’ll be back with the Indonesian connection later on). A Google search for usenet.nl brings up ads for a shady service and a dozen links to people warning that this service is part of a scam. In other cases, we were led to the filenugget service, which has a similar reputation.

Attack origin: The Indonesian connection

Attacks originated mainly from shared hosting environments with a large number of cPanel installations, although we can’t say for sure that this is the reason. We did see a small part of the attacks coming from a non-hosting network – an Indonesian mobile provider.

We believe that the campaign can be attributed to an Indonesian group for a few reasons:

Most of the IP addresses used for the attack are from what seem to be compromised websites. The exception to the rule includes IP addresses belonging to an Indonesian ISP – PT Telkom Indonesia, which can be the result of careless attackers testing their systems from home and mounting the attacks remotely. In the source code of the websites being promoted, we found one of the stylings referring to a green button with the command:

$("b.hejo").text("Watch");

The class “hejo” seems to refer to green text. The word hejo in Sundanese means “green”.

Of course, this is not a bulletproof indication that this group is Indonesian, and if time allowed, we could have conducted a more intensive investigation on the location of the attackers.

Blockbuster competition

Here are the top 20 films we’ve seen in the attack:



While the list clearly favors action films, the most popular ones are those targeting minors. We pulled age ratings from https://www.commonsensemedia.org/ and divided the films into 3 categories: small children (up to 9+), children (10-14), and teenagers (14-16) and adults.





Our immediate conclusion was that the attackers are relying on minors’ ignorance when it comes to cybersecurity in order to target households, assuming that many young people tend to be less cautious and are more likely to follow a malicious link than their parents. However, since most of the attacks led to the victims accessing their PayPal accounts or being asked to enter their credit card details, this theory doesn’t seem to hold that much water. Still, there are a few reasons you might want to use family movies:

The campaign ends in a pay-per-lead – bringing victims to the sites regardless of whether they are minors or adults. This theory fits with what we know about the industrialization of attacks and the separation of roles, with one cybercrime entity being responsible for the task of bringing people in, and the other focusing on converting victims into profit.

Some of the paths led to the installation of browser extensions, attack scenarios which exploit the ignorance of young internet users. However, we didn’t find a correlation between the movie genres and the eventual attack path they led to.

The attackers could also have just picked a list of random blockbusters without looking at the genres. This theory goes along with the spray-and-pray approach we’re seeing in many attack campaigns on websites and public APIs.

In many cases, parents are eager to please their ever-demanding children and will ignore red lights along the way.

Protecting yourself from these types of campaigns

In this story, we’ve seen several types of victims.

The botnet – websites that were hijacked through an unknown remote code execution attack.

The defacement victims – websites that were vulnerable to the defacement attack, had bait implanted in them and exposed their users to malicious attacks.

While there is a significant difference in the risks posed by RCE and defacement attacks, the origins of both attacks are similar, and so is the mitigation. For both, site admins are required to overcome the notorious OWASP A9 (Using Components with Known Vulnerabilities), either by patching their website software when relevant components are found to be vulnerable or by using external protection like a good web application firewall (WAF).

Finally, the end victims and their families: when browsing the internet, it is not enough that you are cautious and familiar with phishing scams and other “goodies” coming from the web. It’s important to educate your entire family, including minors, about the risks and warning signs, especially since internet users are getting younger every year.