Joomla Development Insights

John is the owner and senior developer of Blue Bridge.

Fake Social Links Silently Deliver Malware to Joomla Users

Malwarebytes researchers have identified a new pattern in attacks on Joomla sites. Compromised sites have a link injected into them that appears to load social sharing buttons, but actually delivers malware to users' computers using the Angler exploit kit. In this blog post, we'll look at how the attack works, what makes it unique, and how to check whether your site is affected.

How the Attack Works

1) A Joomla site has to be compromised by hackers in order to implement the attack. This is typically done by attacking a Joomla installation that is not up to date and has known vulnerabilities or by guessing the administrator password.

Jerome Segura of Malwarebytes noted, "If you are a website owner, it is critical that you maintain your platform up-to-date to avoid being used as a springboard for malware. All cases we saw with this campaign were sites that were outdated and breached via automated attacks."

2) After compromising a site, hackers inject a JavaScript resource link to what appears to be a social link button site. This can be accomplished in a variety of ways, but the simplest way is to alter the template index.php file on the hacked Joomla site. The JavaScript source looks like a legitimate site, using the domain name "social-button.site". A Joomla developer or webmaster might see this domain name and mistakenly think that it is a resource like "Share This" (sharethis.com) or "Add This" (addthis.com). These kinds of sites let developers and website owners easily add social share functionality to a website by displaying popular social icons that allow visitors to like or share a page on that network (e.g. Twitter or Facebook links).

3) When a visitor arrives on the hacked Joomla site, their browser silently loads the JavaScript resource in the background. However, what is delivered is not any sort of social sharing functionality but a redirection to an Angler exploit kit. Exploit kits are tools that target browsers and user applications and make it easier for a hacker to find vulnerabilities in those applications and compromise them. If the exploit kit detects a website visitor with a vulnerable computer, it initiates an attack and subverts that computer. In this way, hackers use the Joomla site as a rung on a ladder that ends up delivering malware to site users.

4) In the example, the Malwarebytes researchers listed the effect of the attack as delivering malware that initiated ad fraud, where compromised visitor computers are used to manipulate online advertisement impressions and clicks. The goal of this is typically either to run up the ad costs of competitors or to make it appear as if certain advertising campaigns are doing better than they actually are. However, this is just one of a variety of possible nasty effects that a visitor who is hacked through the Joomla site might experience.

Noteworthy Aspects of This Attack

This attack is noteworthy for a couple of reasons:

The compromised Joomla site doesn't have any unusual symptoms. Hackers are not placing code on the actual site, just a JavaScript call that is quite normal for websites. Because of this, this vector of attack will likely not be discovered using a file scanner like the one used by Admin Tools or any sort of pattern matching that similar tools use. In most cases, the scanner will have to look for an exact match of a domain name delivering this attack in order to detect it. Now that the attack has been exposed, it's very likely that permutations of it will be used in the future, and those domain names must be identified by the scanner as well.

To make things even trickier, when a concerned Joomla developer or site owner loads up the resource listed in the JavaScript call, they will find a normal JavaScript file. This is because the hacker's server hosting the JavaScript file checks the HTTP referrer, and if it is not the hacked Joomla site, it returns what looks like a valid resource. It will only deliver the malicious JavaScript redirect to the Angler EK if the referrer is a compromised site.

As you can see, this is a very sneaky way to sabotage a Joomla site in order to harm its users.
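The referrer behaviour described above can be checked by requesting a suspect script with and without your own site as the Referer and comparing the responses. This is an added example, not code from the Malwarebytes report; the function names, the browser-like User-Agent string and the result labels are assumptions.

```python
import hashlib
import urllib.request

def http_fetch(url, referer=None, timeout=10):
    """Fetch url, optionally sending a Referer header; return the body bytes."""
    # Assumption: a generic browser-like User-Agent so the request is not
    # rejected outright as a script.
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()  # the body is only hashed, never executed

def digest(body):
    return hashlib.sha256(body).hexdigest()

def referer_check(script_url, site_url, fetch=http_fetch):
    """Compare the script served with and without site_url as Referer.

    Returns 'same', 'differs-by-referer' or 'unstable'.
    """
    plain_1 = digest(fetch(script_url))
    plain_2 = digest(fetch(script_url))
    if plain_1 != plain_2:
        # The body changes on every request, so a difference proves nothing.
        return "unstable"
    with_ref = digest(fetch(script_url, referer=site_url))
    return "same" if with_ref == plain_1 else "differs-by-referer"
```

A "differs-by-referer" result means the resource deserves manual review; a "same" result does not clear it, since a server can key on more than the Referer header.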

How to Check Whether Your Joomla Site is Compromised

Checking to see whether a Joomla site you own or manage has been hacked and is executing this attack on visitors is fairly straightforward. All you need to do is check your network traffic for a JavaScript reference to a domain named "social-button.site" using the developer tools in Chrome, Firefox, or Opera. As I noted above, though, there will likely be permutations of this attack, so if you are experiencing symptoms similar to this attack, any unfamiliar domain name should be viewed with suspicion until you can verify that it is a legitimate resource.
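The same check can be run over a saved copy of a page's HTML: list every external script host, flag the domain named in this post, and report any host you have not approved. This is an added example, not part of the original post; the allowlist contents, the function names and the sample page are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain named in this post; extend as new variants are published.
KNOWN_BAD = {"social-button.site"}
# Assumption: third-party script hosts this site intentionally uses.
ALLOWED = {"sharethis.com", "addthis.com"}

class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_scripts(html, site_host):
    """Return external script hosts grouped as 'malicious' or 'unknown'."""
    parser = ScriptCollector()
    parser.feed(html)
    report = {"malicious": [], "unknown": []}
    for src in parser.sources:
        # urlparse handles absolute and protocol-relative (//host/path) URLs;
        # relative paths have no hostname and are local to the site.
        host = (urlparse(src).hostname or "").lower()
        if not host or matches(host, {site_host}):
            continue
        if matches(host, KNOWN_BAD):
            report["malicious"].append(host)
        elif not matches(host, ALLOWED):
            report["unknown"].append(host)
    return report

# Constructed sample page; example.org and all script paths are made up.
SAMPLE = """<html><head>
<script src="/media/jui/js/jquery.min.js"></script>
<script src="//w.sharethis.com/button/buttons.js"></script>
<script type="text/javascript" src="http://social-button.site/buttons.js"></script>
<script src="https://cdn.unfamiliar-widgets.example/share.js"></script>
</head><body></body></html>"""
```

This reads static markup only; scripts added at run time by other JavaScript still need the browser's network panel described above.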

If you discover your site has been compromised, it's worth reviewing the article posted by Malwarebytes, Fake Social Button Plug-In Redirects to Angler EK, for more information. Additionally, our guide on How to Fix a Hacked Joomla Site is a good resource to get started in recovering from this attack.

How to Protect *Your* Computer Against These Attacks

This kind of attack is being executed not only on Joomla sites, but on WordPress sites as well. At some point in using the Internet, you are likely to come across a compromised site that is trying to implement a similar attack. The best defense is to have up-to-date software and common security applications installed (antivirus, firewall, etc.). There are several popular vendors for this type of software, and a simple web search will provide you with lots of options (including Malwarebytes).
