 * Website Malware Infections
 * WordPress Security


INDONESIAN GAMBLING REDIRECT HIDING IN PLAIN SIGHT

Kayleigh Martin
 * October 30, 2024



Much of the malware we find is complex and hard to locate. Attackers obfuscate
their code so that a simple search will not track it down, and some samples take
an extensive review to uncover. That is not always the case, though. Threat
actors keep finding new ways to inject malware while avoiding detection, and in
some situations they hide their malicious code in plain sight. Recently, I
discovered a cleverly disguised malicious redirect in which the attackers used
a popular, legitimate redirect plugin on a WordPress site. By routing visitors
through an intermediary domain, they set up the redirect so that its final
destination never appears anywhere on the compromised site, which is what let it
evade detection.

Let’s review this injection more in depth.


REDIRECT SYMPTOMS

A client recently came to us concerned that their site was redirecting to an
Indonesian gambling website, as seen below:



On review, the infected website took several seconds to load before the
redirect fired. It also fired with JavaScript completely disabled, which rules
out an injected script: a redirect that still works with JavaScript off is
being issued in the HTTP response itself (a 3xx Location header or a meta
refresh in the HTML), not by code running in the browser. The gambling domain
the victim's website landed on was surfatech-tis[.]com, yet searching the files
and database for that domain turned up nothing. How could this be? In other
samples found in the past, redirects whose destination cannot be found by a
plain-text search are usually obfuscated in some fashion, so I performed more
extensive reviews and still came up short. The next tactic was to list the
recently modified files. That is where I stumbled upon a plugin called 301
Redirects, installed two days before my search. Looking at the redirects
configured in that plugin revealed the malicious redirect chain.


UNCOVERING THE REDIRECT VIA A POPULAR REDIRECT PLUGIN

The 301 Redirects plugin is a popular, verified tool that is legitimately used
in most cases, but I took a closer look inside to be sure. Among its configured
redirect targets was the domain uad.uinfasbengkulu[.]ac[.]id. At first I did
not think this was the cause of the malicious redirect, until I remembered that
.id is Indonesia's country-code top-level domain. Not only was the client's site
not based in Indonesia; redirecting visitors to Indonesian gambling sites is a
common tactic attackers use after exploiting a vulnerable site.

Sure enough, after loading uad.uinfasbengkulu[.]ac[.]id through
https://urlscan.io, a sandboxed URL scanning service, it landed on
surfatech-tis[.]com, the domain our client's website was redirecting to. The
attackers most likely got into the victim's site through a vulnerability or a
compromised WordPress admin account, installed the plugin, and then added the
intermediary domain as a redirect target. Because the plugin only stores that
first hop, the gambling domain itself never appears in the site's files or
database, which is why searching for it found nothing.
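The investigation above boils down to one question a plain-text search cannot answer: where does a visitor actually end up once the redirect stored in the plugin is followed? The script below is an added example, not code from the post or from Sucuri. It traces a redirect chain one hop at a time (curl is deliberately not allowed to follow on its own), prints every intermediary host, and then compares the landing host against an allowlist of hosts the site is expected to send visitors to. The host names in the comments are the ones the post reports; the allowlist, the victim host name and the fetcher override are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Trace an HTTP redirect chain hop by hop so that both the intermediary host
# (the part a plugin search shows) and the landing host (the part it hides)
# are printed. Added example; host names below are constructed.
set -eu

# One hop: print "<status> <location>" for a URL. No -L, so %{redirect_url}
# is the raw Location of this hop only. A browser User-Agent is sent because
# conditional redirects frequently ignore curl's default one.
fetch_with_curl() {
  curl -sS -o /dev/null -A 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' \
       --max-time 15 -w '%{http_code} %{redirect_url}\n' "$1"
}
# The fetcher is a variable so the chain logic can be exercised offline
# against constructed responses (any function printing "<status> <url>").
REDIRECT_FETCH="${REDIRECT_FETCH:-fetch_with_curl}"

# Hostname of a URL, lowercased, without scheme, port or path.
host_of() {
  local h="${1#*://}"; h="${h%%/*}"; h="${h%%:*}"
  printf '%s\n' "$h" | tr '[:upper:]' '[:lower:]'
}

# Follow at most MAX hops, printing "<hop> <status> <url>" per line; the last
# line is where a visitor really ends up. Stops on a non-3xx status or a 3xx
# without Location (normal), and on a loop or too many hops (errors, rc 1).
trace_redirects() {
  local url="$1" max="${2:-10}" hop=0 seen=' ' resp status loc
  while :; do
    resp="$("$REDIRECT_FETCH" "$url")"
    status="${resp%% *}"
    case "$resp" in *' '*) loc="${resp#* }" ;; *) loc='' ;; esac
    printf '%d %s %s\n' "$hop" "$status" "$url"
    case "$status" in 3[0-9][0-9]) ;; *) return 0 ;; esac
    [ -n "$loc" ] || return 0
    case "$seen" in *" $loc "*) echo "redirect loop at $loc" >&2; return 1 ;; esac
    seen="$seen$url "
    hop=$((hop + 1))
    [ "$hop" -le "$max" ] || { echo "more than $max hops" >&2; return 1; }
    url="$loc"
  done
}

# Compare the landing host of a chain (trace_redirects output) with a
# space-separated allowlist of hosts the site may legitimately send visitors
# to. Prints "OK <host>" or "SUSPECT <host>"; returns 1 for a suspect.
judge_landing() {
  local chain="$1" allow="$2" last host
  last="$(printf '%s\n' "$chain" | tail -n 1 | awk '{print $3}')"
  host="$(host_of "$last")"
  case " $allow " in
    *" $host "*) printf 'OK %s\n' "$host" ;;
    *)           printf 'SUSPECT %s\n' "$host"; return 1 ;;
  esac
}

# Usage against a live site (victim.example and the allowlist are assumptions):
#   chain="$(trace_redirects 'https://victim.example/')"
#   printf '%s\n' "$chain"
#   judge_landing "$chain" 'victim.example www.victim.example'
```

On the case in the post the trace prints three lines: the victim site answering with a 3xx to uad.uinfasbengkulu[.]ac[.]id, that host answering with a 3xx to surfatech-tis[.]com, and the gambling site answering 200. Only the first hop is what you would see inside the plugin's settings, which is why the chain has to be followed rather than grepped for. The fetcher is pluggable so the logic can be checked without network access, as the accompanying test does.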


MORAL OF THE STORY

To wrap up this case: not all malware relies on heavy obfuscation. Threat actors
are constantly evolving and developing new waves of infections, and one of
their tactics is hiding malicious content in plain sight, here inside a
popular, verified plugin. Even seemingly harmless elements of a site, such as a
redirect rule, can carry hidden risk. WordPress site owners should take every
reasonable step to protect their sites and stay vigilant against potential
threats. Mitigation steps that better protect a WordPress site are listed below.


MITIGATION STEPS

To mitigate risk, there are a number of steps you can take to protect your
website from serving malware to your clients:

 1. Keep your plugins, themes, and website software up-to-date: Always patch to
    the latest version to mitigate the risk of known software vulnerabilities.
    Website visitors should keep their browser and operating system up to date
    as well.
 2. Enforce unique passwords for all of your accounts: That includes credentials
    for sFTP, database, cPanel, and WordPress admin users.
 3. Remove WordPress admin users no longer in use: A dormant account with an old
    password is an easy way in, and nobody notices when it is used.
 4. Periodically check WordPress admin users in your dashboard: Ensure that you
    recognize all WordPress admin users in your dashboard and remove any that
    are unrecognizable.
 5. Review installed plugins: Check that all plugins are ones that have been
    installed by you or your developer.
 6. Regularly scan for backdoors and malware: That means scanning at the server
    and client level to identify any malicious injections, SEO spam, or
    backdoors that may be lurking on your site.
 7. Monitor your logs for indicators of compromise: Regularly check for unusual
    or suspicious behavior and consider using a file integrity monitoring system
    on your website.
 8. Get a web application firewall (WAF): Firewalls can help mitigate bad bots,
    prevent brute force attacks, and detect attacks in your environment, which
    are features the Sucuri firewall provides.
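Steps 3 to 7 above can be partly scripted. The helpers below are an added example, not the post's or Sucuri's code: they flag admin users and plugins that are not on a list the site owner maintains, list files changed in the last few days (the step that exposed the plugin in this case), and keep a hash baseline of the docroot so that a plugin added after the fact shows up as a diff. They assume a Linux host with GNU coreutils and wp-cli; the paths and the "known" list files are assumptions.

```shell
#!/usr/bin/env bash
# WordPress audit helpers: unknown admins/plugins, recent changes, and a
# file-integrity baseline. Added example; paths below are assumptions.
set -eu

# Lines of stdin that are not present (exact, whole-line match) in the known
# list file. Feed it wp-cli output:
#   wp user list --role=administrator --field=user_login | unknown_entries admins.known
#   wp plugin list --field=name                          | unknown_entries plugins.known
# grep exits 1 when every line was known; that is the "all clear" case here.
unknown_entries() {
  grep -vxF -f "$1" || [ $? -eq 1 ]
}

# Files under the docroot modified in the last N days, excluding uploads,
# which churn legitimately. Run this first when a site starts misbehaving.
recent_changes() {
  find "$1" -type f -mtime "-$2" ! -path '*/wp-content/uploads/*' | sort
}

# sha256 of every file (minus uploads), sorted by path so runs are comparable.
hash_tree() {
  ( cd "$1" && find . -type f ! -path './wp-content/uploads/*' \
      -exec sha256sum {} + | sort -k 2 )
}

# Record a baseline right after a clean install or a cleanup ...
make_baseline() {
  hash_tree "$1" > "$2"
}

# ... and compare on a schedule. Output is a unified diff: "+" lines are new
# or modified files, "-" lines are removed files or pre-modification hashes.
# Returns 1 when anything differs (diff's status), so cron can alert on it.
check_baseline() {
  hash_tree "$1" | diff -u "$2" -
}

# Usage (paths and address are assumptions):
#   make_baseline  /var/www/html /var/lib/wp-audit/baseline.sha256
#   check_baseline /var/www/html /var/lib/wp-audit/baseline.sha256 \
#     || mail -s 'WordPress files changed' admin@example.com
#   recent_changes /var/www/html 3
```

The baseline diff is deliberately a whole-tree comparison rather than `sha256sum -c`, because the latter only re-checks files that were present when the baseline was taken; a newly installed plugin directory, which is exactly what happened here, would never be reported. For core and plugin files that ship through wordpress.org, `wp core verify-checksums` and `wp plugin verify-checksums --all` give the same kind of check against upstream hashes without needing a local baseline, but they say nothing about a redirect rule stored in the database, which is why reviewing the plugin's own settings remains a manual step.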

And if you believe your site has been compromised or injected with malicious
scripts, we can help! Reach out to our support team for assistance and we can
get the malware cleaned up for you.

KAYLEIGH MARTIN

Kayleigh Martin is a Security Analyst at Sucuri who joined the company in 2020.
Kayleigh's job is to clean infected websites and hunt for undetected malware.
She has a versatile technical background working with infected websites,
investigating server issues, and troubleshooting broken sites. When Kayleigh
isn't hunting for undetected malware, she might be spending time with her
family, exploring beaches, or cooking new cuisines.

RELATED TAGS

 * Malware,
 * Redirects,
 * WordPress Security