14 DAY TRIAL // Security researchers warn that websites hosted at Go Daddy are currently targeted in mass injection attacks, that add rogue code to their pages and direct visitors to scareware.
It seems that this particular gang of hackers has its mind set on Go Daddy, because this is the third wave of attacks in recent weeks affecting websites hosted by the company.
"As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy," researchers from Web integrity monitoring vendor Sucuri Security warn.
The compromised websites get base64-encoded code added to all of their php files. When parsed, this code injects rogue JavaScript content into the resulting page.
In addition to hitting Go Daddy, these attackers launched similar campaigns against other hosting companies on around October 21.
Many of the external domains used in the attacks are registered under the name of Hilary Kneber, an alias associated with many cybercriminal operations, including the notorious ZeuS banking trojan.
The malicious JavaScript code forces visitors' browsers to load additional scripts from external domains, which in turn redirects them to pages displaying fake antivirus scans and pushing scareware.
Scareware is a term referring to rogue applications, that pose as antivirus programs and display bogus security alerts in an attempt to convince users to acquire licenses.
Despite these attacks beginning over the weekend, some of the rogue domains are still up and serving scareware.
A sample we obtained had never been scanned on VirusTotal before and is currently detected by 16 out of 43 antivirus engines using signatures.
Sucuri has created a free clean-up script, which affected webmasters can download and execute, in order to remove the rogue code from affected files.
The file can be obtained from here, must be renamed to .php, uploaded to the Web server and accessed in a browser.