Fake DDoS protection system actually sends users to an EK

Feb 10, 2016 10:06 GMT  ·  By

In an attempt to lower users' guard, malware distributors are sneakily showing fake CloudFlare DDoS protection screens before redirecting users to dangerous Web pages harboring all kinds of nasty viruses.

Detected for the first time by Jérôme Segura, senior security researcher at Malwarebytes, this tactic is part of a large cybercrime campaign that leverages the Nuclear EK (exploit kit).

In recent days, criminals using this exploit kit have been very active, especially via a campaign that leverages infected WordPress sites to redirect users to the Nuclear EK, which then delivers malware, and more recently even ransomware.

CloudFlare DDoS check screen used to legitimize malicious websites

This particular type of Web campaign relies on hijacking the user's browsing path and secretly redirecting them through a series of servers until they land on a Web page that hosts the Nuclear EK. Nuclear uses known security exploits to compromise computers via drive-by downloads and, in the end, infects them with malware.

The role of the multiple Web redirections is for each server to test the incoming "victim" for exploitable software and security vulnerabilities. These checks often take time, and sometimes users give up waiting and close the browser tab.

As Mr. Segura has uncovered, this recent campaign is using a fake CloudFlare DDoS check screen to make users think they are navigating to a legitimate website that is worth the wait.

No Ray ID parameter means it's a fake

Unknown to the user, this CloudFlare DDoS protection page is actually a sham: it is missing some key visual cues and secretly runs malicious code under the hood.

These fake CloudFlare DDoS checks are easy to spot because they lack an essential ingredient: a parameter called "Ray ID," a randomly generated string that is unique to each user and website.

Another giveaway appears for users who employ the NoScript browser extension, which blocks dynamic JavaScript execution on Web pages. In this case, the decoy CloudFlare DDoS check asks users to turn on JavaScript and reload the page, something that CloudFlare never tells users.
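The two tells described above (no Ray ID, and a prompt to enable JavaScript) can be turned into a simple triage heuristic for pages captured by a proxy or sandbox. The following is an added example, not code from Malwarebytes or the article; the marker strings, the assumed 16-hex-digit Ray ID format and the sample pages are constructed for illustration.

```python
import re

# Wording that identifies a page posing as a CloudFlare DDoS check.
# These markers are assumptions for this example, not values from the campaign.
CHECK_MARKERS = ("checking your browser", "ddos protection by cloudflare")
# Genuine check pages display a Ray ID; the format assumed here is 16 hex digits.
RAY_ID_RE = re.compile(r"ray\s*id:?\s*([0-9a-f]{16})", re.IGNORECASE)
# The decoy asks NoScript users to enable JavaScript and reload the page.
ENABLE_JS_RE = re.compile(r"(enable|turn on)\s+javascript", re.IGNORECASE)


def classify_cloudflare_page(html: str) -> dict:
    """Triage an HTML page that looks like a CloudFlare DDoS check.

    Returns 'not_a_check' when the page carries no CloudFlare-check wording,
    'suspicious' when it does but lacks a Ray ID or prompts to enable JS,
    and 'looks_genuine' otherwise. 'reasons' lists the failed checks.
    """
    text = html.lower()
    if not any(marker in text for marker in CHECK_MARKERS):
        return {"verdict": "not_a_check", "reasons": [], "ray_id": None}
    reasons = []
    match = RAY_ID_RE.search(html)
    ray_id = match.group(1) if match else None
    if ray_id is None:
        reasons.append("missing Ray ID")
    if ENABLE_JS_RE.search(html):
        reasons.append("asks user to enable JavaScript")
    verdict = "suspicious" if reasons else "looks_genuine"
    return {"verdict": verdict, "reasons": reasons, "ray_id": ray_id}


# Constructed samples: a stripped-down genuine-looking check page and a decoy.
GENUINE_SAMPLE = """<html><body>
<h1>Checking your browser before accessing example.com.</h1>
<p>This process is automatic.</p>
<p>DDoS protection by CloudFlare</p>
<p>Ray ID: 2722d4c6d08f1e3a</p>
</body></html>"""

DECOY_SAMPLE = """<html><body>
<h1>Checking your browser before accessing example.com.</h1>
<noscript><p>Please enable JavaScript and reload the page.</p></noscript>
<p>DDoS protection by CloudFlare</p>
<script src="/check.js"></script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("genuine", GENUINE_SAMPLE), ("decoy", DECOY_SAMPLE)):
        print(name, classify_cloudflare_page(page))
```

A page flagged "suspicious" deserves a look at the redirect chain it came from rather than an automatic block, since the heuristic only covers the two visual tells the article names.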

Campaign leveraging fake CloudFlare DDoS protection screens
Original CloudFlare DDoS check screen