Fake social button code on websites attacks visitors via the Angler exploit kit

You won't like this.

Researchers have spotted fake social buttons plugins that attackers are using to compromise websites and redirect visitors to the Angler exploit kit.

Jérôme Segura, a senior security researcher for Malwarebytes, has seen everything from malvertising campaigns to mischievous tech support scams.

But new threats are always emerging.

Case in point, in a post on his company’s blog, the researcher writes that the latest Angler infection campaign isn’t your typical redirect from hacked websites running outdated versions of WordPress and Joomla. There isn’t even a direct injection of a landing URL for the exploit kit inside the compromised site’s source code.

“Rather, this one uses a domain name used to lure website owners into thinking this is part of social plugins or such widget: socialbutton[.]site. Those buttons typically allow users to ‘Like’ or retweet an article easily from the website they are visiting.”


The infection process proceeds as follows. A malicious actor compromises a website. Instead of injecting an Angler URL into the site’s source code, they inject a malicious JavaScript call along the lines of http://social-button[.]site/analytics.js.

At first glance, a site owner might think they are looking at a social sharing plugin’s JavaScript file. Anyone who accesses the file directly will not trigger the malicious content; they will be served a clean version of the code instead.

It’s when someone pays a visit to the compromised website that the malicious code activates and takes the visitor from one intermediary stop to the next until arriving at their final destination: a landing page for the Angler exploit kit.

[Image: clean vs malicious]
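
For site owners, one way to catch an injected call like the one described above is to compare every script host a page loads against the hosts the site actually uses, rather than inspecting the remote file, which is served clean on direct access. The Python check below is an added example, not code from the original article or from Malwarebytes; the allowlist, the sample page and the domain fake-social-widget.example are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts the site owner knowingly loads scripts from (assumption; edit per site).
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "platform.twitter.com"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def unexpected_script_hosts(page_url, html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return sorted (host, resolved_url) pairs for scripts loaded from hosts
    that are not on the allowlist. Relative and protocol-relative src values
    are resolved against page_url first."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = set()
    for src in collector.sources:
        resolved = urljoin(page_url, src)
        host = (urlparse(resolved).hostname or "").lower()
        if host and host not in allowed:
            findings.add((host, resolved))
    return sorted(findings)


# Constructed sample page: one local script, one known widget, one injected call.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://platform.twitter.com/widgets.js"></script>
<script src="//fake-social-widget.example/analytics.js"></script>
</head><body>...</body></html>
"""

if __name__ == "__main__":
    for host, url in unexpected_script_hosts("https://www.example.org/post", SAMPLE_HTML):
        print(f"unexpected script host: {host} -> {url}")
```

Run it against the rendered HTML of each page template after every deployment; any host it reports that nobody on the team added deliberately deserves investigation, however harmless its name looks.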

In this particular campaign, Angler loads up Bedep, a piece of malware that has the ability to download other types of malware. Who knows? It might decide to begin dropping CryptXXX and other forms of ransomware.

This might be a unique twist on the Angler redirect, but one thing remains the same: attackers compromising outdated websites to prey upon unsuspecting users.

With that in mind, site owners should take extra precautions to make sure their content management systems (CMSs) and websites are up to date with the latest patches.
