Vulnerable websites are regularly hijacked to redirect users to malicious domains. The most popular type of malicious page is the Fake AV page. Attackers commonly increase traffic to these hijacked websites using Blackhat SEO techniques.
Blackhat SEO requires that two different pages be delivered to different audiences:
- A harmless spam page to the Googlebot and security scanners, in order to get references and be ranked well by Google, as well as evade denylists
- A redirection to a malicious domain to attack users
[Figure: Found on dailygizmonews.com]
[Figure: Found on malaysianaspiration.com]
All of these examples result in the same HTML code, an IFRAME injection pointing to a malicious domain:
Ironically, this malicious code might actually keep users safer. Since it is present on all pages, regardless of the HTTP Referrer, the entire website is flagged as malicious much more quickly by search engines.
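The two behaviours described above (a page that differs by audience, and an IFRAME injected for every visitor) can be told apart by comparing off-site IFRAME hosts across request profiles. The following is an added example, not code from the original post; the profile names, sample pages and hostnames are constructed, and the response bodies are assumed to have been captured beforehand with different User-Agent and Referer headers.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def offsite_iframe_hosts(html, site_host):
    """Return the set of iframe hosts that are not site_host or a subdomain of it."""
    parser = IframeCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.sources:
        host = urlparse(src, scheme="http").hostname  # None for relative URLs
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return hosts

def classify(responses, site_host):
    """responses maps a request profile name to the HTML body it received."""
    per_profile = {name: offsite_iframe_hosts(body, site_host)
                   for name, body in responses.items()}
    found = list(per_profile.values())
    if not any(found):
        verdict = "clean"
    elif all(hosts == found[0] for hosts in found):
        verdict = "injected-everywhere"  # same iframe for every audience
    else:
        verdict = "cloaked"              # crawler and visitor see different pages
    return verdict, per_profile

# Constructed sample bodies; hostnames use reserved test domains.
SPAM_PAGE = "<html><body><h1>Gadget news</h1><iframe src='/ads/frame.html'></iframe></body></html>"
INJECTED = ("<html><body><h1>Gadget news</h1>"
            "<iframe src='http://bad-domain.test/in.php' width='1' height='1'></iframe></body></html>")
CLOAKED_SITE = {"googlebot": SPAM_PAGE, "search_referrer": INJECTED, "direct": SPAM_PAGE}
UNCLOAKED_SITE = {"googlebot": INJECTED, "search_referrer": INJECTED, "direct": INJECTED}

if __name__ == "__main__":
    for label, site in (("cloaked sample", CLOAKED_SITE), ("uncloaked sample", UNCLOAKED_SITE)):
        print(label, classify(site, "news.example"))
```

A "cloaked" verdict means only a scanner that imitates a real visitor will see the injection, while "injected-everywhere" is the case the last paragraph describes, where any crawler sees it.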