A sophisticated campaign has been uncovered recently by cybersecurity researchers where hackers are exploiting Blogspot links to redirect unsuspecting users to malicious websites.

This technique, part of the broader “ApateWeb” campaign, demonstrates the evolving tactics employed by cybercriminals to evade detection and compromise user security.

The investigation began when researchers identified suspicious Blogspot links being shared on social media platforms.

These links appeared legitimate due to the use of social media meta tags, which created convincing link previews related to the topics of the posts they were attached to.

Upon closer examination, the researchers discovered that these Blogspot pages contained embedded JavaScript code designed to redirect visitors to malicious domains.

One such domain, altitudehighjackhonorary[.]com, was found to be a central hub for this redirection scheme.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Redirection process

The redirection process involves multiple stages:-

1. Users click on a seemingly harmless Blogspot link.
2. The Blogspot page loads briefly before redirecting to a control domain.
3. The control domain analyzes the user’s device and location.
4. Based on this analysis, users are sent to various malicious destinations.

These destinations included Windows phishing sites, fake VPN installers, and pages serving malware or potentially unwanted programs (PUPs).

To evade detection, the hackers employed several sophisticated techniques:-

1. User agent detection to identify and block known security crawlers.
2. Returning “empty OK” responses to certain requests to appear benign.
3. Utilizing heavily obfuscated JavaScript code from services like jsjiami[.]com.
4. Implementing click-based redirections to bypass automated analysis tools.

The campaign’s infrastructure is extensive, with researchers identifying over 9,500 domains exhibiting similar redirection behavior over a 30-day period.

These domains were primarily hosted on IP ranges associated with AS 39572 (“ADVANCEDHOSTERS-AS”) and AS 7979 (“SERVERS-COM”).

Besides this, thousands of domains returning “empty OK” responses were discovered, many registered through URL Solutions, Inc.

These domains often served as sources for malicious JavaScript loaded by other compromised sites.

By leveraging trusted platforms like Blogspot and employing advanced evasion techniques, the attackers can bypass many traditional security measures.

To protect against such threats, users are advised to:-

1. Exercise caution when clicking on links, even from seemingly trustworthy sources.
2. Use up-to-date security software capable of detecting and blocking malicious redirects.
3. Be wary of unexpected prompts to download software or enter sensitive information.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar