MosQUito: Has the jQuery Malicious Exploit Attacked Your Website?

By Rich Kahn, May 19, 2016

You have a successful blog, or at least you’re working on making it a successful blog. You’ve put blood, sweat, and tears into selecting the perfect template, ideal color scheme, and a font that is clean and crisp with a bit of personality. This blog represents you or your company, so I hate to be the bearer of bad news: you’re vulnerable, and could be losing a percentage of your paid and organic website traffic to fraudsters.

Do I have your attention now? Good.

A new malicious exploit has been discovered quietly lurking in the backend code of your content management system. It has the ability to redirect your traffic, meaning that while visitors are trying to navigate through your website, this exploit will take the user elsewhere. It’s a nuisance that is fairly annoying to the site visitor, can get you blacklisted by ad networks or advertisers, and is downright dangerous for third-party traffic scoring solutions.

To understand why this happens, it’s best to understand how it works.

What Is This Code?

The malicious code is called MosQUito, and to the untrained eye, it looks just like another piece of code on your website. See, jQuery is a widely used JavaScript library. In short, plain JavaScript often requires many lines of code to accomplish a task. jQuery can ‘wrap’ that code in a method that reduces it to a single line. It basically allows you to ‘write less and do more.’

If you’re running a site that includes jQuery, it is very normal to see the JavaScript file ‘jQuery.min.js’ included on your site, and that is not a problem. Where the malicious code has gotten crafty is with the file extension: it masks itself as a script called ‘jQuery.min.php.’ If this is in your site’s code, this is bad.

(Image: how to spot the malicious MosQUito)

jQuery.min.php is malicious JavaScript that has been found lurking in website code. At first glance, it appears to be a simple wrapper around a traditional jQuery include, but it’s not. It hides just above the tag and can overtake your website by stealing visitors and directing them to websites other than your own.

It’s difficult to get rid of permanently. Just when you think you’ve eradicated it, it could easily come back later.

How Do I Know If I'm Infected?

As of April 2016, over 41.6 million websites use jQuery. More than one fifth of all websites are based on WordPress, which loads jQuery. The main targets of this threat are WordPress and Joomla users, so if you run either, you’ll need to review:

  • Google Search Console. Check for changes in your search rankings or impressions. If you find radical changes in your ranking or impressions, like losing or gaining traffic, it may be more of a Google Penguin or Panda update than a jQuery issue. This jQuery issue goes undetected as your ranking will barely change, or you’ll see a negligible impact, and your results will look comparable to prior months of traffic.
  • Google Analytics. Does the traffic volume here match that of the Search Console? The Search Console shouldn’t show more traffic than Google Analytics, especially in regards to organic traffic.
  • Site Speed. Has your site gotten slower recently? MosQUito will significantly slow down a site’s speed, or possibly cause the site to stop loading altogether.
  • Search Your Site in Incognito Mode. Check the queries where you rank well and test your sites. When you do, click around like an organic user. If you find yourself being redirected once or more and landing on something other than what you intended, you’re likely infected.
If you’re more advanced and familiar with code, you can scrub your code and look for anything unnatural. In the example below, jquery.min.php appears in the code, but it can appear anywhere on a website.

(Image: site source showing the injected jquery.min.php script tag)

Lastly, you can check this static list as our company has already identified over 10,000 of these websites which were infected and, at the time of this report, blocked by our ad fraud filter.
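For site owners who would rather not eyeball every file, the following scanner, added here as an illustration and not taken from the article or from WordPress or Joomla, walks a document root and flags any script include or file name that mimics jQuery but resolves to a PHP resource (the ‘jquery.min.php’ pattern described above). The document root path, the scanned extensions, and the sample site it builds when run without arguments are all assumptions for the sake of the example.

```python
"""Scan web content files for jQuery-named includes that point at a .php file.

Added example, not part of the original article or of any CMS project.
Assumptions: the document root is passed on the command line (or a constructed
sample site is used), and only the extensions listed below are scanned.
"""
import os
import re
import sys
import tempfile
from html.parser import HTMLParser

# A genuine jQuery build is served as a .js file. A jQuery-named include that
# resolves to .php is the indicator the article describes. '/' is excluded so a
# legitimate directory named 'jquery' containing some .php file is not matched.
JQUERY_PHP_RE = re.compile(r"jquery[\w.\-]*\.php", re.IGNORECASE)
SCANNED_EXTENSIONS = (".html", ".htm", ".php", ".js")

# Constructed sample pages (not real site content) used when no path is given.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p></body></html>"""

INFECTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><p>Hello</p>
<script type="text/javascript" src="/wp-content/uploads/jquery.min.php"></script>
</body></html>"""

INFECTED_PHP = """<?php
// constructed sample: a theme file with an injected include
echo '<script src="http://example.invalid/js/jQuery.min.php?v=1"></script>';
?>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def suspicious_script_sources(text):
    """Return script src values that look like a jQuery include served as PHP."""
    collector = ScriptSrcCollector()
    collector.feed(text)
    return [src for src in collector.sources if JQUERY_PHP_RE.search(src)]


def find_jquery_php_references(text):
    """Return every jquery...php match anywhere in text, so references injected
    into PHP or JS source (not just rendered HTML) are caught too."""
    return JQUERY_PHP_RE.findall(text)


def scan_directory(root):
    """Walk root; return {path: [indicators]} for files that carry the pattern
    in their content or in their own file name."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCANNED_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = set(find_jquery_php_references(fh.read()))
            except OSError:
                continue
            if JQUERY_PHP_RE.search(name):
                hits.add("filename:" + name)
            if hits:
                findings[path] = sorted(hits)
    return findings


def build_sample_site():
    """Write the constructed sample files into a temp directory; return its path."""
    root = tempfile.mkdtemp(prefix="mosquito_sample_")
    samples = {
        "index.html": CLEAN_PAGE,                        # clean: jquery.min.js only
        "post.html": INFECTED_PAGE,                      # injected script tag
        os.path.join("theme", "header.php"): INFECTED_PHP,  # injected via PHP echo
        # the dropped file itself, with a placeholder body (no real payload)
        os.path.join("uploads", "jquery.min.php"): "<?php /* placeholder */ ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_site()
    for path, indicators in sorted(scan_directory(target).items()):
        print(path, "->", ", ".join(indicators))
```

Run it as `python scan.py /path/to/docroot` against a copy of the site files; with no argument it scans the constructed sample site and should report three of the four files. A hit means only that the pattern is present: compare each flagged file against a clean copy of your theme or plugin before deleting anything.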

What Should I Do If I Suspect I'm Infected?

First and foremost, if you suspect you’ve been infected, you’ll want to contact your hosting company to ensure the issue you’re seeing is not part of a bigger problem. Plus, if you’re not incredibly tech savvy, your hosting company can help you identify and isolate potential issues on your website that need to be remediated.

Identify and Delete All Files Containing Malicious Script.

If you’re not well-versed on the backend code, or afraid you’ll ‘break’ something, contact your content management provider for assistance.

Perform Updates on Your CMS and Extensions.

It’s tempting to ignore the updates to your CMS and website extensions, but don’t. These updates often take care of known issues and protect your website. Along with checking to make sure you’re running the most updated version of your CMS, don’t forget any extensions, plugins, or add-ons you’re running. Those should also be consistently evaluated to keep your site secure.

For WordPress users, this can be identified on the ‘At a Glance’ panel of your Dashboard.

(Image: WordPress Dashboard, ‘At a Glance’ panel showing the running version and theme)
 
Joomla users can identify their version type on the backend of their website by clicking ‘Information’, then ‘System Info.’
 
(Image: Joomla System Info screen showing the installed version)
 
Source: Joomla
 
A full log of updates with each version can be found here for WordPress sites and here for Joomla sites. Once you’ve updated your content management system to the most current version, go back through your code to see if jQuery.min.php still exists.
 
If MosQUito remains, contact your provider immediately and alert them to your infection. If MosQUito is gone, you’re nearly in the clear. Check back several days later to ensure you have not been reinfected. If you find yourself free of the MosQUito exploit, but then it returns, your content management system is not yet protecting you through its recent version update.

Review Your Admin Status.

Many compromised WordPress sites were found to have admin user names such as ‘backup,’ ‘dpr19,’ and ‘loginfelix.’ If these are found, revoke admin access. Generally, as good practice, there is rarely a need for more than one person to have admin status. If you have several, protect yourself by assigning one ‘admin’ and replacing the others with more restricted roles, if any role at all.

Change Your Passwords.

Simply stated, all passwords impacting your site (e.g. your CMS, any extensions, third-party applications, etc.) need to be changed. Remember, they’ve breached your website and likely can get back in, unless they no longer have the key.

Remember, MosQUito lives in your backend code, so unless you eradicate it completely, it has the ability to continue to infect your website.

Get Ongoing Protection.

Site checkers like Malwarebytes Anti-Malware and Sucuri Malware and Security Scanner can help alert you to issues before they have a larger impact on your website.

While finding the malicious MosQUito code on your website can be concerning, it’s not fatal and your website can come back from this threat. Follow the recommended steps to rectify the malicious code, use a malware scanner regularly, and keep a watchful eye on what your Google Search Console tells you versus your Google Analytics. Continuous attention to threats that could affect your website will keep not only your site protected, but others as well.

Tags: Ad Fraud

Rich Kahn

Rich Kahn is the Founder and CEO of eZanga.com, a digital advertising firm focused on pay per click and pay per call advertising, and digital ad quality through ad fraud traffic management. He has more than 23 years of global experience in internet technology, digital advertising, and ad fraud management, and is often revered for his implementation of fraud elimination techniques and client growth. Previously, Rich founded his own internet service provider, First Street Corporation and co-founded Paid for Surf, an advertising software company, before joining the pay per click advertising network AdOrigin as its COO. Rich has held management roles at Verizon Wireless and Bloomberg.