
I have a client with a website that sells a book. When someone clicks a button to purchase the book, a form is supposed to pop up (and does). However, I received a screenshot showing that, when that button is clicked, a security warning from Trend Micro also displays (see screenshot).

The URL mentioned in the warning is obviously NOT the same as the website. The website also has valid SSL running on it, too.

I logged into the WordPress Admin and saw no suspicious plugins. I also reached out to GoDaddy (the host) and asked if they could do a server-side scan to find any malicious scripts running, and the person said they found none (though he seemed uninformed regarding this issue).

I'd like to figure out what is triggering this warning as well as how to resolve it and prevent it from happening in the future.

Any ideas?

Kolappan N
  • `a form is supposed to pop up`. Apparently the script that loads the form is doing something outside your expectation. You should check whether the script is embedded with a malicious redirect algorithm. – mootmoot Mar 07 '19 at 12:38

4 Answers


Did you try to intercept any requests that were sent to 3rd parties when clicking that button?

Check those websites for crypto-mining scripts, or better: open the websites manually and check if your antivirus has problems with them. I think clicking the button may send a quick request to a 3rd party that has these scripts somewhere.

If all of that doesn't work, mark it as a false positive.

user5339049

You should check the website - both the one with the button and the one the purchase form is loaded from, if they differ - for any suspicious script or iframe sources. One way to do this would be to repro the process - clicking through the warning, if needed - while the browser's developer tools are open and capturing network traffic, and then see if there are any requests to that domain. You could also check the site source, using the browser or something like curl, though that may not help if the malicious script is served innocuously and builds the coin-miner script injection programmatically.

You should also see if you can get it to repro across different browsers, machines, and network connections. It's possible that whoever reported that issue has some malware - either on their local machine (such as a malicious browser plugin) or on some upstream network device (and the user either trusts the upstream device's root CA cert or the page is only partially loaded over HTTPS) - that injects coin-miner scripts into the victim's web pages.

CBHacking

Try checking the website with https://www.virustotal.com/#/home/url. My guess is that the website has a compromised WordPress plugin that is now serving crypto-miner malware (from another URL) to the visitors of the website, and that's why you are seeing the pop-up notification from the antivirus program.


I would advise, as a first step, going to the site the way typical visitors would: do a Google search that the site will appear in (even if it is a url:yoururl search) and then run through the pages and see if malicious content appears.

A common strategy attackers use is to hide the attack from the administrators of the site, who will generally access the site directly, by looking at the referrer and only injecting the malicious code when the visitor is coming from a search engine.

Wige
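A defender-side check that combines CBHacking's suggestion (list the script and iframe sources a page pulls in) with Wige's referrer point (fetch the page once directly and once with a search-engine Referer, then diff the external hosts). This is an added example, not code from any of the answers; the two sample HTML pages are constructed, and the site hostname shop.example is an assumption.

```python
"""Find script/iframe hosts that only appear when a visitor arrives from a search engine."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request


class SourceCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def external_origins(html, site_host):
    """Hosts that scripts/iframes are loaded from, excluding the site's own host."""
    parser = SourceCollector()
    parser.feed(html)
    hosts = set()
    for src in parser.sources:
        host = urlparse(src).hostname  # relative URLs have no host: same origin
        if host and host != site_host:
            hosts.add(host)
    return hosts


def fetch(url, referer=None):
    """Fetch a page, optionally with a Referer header (assumes plain urllib is enough)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def cloaked_injections(direct_html, referred_html, site_host):
    """External hosts present only in the search-engine-referred copy of the page."""
    return external_origins(referred_html, site_host) - external_origins(direct_html, site_host)


# Constructed sample pages standing in for the direct and referred fetches.
DIRECT = '<html><body><script src="/wp-includes/js/jquery.js"></script></body></html>'
REFERRED = DIRECT.replace("</body>", '<script src="https://unknown-cdn.example/m.js"></script></body>')

if __name__ == "__main__":
    # Real use: direct = fetch(URL); referred = fetch(URL, "https://www.google.com/")
    print(cloaked_injections(DIRECT, REFERRED, "shop.example"))  # {'unknown-cdn.example'}
```

If the host named in the Trend Micro warning shows up in the diff, the injection is referrer-cloaked server-side; if it shows up in neither fetch, suspect the reporting user's machine or network, as CBHacking's answer suggests.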