Security experts have warned site owners that want to add social media share buttons to their web pages that hackers are hiding FlashPack malware in legitimate looking website add-ons.
FlashPack is an exploit kit which delivers various Flash exploits including one which targets a Flash vulnerability (CVE-2014-0497) which was patched back in February.
It’ll also download the Carberp information-stealing trojan to open a backdoor on the victim’s machine, according to Trend Micro fraud researcher, Joseph Chen.
“This particular add-on is used by site owners who want to add social media sharing buttons on their sites. All the site owner would have to do is add several lines of JavaScript code to their site’s design template. This code is freely available from the website of the add-on,” Chen explained in a blog post.
The fact that the add-on requires a JavaScript file to be loaded should be a warning to website owners, he added.
“It means that the site owner is loading scripts from an external server not under their control,” said Chen.
“It’s one thing if it loads scripts on trusted sites like Google, Facebook, or other well-known names; it’s another thing to load scripts on little-known servers with no name to protect.”
On certain sites, the script in question will redirect users to the FlashPack script, delivering the various exploits.
At the moment, Trend Micro has observed the campaign mainly focused on Japanese users.
Around 87% of victims, or 66,000 users, hail from the land of the rising sun, with the US (3.22%) a distant second.
The landing pages of the exploit kit are apparently hosted in the Czech Republic, the Netherlands and Russia.
“How can users and site owners prevent these attacks? Site owners should be very cautious about adding add-ons to their site that rely on externally hosted scripts,” warned Chen.
“As shown in this attack, they are trivial to use in malicious activities. In addition, they can slow the site down as well. Alternatives that host the script on the same server as the site itself are preferable.”
He also advised end users to ensure they are always fully up-to-date with software patches, and recommended turning on auto-updates for Flash.