EITest Redirection – Website Redirecting to Fake Tech Support Pages

Is your WordPress website redirecting users to fake tech support websites? If so, your website could be hacked. Such WordPress hacked-redirect attacks are quite common: malware redirects the visitors of a particular website to unwanted websites, phishing pages, or domains controlled by hackers. One example was the EITest malware campaign, which redirected Internet Explorer users to spammy tech support sites.

We recently noticed that many WordPress websites redirect to malicious allow-space [.com] domains, then to adaranth [.com] afu.php, and finally to some legitimate websites.

This hack primarily targets financial-sector websites, including banks, online payment platforms, and other high-traffic sites; the attackers' ultimate goal is redirecting those users to their own website.

In this article, learn how this tech support scam gets users onto these domains, and how compromised websites target US users with EITest redirections hosted on numeric domain names.

The EITest scam

This scam is named after EITest, malicious software that pretends to detect an infection on your system and then prompts you to call a technician, who asks you to grant remote access through remote-control software. If you follow the steps, they will have you run the malware yourself, which only results in the loss of your money and other valuables.

  • Landing page for the EITest scam (King of Traffic distribution)

Once visitors called the number shown on the landing page, they were asked to install software that gave the scammers remote control of the computer.

These scammers are always improving their ‘product’ to make sure it generates as many victims as possible. That is why, if you want to read more about this EITest scam, you should keep following updates here on our website, and stay aware of what is going on where you live, especially in the United States of America.

EITest has become the most successful online scam. You will be amazed to see that in December 2013 alone, the scammers generated $8 million in revenue through this technique.

So, the EITest scam is a fraud that tries to make you believe your computer is infected so that the scammers can take control of it and extort money from you. In this article, we explain in an easily comprehensible way what they do to get money from you.

  • Multiple different redirect mechanisms

The scam used various ways to redirect visitors to malicious websites, and even the infrastructure differed in some cases. This variety persists because more than one hacker is working behind the scenes. Our investigation identified four additional types of redirect technique.

Multiple Website Redirection Mechanisms

A malware redirect is a common form of attack where visitors to the infected website are automatically redirected to phishing sites or malicious websites.

We recently noticed that many WordPress websites are being redirected to malicious domains. Attackers accomplish this by various means and infection sources.

It can bring serious ramifications, such as:

  • It could damage the image and reputation of your brand as a company.

  • A WordPress malware redirection hack obviously means a huge loss of traffic, as your hard-earned visitors are sent elsewhere.

  • Lower traffic, in turn, could result in decreased sales, so it affects the business.

  • The websites your visitors are redirected to could be pushing illegal products, which could land you and your website in legal trouble.

EITest redirection mechanism

This mechanism used EITest-infected websites to redirect visitors. Websites infected with EITest load a JavaScript file onto the page when it is opened. Since 2017, this script has run on browsers such as Firefox, Internet Explorer and Edge.

The first thing the script does is check that it is running in a real browser. Once that check passes, it sets a cookie named “popunder” and redirects the user to a decoy URL.

The decoy domains resolved to the IP address 204.155.28.5, in a King Servers range. This campaign creates a new domain every day. One can easily identify the pattern “/?{6 characters}” in the decoy URL; however, the pattern changes more than four times a day.

  • EITest campaign

The reason they use this pattern and a number of decoy domains is to route visitors through their Keitaro traffic distribution system (TDS). The TDS panel can be viewed by visiting that IP address with the /admin path.

The purpose of routing requests through the TDS before letting them land on the final page is to give the operators better control of the traffic and let them manage multiple campaigns at once.

When the decoy EITest URL was requested with a user agent carrying the MSIE tag, all the TDS had to do was send a 302 redirect to the desired landing page.

Crypper Redirection

This method created about sixty-five redirects every hour. The website responsible for these redirects was luyengame.com. Here is the PHP code responsible for the redirects.

  • PHP code responsible for Crypper redirection

First, the PHP code hides all errors from the output and reads the user agent and the visitor’s referrer.

Next, the code checks whether the visitor is genuine. If it is a bot, execution ends. It also checks whether the visitor is on a mobile device.

If the visitor is neither a bot nor on a mobile device, the redirect begins.

Biz Redirection

This campaign creates more than eighteen hundred redirects per hour.

The websites responsible for this were myilifestyle.com and www.fertilitychef.com, which performed 1199 and 1091 redirects respectively.

  • PHP code for Biz Redirection

You can identify this scam through the path appended to the TSS domain: “/index/?2171506271081”. The script fetches a second script from hxxp://5.45.67.97/1/jquery.js.php and executes it, which produces the redirection.

Plugin redirect

This redirect generates more than 180 redirects per hour, and the responsible website is Archive-s 54. info. The redirect code is obfuscated with the “reverse string” (strrev) function.

This makes it harder to detect and understand. Reversing the strings again reveals all the malicious URLs. They are:

  • hxxp://www.katiatenti.com/wp-content/plugins/sydney-toolbox/inc/

  • hxxp://kodmax.com/wp-content/plugins/twitter-widget-pro/lib/

  • hxxp://stefanialeto.it/wp-content/plugins/flexible-lightbox/css/

  • hxxp://emarketing-immobilier.com/wp-content/plugins/gotmls/safe-load/

Once a visitor reaches these URLs, the script sets a cookie and begins redirecting them to TSS landing pages. All four websites are themselves hacked.

Location for expert redirect

Some of the websites were redirecting visitors to a TSS domain with the path “/index/?1641501770611”.

After restoring the obfuscated code to its original form, the redirect logic is visible: the client queries the URL hxxp://ads.locationforexpert.com/b.php (the filename in the URL changes often), and the remote script then returns the URL for a chain of several redirects.
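As an added defensive check (not part of the original article), the following script scans proxy-log entries for the URL shapes described in this and the preceding sections: the six-character decoy query on a daily .tk domain, the “/index/?<digits>” TSS landing path, the 302 served to an MSIE user agent, and the decoy hosting IPs named in the article. The log format, hostnames and client addresses are constructed for the demonstration.

```python
"""Flag proxy-log entries matching the redirect URL shapes described above: the six-character
query on a daily .tk decoy, the /index/?<digits> TSS landing path, a 302 answered to an MSIE
user agent, and the hosting IPs the article names. Added example; log format and lines are constructed."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

DECOY_RE = re.compile(r"^/\?[A-Za-z0-9]{6}$")     # e.g. /?abc123 on the daily decoy host
TSS_RE = re.compile(r"^/index/\?\d{8,}$")         # e.g. /index/?2171506271081
KNOWN_IPS = {"204.155.28.5", "185.159.83.47", "54.36.151.52"}  # decoy hosting IPs from the article
# Constructed log format: <time> <client> <method> <url> <status> "<user-agent>" <dst-ip>
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)" (\S+)$')

def classify_request(url: str, status: int, user_agent: str, dst_ip: str) -> List[str]:
    """Return the indicator names an entry matches; an empty list means nothing of interest."""
    parts = urlsplit(url)
    path_q = parts.path + (f"?{parts.query}" if parts.query else "")
    hits = []
    if DECOY_RE.match(path_q):
        hits.append("eitest_decoy_path")
        if (parts.hostname or "").endswith(".tk"):
            hits.append("tk_decoy_domain")
    if TSS_RE.match(path_q):
        hits.append("tss_landing_path")
    if hits and status == 302 and "MSIE" in user_agent:
        hits.append("tds_302_for_msie")  # the TDS hands IE users straight to the landing page
    if dst_ip in KNOWN_IPS:
        hits.append("known_decoy_ip")
    return hits

def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each line and keep only entries carrying at least one indicator."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected format; skip rather than guess
        ts, client, _method, url, status, ua, dst = m.groups()
        hits = classify_request(url, int(status), ua, dst)
        if hits:
            alerts.append({"time": ts, "client": client, "url": url, "indicators": hits})
    return alerts

# Constructed sample lines; hostnames and client addresses are placeholders.
SAMPLE_LOG = [
    '2018-01-15T10:00:01Z 10.0.0.5 GET http://daily-decoy-example.tk/?a1b2c3 302 "Mozilla/4.0 (compatible; MSIE 8.0)" 204.155.28.5',
    '2018-01-15T10:00:02Z 10.0.0.5 GET http://tss-landing-example.com/index/?2171506271081 200 "Mozilla/4.0 (compatible; MSIE 8.0)" 198.51.100.7',
    '2018-01-15T10:00:03Z 10.0.0.9 GET http://www.example.org/?p=123456 200 "Mozilla/5.0 Firefox/57.0" 198.51.100.8',
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the first two lines and leaves the ordinary `?p=123456` request alone, since its query is neither six alphanumerics nor a digits-only `/index/?` path.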

ContainerRU redirect

This campaign creates more than three hundred redirects per hour, and www.cursosortografia.com was one of the main culprits. The hackers hid the code in a fake image with base64 encoding.

  • ContainerRU redirect cipher code

First, the code checks whether the browser is Chrome or Firefox. If so, the script redirects the visitor to a URL serving the payload. If the browser is Internet Explorer, the script redirects the user to hxxp://div-class-container.ru/index5.php, which then redirects the user to a TSS page with an HTTP 301. In all cases, if the infected domain ends in “edu”, “mil” or “gov”, the script does not redirect the user.

Doorway redirects

To understand doorway redirects, we first need to know what doorways are. A doorway script is hidden PHP code that lets hackers perform black-hat SEO manipulation by tricking search engine crawlers.

Other redirects

Besides the mentioned redirects, the framework also worked in other ways.

Chrome plugins: Some of the redirects led to fake extensions in the Chrome Web Store. These extensions generated traffic through heavy infections and multiple redirects. The main server, owned by Roi777, was responsible for all of this traffic.

Android apps: Domains in this framework also served some Android apps. Once the payload is downloaded, the application will contact another domain. Apps have the ability to redirect users to malicious ads and TSS.

Encrypted code for deploying backdoors in websites

After decoding and analyzing the code, it was found that the PHP script queries hxxp://kost8med.org/get.php with the current visitor’s user agent. Through this request it obtains the visitor's IP address and the page content, so the operator of that server can inject any content they want into the page and use the infected site as a redirect.

  • Decoded script for inserting backdoors

The most notable detail is that the domain kost8med.org resolves to 162.244.35.30, which is owned by Roi777. The second part of the code contained a function that executed whatever was sent in the “c” field of the POST request, provided the “p” parameter also carried the correct password.

The password in “p” is hashed twice before being compared with the MD5 hash hardcoded in the script. In WordPress, this backdoor is usually present in the following files:

  1. wp-config.php

  2. index.php

  3. wp-blog-header.php

  4. footer.php
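As an added example (written for this article, not the attackers' code or the WP Hacked Help tooling), the following Python script triages PHP files such as the four listed above for the indicators described here and under Plugin redirect: a code-execution sink fed from a POST field, the double-MD5 password gate compared against a hardcoded hash, strrev()-reversed URLs, long base64 blobs and error suppression. The sample PHP, its hash, URL and payload are constructed placeholders.

```python
"""Static triage of WordPress PHP files for the indicators described above: an eval()
sink fed from a POST field, the md5(md5(p)) == '<hash>' password gate, strrev()-hidden
URLs and long base64 blobs. Added example code, not the attackers' code; sample is constructed."""
import base64
import re
from typing import Dict, List

# Code-execution sink taking raw request input, e.g. eval($_POST['c']).
SINK_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*"
    r"(?:stripslashes\s*\(\s*)?\$_(POST|GET|REQUEST|COOKIE)\[", re.I)
# Double-hashed password compared against a hardcoded 32-hex MD5 digest.
GATE_RE = re.compile(
    r"md5\s*\(\s*md5\s*\(.*?\)\s*\)\s*={2,3}\s*['\"]([0-9a-f]{32})['\"]", re.I | re.S)
STRREV_RE = re.compile(r"strrev\s*\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
B64_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]", re.I)
SILENCE_RE = re.compile(r"error_reporting\s*\(\s*0\s*\)|@?ini_set\s*\(\s*['\"]display_errors['\"]", re.I)

def decode_strrev_urls(php: str) -> List[str]:
    """Reverse each strrev('...') literal and keep those that turn into URLs."""
    urls = []
    for literal in STRREV_RE.findall(php):
        reversed_text = literal[::-1]
        if re.match(r"https?://", reversed_text, re.I):
            urls.append(reversed_text)
    return urls

def scan_php_source(php: str) -> Dict[str, object]:
    """Collect every indicator present; an empty list / False means not found."""
    return {
        "rce_sink": [f"{m.group(1)}($_{m.group(2)}[...])" for m in SINK_RE.finditer(php)],
        "double_md5_gate": GATE_RE.findall(php),
        "strrev_url": decode_strrev_urls(php),
        "base64_blob": [blob[:16] + "..." for blob in B64_RE.findall(php)],
        "error_suppression": bool(SILENCE_RE.search(php)),
    }

# Constructed sample mirroring the described backdoor; hash, URL and payload are placeholders.
_HIDDEN_URL = "http://www.example.com/wp-content/plugins/sample-plugin/inc/"
_REVERSED_URL = _HIDDEN_URL[::-1]
_PAYLOAD = base64.b64encode(b"<?php /* placeholder payload */ ?>" * 2).decode()
SAMPLE_PHP = f"""<?php error_reporting(0);
if (isset($_POST['p']) && md5(md5($_POST['p'])) == '0123456789abcdef0123456789abcdef') {{
    eval(stripslashes($_POST['c']));
}}
$u = strrev('{_REVERSED_URL}');
$img = base64_decode('{_PAYLOAD}');
?>"""
```

`scan_php_source(SAMPLE_PHP)` reports all five indicators for the constructed file; run it over wp-config.php, index.php, wp-blog-header.php and the theme's footer.php and treat any `double_md5_gate` or `rce_sink` hit as a confirmed backdoor rather than a heuristic.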

Infection vector

Most of the time, the malicious code was in the footer.php file of a WordPress plugin named Genesis. This plugin has been considered vulnerable since 2016.

Most of the other sites, however, were compromised through various other means, such as brute-forcing and other compromised plugins.

Final Analysis – Website Redirecting to Fake Tech Support Pages

The domain roi777.com is one of the few websites to generate thousands of dollars in a very short time. It is a system that requires neither investment nor complicated effort.

To protect the infrastructure against tampering, they used a key that is simply the MD5 hash of the domain name concatenated with “ropl”.

By analyzing the captured traffic, it became clear that requests from IP 89.108.105.13 were excluded. This was probably the IP address of a server that controls the doorways and the infrastructure.

Analyzing the many requests to the backend servers revealed interesting GET requests of the form hxxps://xxx.com/tech_supportv2.php?update_domain=<Tech support Scam domain>. If the value of “update_domain” were changed to a safe domain, all of the traffic might be diverted there.

Although the methods used suggest that several actors are behind the scam, the repeated appearance of Roi777 makes it the central figure.

The majority of scripts contact roi777.com/domain.php to get the latest domains. Roi777 also has its own website that showcases some traffic-generating success stories.

Use of fraudulent domains

Domains under the .tk TLD change over a hundred times a day. In thirty days, more than twenty-nine of these domains were registered. The most common IPs they resolve to are:

  • 35% of them resolve to 204.155.28.5 (King Servers)

  • 30% of them resolve to 185.159.83.47 (King Servers)

  • 5% of them resolve to 54.36.151.52 (OVH)

PHP backdoors

Several bots were reporting to the server owned by Roi777. In total, more than fifteen hundred infected websites were reported to it. The websites reporting to the service carried two types of backdoor.

The types of CMS involved were recorded in the following chart:

  • PHP backdoor

Fixing EITest Redirection Hack with WP Hacked Help

All the actors behind the pseudonym Roi777 are trying to capture maximum traffic by distributing malicious code and applications. By infecting unsuspecting visitors through compromised plugins and extensions, they put those visitors at risk in order to earn more money.

They are still active and redirect traffic for monetary gains.

The EITest Redirection was entirely responsible for this campaign and is still taking advantage of backdoors even after the main server IP addresses were revealed. Without a website security service, these scripts cannot be removed. Services like WP Hacked Help can get rid of all malicious content on the website and protect it from all external threats including harmful plugins and PHP codes.

If your website is infected with crypto-mining malware that redirects users to malicious sites, check our detailed blog post on how to remove crypto-mining malware.

If your WordPress site is redirecting to malicious advertising websites or other malicious pages, contact our team of security experts to fix your hacked WordPress site.