Web developers

Parrot TDS poses an immediate risk to web developers everywhere

Staying up to date with the ever-changing security landscape is essential to maintaining web server security and keeping potential threats at bay.

There are several key threats to web servers that are important to be aware of in order to prevent and mitigate these risks. DoS and DDoS attacks, SQL injections, unpatched software and cross-site scripting, to name a few.

Today, a recent discovery by Avast threat researchers has brought to light an immediate and significant risk to web developers around the world, named Parrot TDS.

What is a TDS?

Traffic direction systems (TDS) are not new. They have been the enemy of web developers for several years. Used as landing pages that direct unsuspecting users to malicious content, TDS serves as a gateway to deliver various malicious campaigns through infected sites.

Many TDSs have reached a high level of sophistication and often allow attackers to set parameters that examine users’ geolocation, browser type, cookies, and the website they came from.

This is used to target victims who meet certain conditions and only show them phishing pages. These settings are usually set so that each user only sees a phishing page once to prevent servers from being overloaded.

TDS Parrot

In February, Avast threat researchers discovered a swarm of attacks using a new traffic-directing system (TDS) to take control of victim devices. The new TDS, named Parrot TDS, has appeared in recent months and has already reached hundreds of thousands of users worldwide, infecting various web servers hosting more than 16,500 websites.

One of the main factors that sets Parrot TDS apart from other TDSs is its spread and the number of potential victims it has. From March 1, 2022 to March 29, 2022, Avast protected more than 600,000 unique users worldwide visiting Parrot TDS infected sites, including more than 11,000 users in the UK During this period, Avast protected the most users in Brazil (73,000) and India (55,000); and over 31,000 unique users in the United States.

In this particular case, the appearance of infected sites is altered by a campaign called FakeUpdate, which uses JavaScript to display fake notifications allowing users to update their browsers, offering an update file for download. The file we observed being delivered to victims is a remote access tool called NetSupport Manager which is misused by attackers to give them full access to victims’ computers.

Parrot TDS also creates a backdoor on infected web servers in the form of a PHP script to serve as a backup option for the attacker.

FakeUpdate

Like Parrot TDS, FakeUpdate also performs a preliminary scan to collect information about the site visitor before displaying the phishing message. The scan checks which antivirus product is on the device to determine whether or not to display the phishing message.

The distributed tool is configured in such a way that the user is very unlikely to notice it and if the file displayed by FakeUpdate is executed by the victim, the attackers gain full access to their computer.

Researchers have observed other phishing sites hosted on Parrot TDS infected sites, but cannot conclusively link them to Parrot TDS.

CMS websites

We believe attackers are exploiting the web servers of poorly secured content management systems, such as WordPress and Joomla sites, by logging into accounts with weak credentials to gain administrator access to the servers.

WordPress has a long history of being a very rich and desirable target for exploits. This is because the software is based on running a series of PHP scripts, which is a popular place for hackers. The large number of components, including plugins, themes, and other scripts, makes it difficult to prevent infections or potential compromises.

On top of that, many WordPress websites are running older versions which could cause multiple major releases, leading to unpatched security vulnerabilities. Additionally, some administrators are inexperienced in IT operational security or simply overloaded with other responsibilities and cannot dedicate enough time to implementing the necessary security measures to keep a WordPress site secure.

How developers can protect their servers

Nevertheless, web developers can take some steps to protect their servers from these attacks, starting by simply scanning all files on the web server with an antivirus program. Other steps developers can take include:

– Replace all JavaScript and PHP files on the web server with original files
– Use the latest version of the CMS
– Use the latest versions of installed plugins
– Check auto-running tasks on webserver (e.g. cron jobs)
– Verify and configure secure credentials and use unique credentials for each service
– Check administrator accounts on the server, making sure each one is owned by developers and has strong passwords
– If applicable, configure 2FA for all web server administrator accounts
– Use available security plugins (WordPress, Joomla)

How Site Visitors Can Avoid Being Phished

For site visitors, it’s more important than ever to be vigilant online. If a visited site looks different from what they expect, visitors should exit the site and not download files or enter any information.

Likewise, visitors should only download updates directly from browser settings and never through other channels.