Inside The Ongoing CloudFront Auto Redirect Attack
Auto-redirects are a growing pestilence- a dangerous vehicle for malvertising that seizes users and reroutes them. GeoEdge’s Security Team has uncovered an ongoing attack, that is estimated to have begun around May 29th.
This report highlights one type of attack in which users are thrown or ‘redirected’ to an undesired landing page without their consent, prompting undesired downloads into the users’ machine/device.
In this specific case, we are looking at a jQuery script that is received from their own server store in CloudFront– https://d36q37f47aiusg.cloudfront.net/js/jquery.min.js
Amazon’s CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally.
Here you can see the code that initiates the script, look into the first line:
Full code can be found here- https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js
Unlike previous cases in which attackers use jQuery for auto-redirect attacks, this time, the attacker is not modifying the script itself but initiating another request for a script called qycqeck.js.
The server is armed with cloaking services in order to hide the ‘offensive’ script from researchers. The script contains fingerprinting methods to identify the client’s device. In this case, the client specifies the attacker’s conditions, and a third request is generated to an Amazon S3 server in order to initiate the auto-redirect attack.
Lastly, below are some examples of the landing pages the users are being ‘thrown’ to: