Malware Redirection Incident Report

Activity Overview

In this lab, I acted as a cybersecurity analyst investigating a security incident affecting the website yummyrecipesforme.com. Visitors were being redirected to a malicious site and prompted to download malware. My job was to analyze network traffic, identify the type of attack, and recommend solutions. tcpdump log .

Using tcpdump, I analyzed the packet logs to trace how the connection between users and the website was being hijacked. This helped me determine the exact sequence of events and assess the threat posed by a brute force attack combined with a redirection via malicious JavaScript code.

Scenario Summary

A former employee used a brute force attack to gain access to the admin panel of the company website. They modified the source code to embed JavaScript that prompted visitors to download an executable file. Once run, the malware redirected users to a malicious clone of the site.

Multiple users reported their devices slowing down after the download. Upon investigation, the following network activity was observed:

1. DNS request to yummyrecipesforme.com
2. HTTP request to the correct IP and download of the executable
3. Redirection via a new DNS query to greatrecipesforme.com
4. Browser sent to malicious content on the fake site

Attack Type Identified

The primary attack vector in this incident was a brute force attack used to gain unauthorized admin access. Following the compromise, a malware injection via JavaScript allowed the attacker to redirect users and deploy malicious payloads.

Impact on the Website

• Legitimate users unknowingly downloaded malware, endangering their systems.
• Customer trust was compromised due to security flaws.
• The website was redirected to a malicious domain, spreading the attack further.

Recommended Security Measures

• Immediately reset all admin credentials and remove default passwords from use.
• Implement two-factor authentication (2FA) for all admin accounts.
• Install brute-force detection tools to block repeated login attempts.
• Conduct routine vulnerability scans and code reviews to detect injected scripts.

Conclusion

This investigation provided valuable experience in analyzing real-world network traffic, identifying protocol misuse, and mitigating web-based brute force attacks.

← Back to Portfolio