Help TDS Weaponize Legitimate Sites’ PHP Code Templates With Fake Microsoft Windows Security Alert Pages


A sophisticated traffic direction system known as Help TDS has been weaponizing compromised websites since 2017, transforming legitimate sites into gateways for elaborate tech support scams.

The operation specializes in deploying PHP code templates that redirect unsuspecting visitors to fraudulent Microsoft Windows security alert pages designed to deceive users into believing their systems are compromised.

The malicious infrastructure operates through a distinctive URL pattern, “/help/?\d{14}” (a /help/ path followed by a 14-digit query string), with examples including gadbets[.]site/help/?29511696874942 and radiant.growsier[.]shop/help/?30721707351057.


These redirects lead victims to sophisticated scam pages that employ full-screen browser manipulation and exit prevention techniques, effectively trapping users within fabricated security warnings that mimic legitimate Microsoft alerts.
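A defender-side check for the redirect pattern described above, added here as an example and not part of the GoDaddy research or the article: it scans constructed egress-log lines (the log format is an assumption) for URLs of the /help/?-plus-14-digits shape, accepts defanged input the way analysts paste it, and reports the redirect host and campaign identifier.

```python
import re

# Help TDS redirect URL shape reported by GoDaddy: a "/help/" path followed
# by a query string of exactly 14 digits. The trailing lookahead keeps a
# longer digit run from matching on its first 14 characters.
HELP_TDS_RE = re.compile(
    r"https?://(?P<host>[A-Za-z0-9.-]+)/help/\?(?P<campaign>\d{14})(?!\d)"
)


def refang(text: str) -> str:
    """Turn analyst-style defanged text (gadbets[.]site, hxxp://) into matchable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def defang(host: str) -> str:
    """Write a host back in the defanged form used in the report."""
    return host.replace(".", "[.]")


def find_help_tds_hits(lines):
    """Return one dict per log line whose URL matches the Help TDS pattern."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = HELP_TDS_RE.search(refang(line))
        if m:
            hits.append({
                "line": lineno,
                "host": defang(m.group("host").lower()),
                "campaign_id": m.group("campaign"),
            })
    return hits


# Constructed egress-proxy style log lines (timestamp, client IP, method, URL);
# this format is assumed, not taken from the article. The two matching domains
# are the redirect examples cited in the research; the other lines are benign
# decoys, including a 13-digit near-miss.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 GET http://www.example.com/help/?page=2",
    "2025-01-01T10:00:01Z 10.0.0.5 GET http://gadbets.site/help/?29511696874942",
    "2025-01-01T10:00:02Z 10.0.0.7 GET https://radiant.growsier.shop/help/?30721707351057",
    "2025-01-01T10:00:03Z 10.0.0.9 GET http://other.example/help/?3072170735105",
]

if __name__ == "__main__":
    for hit in find_help_tds_hits(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} campaign {hit['campaign_id']}")
```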

Help TDS has evolved into a comprehensive malware-as-a-service platform, providing standardized PHP injection templates and fully-featured malicious WordPress plugins to criminal affiliates.

The operation’s reach extends across multiple monetization channels, including dating, cryptocurrency, and sweepstakes scams for traffic that doesn’t meet tech support scam criteria.

GoDaddy researchers identified that the system has infected over 10,000 WordPress sites worldwide, with the malicious “woocommerce_inputs” plugin serving as the primary infection vector.

The campaign’s technical sophistication becomes evident through its integration with established malware operations, including DollyWay and Balada Injector.

Example contents from the trafficredirect telegram channel (Source – GoDaddy)

After the disruption of the LosPollos affiliate network, Help TDS positioned itself as the dominant monetization platform, utilizing a Telegram channel called “trafficredirect” for distributing fresh redirect domains alongside fallback infrastructure through pinkfels[.]shop servers.

Advanced Plugin Evolution and Persistence Mechanisms

The malicious woocommerce_inputs plugin represents the pinnacle of Help TDS’s technical evolution, progressing through multiple versions with increasingly sophisticated capabilities.

Obfuscated woocommerce_inputs/woocommerce-load.php file (Source – GoDaddy)

Version 1.4 introduced advanced traffic filtering mechanisms, creating database tables such as “wp_ip_tracking” to monitor visitor IP addresses and prevent multiple redirections.

The malware implements temporal evasion by avoiding redirects on Sundays, geographic targeting focusing on USA, Canada, and Japan, and device filtering that exclusively targets desktop computers while ignoring mobile traffic.

The plugin’s persistence strategy involves delayed activation, waiting 24 hours post-installation before initiating redirects to obscure the connection between plugin installation and malicious activity.

Cookie management through “redirect” and “partner_” identifiers ensures visitors aren’t redirected multiple times within a 24-hour period, maintaining operational stealth while maximizing victim conversion rates.

Version 2.0.0 introduced autonomous update capabilities through the Help TDS command-and-control infrastructure, enabling dynamic plugin modifications via API endpoints at pinkfels[.]shop/wp-plugin.

The system generates customized plugin versions for each campaign identifier, demonstrating the operation’s sophisticated infrastructure management.

Threat actors gain initial access through stolen WordPress administrator credentials, with server logs revealing swift 22-second attack sequences from login to plugin activation.

The redirect mechanism employs two JavaScript methods for browser compatibility, window.location.replace("$redirectUrl"); followed by window.location.href = "$redirectUrl"; (with $redirectUrl interpolated by the PHP template), ensuring reliable traffic redirection regardless of browser security settings.

This technical approach, combined with credential harvesting functionality that exfiltrates WordPress user data bi-weekly, creates a self-perpetuating cycle of compromise where stolen credentials facilitate further infections across the WordPress ecosystem.
