DriveSurge Hijacks Thousands of Sites to Deliver ClickFix and FakeUpdate Malware
What Happened — A malicious traffic-distribution system (TDS) dubbed “DriveSurge” has been observed redirecting visitors from legitimate, high-traffic websites to counterfeit “ClickFix” and “FakeUpdate” pages that serve ransomware, banking trojans, and adware. The operation leverages compromised ad-network scripts and vulnerable third-party widgets to inject the TDS into thousands of domains worldwide.
Why It Matters for TPRM —
- Third‑party web assets (ads, analytics, CDN scripts) can become a covert infection vector for your customers and employees.
- The attack bypasses traditional perimeter defenses because the initial request lands on a trusted domain.
- Persistent redirection infrastructure can remain undetected for months, amplifying data‑exfiltration and credential‑theft risk.
Who Is Affected — E‑commerce, media, SaaS platforms, financial services portals, and any organization that embeds third‑party web components.
Recommended Actions —
- Conduct a comprehensive inventory of all third‑party scripts and ad‑network relationships.
- Deploy web application firewalls (WAFs) with real-time URL reputation feeds to block known DriveSurge domains.
- Implement strict Subresource Integrity (SRI) checks for externally hosted JavaScript.
- Perform regular integrity scans of hosted pages and monitor DNS traffic for anomalous redirects.
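The SRI check and the page-integrity scan from the actions above, as an added illustration (not code from the report or from Dark Reading): a small auditor that lists third-party script tags lacking an integrity pin, plus the digest comparison a browser performs when a pin is present. Hosts and script bodies are constructed for the example.

```python
import base64
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Integrity value the browser compares against: 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def sri_matches(integrity: str, content: bytes) -> bool:
    """Re-run the browser's check: does the fetched script body match the pinned digest?"""
    algo = integrity.partition("-")[0]
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unsupported algorithm: browsers ignore it, so it protects nothing
    return hmac.compare_digest(sri_digest(content, algo), integrity)

class _ScriptTags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.tags.append(dict(attrs))  # a bare attribute (crossorigin) maps to None

def audit_external_scripts(html: str, site_host: str) -> list:
    """Flag third-party <script src> tags (ads, analytics, CDNs) that are not SRI-pinned."""
    parser = _ScriptTags()
    parser.feed(html)
    findings = []
    for attrs in parser.tags:
        host = urlparse(attrs.get("src") or "").hostname
        if host is None or host == site_host:
            continue  # inline or same-origin script: outside this check
        problems = []
        if not attrs.get("integrity"):
            problems.append("no integrity attribute")
        if "crossorigin" not in attrs:
            problems.append("no crossorigin attribute (cross-origin SRI needs CORS)")
        if problems:
            findings.append({"src": attrs["src"], "problems": problems})
    return findings

# Constructed sample page (hypothetical hosts): one pinned CDN library, one unpinned ad tag.
LIB_JS = b"window.lib = {};"
SAMPLE_HTML = f"""<html><head>
<script src="/js/app.js"></script>
<script src="https://ads.example-adnetwork.invalid/tag.js"></script>
<script src="https://cdn.example.invalid/lib.js" integrity="{sri_digest(LIB_JS)}" crossorigin="anonymous"></script>
</head></html>"""
```

Scripts whose content changes on every load cannot be pinned, so a finding against an ad tag is a prompt for the inventory step above rather than a hash to paste in.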
Technical Notes — The DriveSurge TDS exploits a supply-chain weakness: compromised ad-network JavaScript injects a client-side redirect that points to malicious “ClickFix” or “FakeUpdate” landing pages. No public CVE is associated with the campaign; the vector relies on stolen or hijacked third-party credentials and misconfigured ad-placement policies. Data types at risk include login credentials, payment information, and endpoint binaries. Source: Dark Reading