Online forums clearly have targets on their backs: hackers inject additional code into them and try to steal anything they can get their hands on.
Attackers steal Google traffic from the forums and exploit this traffic via ads. Their main targets right now appear to be forums based on the vBulletin software.
Professional hackers have very discreet working methods. They hide their code deeply within the system and ensure their redirections don’t attract much attention. Only users who visit forum pages for the first time via a search engine such as Google end up redirected to an url123.info URL. This site initially displays a strange blocking alert (“Access denied”) followed by some arbitrary text and then loads a full-page ad by InfinityAds.
The ads are probably a direct source of income for the intruders, even though each ad is only worth a few pennies. However, as some forum operators have reported that their traffic has dropped by more than 70 percent, the overall yield is likely to be considerable.
Forum owners and regular forum users who access the pages directly never encounter the redirection. Neither will those who try to reproduce the issue by repeatedly clicking through to the forum via Google, because a cookie already exists for the page. One way of reliably reproducing the redirection is to carry out a search with a browser in private or anonymous mode.
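A forum operator can script the same comparison. The following is an added example, not code from the original article: it makes a cookieless request carrying a search-engine Referer and a direct one, then reports off-site redirect targets seen only on the former. The Referer value, `forum.example` and the sample responses are constructed, and the script assumes the redirect appears as an HTTP 3xx, a meta refresh or a simple script assignment, which the article does not specify.

```python
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

SEARCH_REFERER = "https://www.google.com/search?q=forum"  # constructed value
# Constructed responses for offline illustration: (status, Location, body)
SAMPLE_DIRECT = (200, None, "<html><title>Forum</title></html>")
SAMPLE_SEARCH = (302, "http://url123.info/", "")

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx instead of following it

def fetch(url, referer=None):
    """Cookieless GET, like a private-mode visit; returns (status, Location, body)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(url, headers=headers), timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # unfollowed redirects arrive here
    return resp.code, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")

def offsite_targets(base_url, status, location, body):
    """Hosts other than the forum's own that this response sends a browser to."""
    candidates = [location] if 300 <= status < 400 and location else []
    # Heuristics for meta-refresh and simple script redirects in the page body
    candidates += re.findall(r'http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', body, re.I)
    candidates += re.findall(r'location(?:\.href)?\s*=\s*["\']([^"\']+)', body, re.I)
    hosts = {urlparse(urljoin(base_url, c)).hostname for c in candidates}
    return {h for h in hosts if h and h != urlparse(base_url).hostname}

def cloaked_redirects(base_url, direct, via_search):
    """Off-site hosts seen only on the search-referred, cookieless request."""
    return offsite_targets(base_url, *via_search) - offsite_targets(base_url, *direct)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of a forum URL you operate
        url = sys.argv[1]
        print(cloaked_redirects(url, fetch(url), fetch(url, SEARCH_REFERER)))
    else:  # offline run on the constructed samples
        print(cloaked_redirects("http://forum.example/", SAMPLE_DIRECT, SAMPLE_SEARCH))
```

An empty result means the two requests led to the same hosts; any host that appears only for the search-referred request is worth tracing back to the installed plug-ins and templates.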
The German Typo3 forum is among the forums currently affected. The precise cause remains unclear. Various contributors suspect a connection to vbSEO – a search engine optimization extension. This extension ended up compromised in a way that allowed attackers to install malicious plug-ins via the forum administrator’s account. In their FAQs, the vbSEO developers provided a tool for testing vBulletin installations.