GroupGreeting, a popular e-card site, was used to infect thousands of websites with malware this holiday season as part of a widespread cyberattack, Malwarebytes revealed on Thursday.
E-greeting card platforms are used by thousands of major companies to send digital cards to associates and clients each year.
Taking notice, savvy threat actors have taken advantage of the spike in visitor traffic over the holidays and have used these e-card platforms to spread malicious code infecting over 2,800 websites worldwide, in what threat researchers are now referring to as the “zqxq” campaign.
One of those compromised e-card sites is GroupGreeting, a popular digital greeting card platform that claims to be the world’s number-one service for enterprises sending online greetings.
With major brands using the e-card service, including Airbnb, Coca-Cola, and eBay, GroupGreeting has become a “lucrative target” for threat actors who know users are more likely to open links from trusted companies, the Malwarebytes blog said.
“GroupGreeting is used by more than 25,000 businesses and has sent out over 90,000,000 messages of appreciation in 195 countries,” the company website states.
Overall, malicious e-greeting card campaigns have “accounted for 43,106 detections in 2024,” the security researchers said.
Taking advantage of JavaScript injection
“The ‘zqxq’ attack takes advantage of trusted websites with high traffic… especially those with a seasonal increase in user interactions,” said Stefan Dasic, manager of research and response at Malwarebytes’ ThreatDown cybersecurity platform.
The malware injection campaign responsible for originally compromising GroupGreeting, known as both “NDSW/NDSX” and “TDS Parrot,” has since been patched, but researchers say the latest ‘zqxq’ campaign “closely mirrors NDSW/NDSX-style malware behavior,” and believe the two overlap.
Malwarebytes recently uncovered a widespread cyberattack that compromised GroupGreeting, a popular platform used by companies to send digital greeting cards. https://t.co/9wMSpZgI3V
Malwarebytes (@Malwarebytes) January 9, 2025
The cybercriminals are said to be injecting an “obfuscated JavaScript snippet” – designed to blend in with legitimate site files – into the victim’s websites.
Both campaigns have been seen exploiting vulnerabilities in popular CMS platforms, such as WordPress, Joomla, or Magento, as well as outdated plugins.
These pieces of JavaScript code are not approved by the site’s developers and instead get “hidden within themes, plugins, or other critical scripts… using scrambled variables (e.g., zqxq) and custom functions (HttpClient, rand, token) to evade detection and hamper analysis,” Dasic explained.
He noted that, as is typical in large-scale JavaScript injection campaigns, the malware was found capable of carrying out functions such as token generation and redirection, conditional checks and evasion, and remote payload retrieval.
Furthermore, once the malware activates in a user’s browser, it can redirect the victim to external domains that host secondary payloads. These payloads can range from phishing pages designed to steal credentials, to malicious info stealers or ransomware, the research found.
And because the attackers often generate random or “tokenized” URLs, it can be difficult for basic blocklists to keep pace, Dasic said.
“Malicious code can hide in multiple files or within the database. Deleting one infected file may not remove all traces, allowing reinfection to occur,” he added.
To protect against the 'zqxq' campaign and similar attacks, Malwarebytes recommends that organizations ensure all systems are up to date and patched accordingly. Organizations should also employ automated monitoring to flag any unauthorized file changes and have their users undergo regular security awareness training to understand potential risks.
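The two defensive measures the article describes, flagging unauthorized file changes and triaging modified theme or plugin files for the obfuscation traits Dasic lists (scrambled names such as zqxq, helper functions named HttpClient, rand or token, remote payload retrieval), can be combined in a small monitoring script. The following is an added example written for this page; it is not Malwarebytes’ tooling and the indicator patterns, sample file paths and sample scripts are constructed assumptions built from the description above, not real campaign code.

```python
"""Web-root integrity baseline plus obfuscated-script heuristics.

Added example (not Malwarebytes' code). Control 1 hashes every file under a
CMS web root so unauthorized changes are flagged; control 2 applies simple
heuristics so a changed file can be triaged. Indicator patterns are
assumptions derived from the article's description of the injected script.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

SCAN_SUFFIXES = {".js", ".php", ".html"}

# Heuristic indicators. None proves compromise alone; each file is reported
# with the list of indicators it tripped so an analyst can triage it.
SUSPICIOUS_PATTERNS = {
    "scrambled_var": re.compile(r"\bzqxq\b"),
    "helper_names": re.compile(r"\b(HttpClient|rand|token)\s*\("),
    "dynamic_eval": re.compile(r"\b(eval|String\.fromCharCode|atob)\s*\("),
    "long_b64_blob": re.compile(r"['\"][A-Za-z0-9+/=]{80,}['\"]"),
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets never load whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as added, removed or modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def scan_js(text: str) -> list[str]:
    """Return the sorted names of every indicator the text trips."""
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan script-bearing files under root; only files with findings appear."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in SCAN_SUFFIXES:
            hits = scan_js(p.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


# Constructed samples for the demonstration (not real campaign code).
CLEAN_JS = """document.addEventListener("DOMContentLoaded", function () {
  var menu = document.querySelector("#menu");
  if (menu) { menu.classList.add("ready"); }
});
"""

# Inert stand-in for an injected snippet: scrambled name, helper-style function
# names, a decode-and-evaluate step and a long opaque blob, with no payload.
INJECTED_JS = """var zqxq = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLz0=";
function token() { return Math.random().toString(36).slice(2); }
function HttpClient() {}
eval(atob(zqxq));
"""


def demo() -> dict:
    """Baseline a constructed web root, alter a theme file, detect the change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "site" / "js" / "menu.js"
        theme.parent.mkdir(parents=True)
        theme.write_text(CLEAN_JS, encoding="utf-8")
        before = build_baseline(root)
        # Simulate the unauthorized change: code appended to a trusted theme file.
        theme.write_text(CLEAN_JS + INJECTED_JS, encoding="utf-8")
        changes = diff_baseline(before, build_baseline(root))
        return {"changes": changes, "findings": scan_tree(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline would be written to storage the web server cannot modify and re-checked on a schedule; the heuristic scan is a triage aid for whatever the diff reports, not a replacement for restoring changed files from a known-good copy, which matters because, as Dasic notes, deleting one infected file may leave other traces behind.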