
Old flaws, new scams: How cybercriminals turn outdated tools into entry points

The biggest risk on some websites is not new code. It’s old code that no one removed. Neglected software can become an easy entry point for cybercriminals into a trusted website. NordVPN’s cybersecurity research team recently analyzed a large exploit campaign that shows how dangerous that oversight can be.

2026-04-06

Reading time: 8 min.

Old flaws, new scams: How outdated website tools put users at risk

KEY FINDING: 1,300+ trusted domains compromised

The NordVPN analysis revealed that cybercriminals compromised more than 1,300 web domains and used them to spread malware, fake shops, phishing pages, and other scams. Many of these domains belong to trusted organizations, including government and public institutions, big companies, and businesses in critical sectors.


Why this campaign deserves attention

Most people expect malicious activity to come from suspicious websites, unknown senders, or obviously fake pages. Attackers exploit that assumption by hijacking legitimate domains with established reputations. That’s what makes this campaign so dangerous. Instead of building trust from scratch, cybercriminals exploit trust that users and search engines already place in credible websites.

When a malicious link comes from a respected domain, it looks convincing. When scam content appears on a familiar site, users have few reasons to question it. That false sense of legitimacy makes the threat hard to spot before damage is done.

Trusted domains can also slip past technical defenses. Security tools often allow traffic from reputable websites, which gives attackers more room to deliver malware, redirects, or scam content without immediate detection.

For businesses, the risk is serious. If a trusted domain is poorly maintained or relies on outdated tools, attackers can compromise it and use it as a launch point for malicious activity.

To make things worse, the campaign is part of a wider scam ecosystem. Our Threat Intelligence team linked the abuse of outdated website tools to scam activity that also includes fake shopping platforms and advance-fee crypto scams.

Across these scams, the strategy remains the same — attackers keep finding ways to weaponize trust, whether that trust comes from a respected domain, a familiar storefront, or a platform that appears established and safe. That’s what I find most dangerous about this campaign.

The old flaw behind a current campaign

Old web editors, plugins, and site tools don’t always disappear when support ends. They often remain buried in long-running websites, legacy systems, or abandoned content management system (CMS) add-ons.

The investigation pinpointed FCKeditor as a central part of the campaign. FCKeditor is a web editor that developers phased out in 2010, and it no longer receives support. Attackers exploited a known vulnerability in the tool, identified as CVE-2009-2265.

The flaw lets attackers upload files to a server and execute malicious code on it. In practical terms, a weak point in an outdated content tool can give attackers remote access to part of a website.

Why outdated plugins stay dangerous for years

Website owners often focus on the parts of a site that visitors can see. They update the homepage, refresh the design, or add new content. Hidden software components don’t always get the same attention. That oversight creates risk.

Older websites, especially those built on widely used CMS platforms such as WordPress or Drupal, can accumulate outdated plugins, abandoned tools, and unsupported extensions over time. If administrators don’t remove or replace those components, the website may still expose vulnerabilities that attackers already know how to exploit.

A vulnerability doesn’t stop being valuable to attackers just because it’s old. It stops being useful only when it’s patched, removed, or isolated.

Attackers don’t need a brand-new zero-day vulnerability to cause damage. Sometimes, a flaw that is more than 15 years old is enough.

How the attack works

The campaign described by NordVPN’s Threat Intelligence team follows a clear sequence. Attackers first identify legitimate websites that still run the outdated FCKeditor component. They then exploit the known flaw in that component to upload a file to the server and run malicious code there.

Next, they spread links through email, social media, messaging apps, and search engine tactics such as SEO poisoning. A person may click what looks like a normal link and land on a trusted but compromised website.


PRO TIP

To learn how to spot suspicious pages before you click, read our guide on how to identify fake or scam websites.

When a user lands on the compromised website, the malicious file checks the user’s environment before deciding what happens next. The analysis found that it can inspect screen resolution and keyboard language settings. It also checks the user agent, which reveals the user’s browser, device, and operating system.

Attackers use that information to decide which scam to show each user. One person may be redirected to a fake investment page. Another may be sent to a fake shopping website.

The compromised site doesn’t usually host the final scam page. Instead, the legitimate site acts as a launchpad and sends the user to a separate malicious domain that hosts the fake page.

This tailored approach makes the scam feel more believable and shows that the campaign is carefully planned, not random. The attackers aren’t sending the same page to everyone — they are matching the scam to the user.
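As an added illustration (not code from NordVPN's analysis), the following Python script shows how a site owner could look in web server access logs for the upload-then-execute sequence described above. It assumes the standard FCKeditor 2.x directory layout and combined-format logs; the log lines are constructed.

```python
"""Added example (not NordVPN's code): flag the upload-then-execute pattern
the article describes in web server access logs.

Assumptions (not stated in the article): FCKeditor 2.x default layout, so the
upload connectors live under .../editor/filemanager/connectors/ and uploads
land under /userfiles/. Lines are in combined log format; the sample is constructed.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CONNECTOR = re.compile(r'/editor/filemanager/connectors/', re.I)
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|asp|aspx|cfm|jsp)(\.|$)', re.I)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_alerts(lines):
    """Return alert strings for (1) POSTs to a connector endpoint, i.e. upload
    attempts, and (2) requests for server-side scripts under the upload
    directory, which an image/file store should never contain."""
    alerts, uploaders = [], set()
    for rec in filter(None, map(parse, lines)):
        path = rec['path'].split('?', 1)[0]
        if rec['method'] == 'POST' and CONNECTOR.search(path):
            uploaders.add(rec['ip'])
            alerts.append(f"UPLOAD {rec['ip']} -> {path} ({rec['status']})")
        elif '/userfiles/' in path.lower() and SCRIPT_EXT.search(path):
            tag = 'EXEC-AFTER-UPLOAD' if rec['ip'] in uploaders else 'SCRIPT-IN-UPLOADS'
            alerts.append(f"{tag} {rec['ip']} -> {path} ({rec['status']})")
    return alerts

# Constructed sample: one benign visit, one upload to the legacy connector,
# then the same client fetching a script from the upload directory.
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Apr/2026:10:01:02 +0000] "GET /news/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Apr/2026:10:01:07 +0000] "POST /fckeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Apr/2026:10:01:09 +0000] "GET /userfiles/file/x.php HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Apr/2026:10:05:41 +0000] "GET /userfiles/image/logo.png HTTP/1.1" 200 9001 "https://example.org/" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for a in find_alerts(SAMPLE_LOG):
        print(a)
```

Point it at a real access log by replacing SAMPLE_LOG with the file's lines; adjust LOG_RE if your server uses a custom log format.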

It’s a global campaign, not a local anomaly

The campaign was not limited to one region. Activity was most heavily observed in the United States, across Europe, and in China.

That range matters because it shows scale and intent. Attackers are not testing isolated targets in one market. They are using a global playbook designed to reach large user bases, trusted brands, and high-value institutions across regions.

Different languages, hosting environments, and legal systems add complexity. Effective defense requires regular maintenance, close monitoring, and sharing threat information across borders and industries.

Why you should care

Many people assume they can spot a scam by looking for bad grammar, strange URLs, or poor design. That approach is no longer enough when the attack begins on a legitimate domain.

What website owners need to do now

If you manage a website, this campaign should act as a warning. Cyber hygiene is not only about stopping the newest threats. It also means removing old risks before attackers turn them into a new entry point.

I’d recommend focusing on these priorities:

  • Audit every plugin, extension, and embedded tool. Look beyond the main CMS version. Review every add-on, editor, upload module, and admin tool connected to the site.
  • Remove unsupported software immediately. If a component has reached the end of its life and no longer receives updates, it shouldn’t remain active on a production website.
  • Patch known vulnerabilities. When a vulnerability receives a published CVE, it becomes public knowledge. Defenders can patch it, but attackers can also use that same information to target unpatched systems.

What is CVE?

CVE stands for Common Vulnerabilities and Exposures. It’s a public identifier for a security flaw that has already been discovered.

  • Review allowlisting assumptions. Trusted domains can be abused after compromise. Security teams shouldn’t rely only on reputation-based rules or static allowlists.
  • Monitor for unusual redirects and file uploads. Unexpected upload activity, hidden scripts, and strange redirect behavior can all point to compromise.
  • Reassess legacy websites. Old sites often remain online long after teams stop actively maintaining them. Those properties deserve special attention because they often contain the oldest and weakest components.
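An added example, not NordVPN's own tooling, of the first audit step: walking a web root to inventory leftover FCKeditor installations and report which upload connectors are still on disk. It assumes FCKeditor 2.x's default layout (fckconfig.js at the install root, connectors under editor/filemanager/connectors/); the sample tree is constructed in a temporary directory.

```python
"""Added example (not NordVPN's code): inventory a web root for leftover
FCKeditor installations so they can be removed or isolated.

Assumptions (not stated in the article): FCKeditor 2.x's default layout, in
which an install directory holds fckconfig.js and the upload connectors live
under editor/filemanager/connectors/<language>/. The sample tree is constructed.
"""
import os
import tempfile
from pathlib import Path

MARKER = 'fckconfig.js'
CONNECTOR_DIR = Path('editor') / 'filemanager' / 'connectors'

def find_fckeditor_installs(webroot):
    """Return one dict per FCKeditor install found under webroot, naming the
    install path and the connector languages still present."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        if MARKER not in filenames:
            continue
        install = Path(dirpath)
        conn = install / CONNECTOR_DIR
        langs = sorted(p.name for p in conn.iterdir() if p.is_dir()) if conn.is_dir() else []
        findings.append({
            'path': install.relative_to(webroot).as_posix(),
            'connectors': langs,
            # Any connector left on disk means the upload endpoints are still deployable.
            'risk': 'HIGH' if langs else 'MEDIUM',
        })
        dirnames[:] = []  # no need to descend into the install itself
    return findings

def build_sample_webroot():
    """Construct a throwaway tree: a site with one forgotten FCKeditor copy."""
    root = Path(tempfile.mkdtemp(prefix='webroot-'))
    (root / 'index.html').write_text('<html>hello</html>')
    old = root / 'cms' / 'old' / 'fckeditor'
    for lang in ('php', 'asp'):
        (old / CONNECTOR_DIR / lang).mkdir(parents=True)
    (old / MARKER).write_text('// legacy editor config')
    return root

if __name__ == '__main__':
    for finding in find_fckeditor_installs(build_sample_webroot()):
        print(finding)
```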

What users can do to stay safer

Users can’t patch a compromised website, but they can take steps to avoid scam pages, phishing attempts, and malicious downloads. I’d suggest a few practical habits:

  • Be cautious with links received through email, text, or messaging apps, as well as unfamiliar or unexpected links that appear in search results.
  • Treat urgent shopping offers and investment promises with skepticism.
  • Watch for redirect chains that move you across several domains.
  • Avoid downloading files from pages you didn’t intend to visit.
  • Use real-time web protection, such as Threat Protection Pro™, to block malicious websites before they load.

That last step is especially important when attackers abuse legitimate domains because traditional warning signs may appear too late. Real-time protection gives users a better chance to stop the attack before a phishing page opens or a malicious download starts.



TL;DR: A flaw doesn’t expire with age

The main lesson from this campaign is simple — old vulnerabilities still matter when the software behind them remains online. Attackers don’t care whether a flaw came from last week or 15 years ago. If the software still runs, the exploit can still work.

Unsupported tools and unpatched components can help attackers redirect users, spread scams, and avoid detection. Regular software audits, patching, and real-time protection against malicious websites can help reduce that risk.

Methodology

To investigate the campaign, NordVPN’s Threat Intelligence team worked with TechRadar and used open-source intelligence (OSINT). OSINT is a method of gathering and verifying information from publicly available sources.

The team combined advanced search queries with specialized internet indexing tools to map the scale of the activity and confirm which domains had actually been compromised.

That process included the use of search-engine dorks, which are precise search strings that help researchers surface exposed files, pages, or configurations, as well as platforms such as Fofa and Shodan, which index internet-facing services and devices.

Disclaimer: The trademarks referenced are for illustrative purposes only. NordVPN is not affiliated with, sponsored by, or endorsed by the owners of those trademarks.

Domininkas Virbickas

Cybersecurity expert, Product director at NordVPN