
At the end of February, we wrote about a massive wave of site infections that pushed fake browser updates.

In the beginning of March, the attack evolved into redirecting site visitors to sketchy ad URLs.


In WordPress, the injected script is typically found at the bottom of the footer.php file of the active theme. It still consists of an "eval(function(p,a,c,k,e,d)..." obfuscated script and Histats code with the same 4214393 ID (which is now found on 1564 sites).

As in the case of the fake browser updates, the injected script receives the redirect links from compromised third-party sites:

...
var sAdsUrl1='hxxps://oshona[.]in/wp-admin/css/colors/blue/r.php';
var sAdsUrl2='hxxp://dailytrip[.]vn/wp-includes/ID3/r.php';
...

These pages return frequently changing URLs in this format:

u=hxxp://sconcerners[.]tk/index/?5731550755135

Depending on the country, IP and the browser, you may be redirected further to pages with a credit card or insurance-related spam (e.g. mashina[.]com or trikotazhkazan[.]ru), or to “You won <X>” scam ads.

The URL structure and the choice of the .tk TLD are typical of attacks that used to actively push tech support scams.
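The indicators above (the p,a,c,k,e,d packer header, the reused Histats ID, the sAdsUrl variables, the "u=" response format and the .tk redirect host) can be turned into a small footer.php scanner for site owners and incident responders. The following is an added example written for this note, not code from the original post or from any of the tools it mentions. The sample footer is constructed to resemble the injection described above (the packed body is a placeholder, and the URLs stay in their defanged hxxp/[.] form so nothing in the sample resolves); the function and variable names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Signature fragments from the note: the packer header and the campaign's
# reused Histats counter ID.
PACKER_MARKER = "eval(function(p,a,c,k,e,d)"
CAMPAIGN_HISTATS_ID = "4214393"

# Histats.start pushes the counter ID as the second comma-separated field.
HISTATS_RE = re.compile(r"Histats\.start'\s*,\s*'\d+,(\d+),")
# The injected script stores its link sources as var sAdsUrlN='...';
ADS_URL_RE = re.compile(r"var\s+(sAdsUrl\d+)\s*=\s*'([^']+)'")
# The r.php pages answer with a single "u=<url>" line.
REDIRECT_RE = re.compile(r"^\s*u=(\S+)\s*$")

# Constructed sample footer (not a real infected file).
SAMPLE_FOOTER = """
</footer>
<script>eval(function(p,a,c,k,e,d){e=function(c){return c};}('PLACEHOLDER',0,0,''.split('|'),0,{}))</script>
<script type="text/javascript">var _Hasync= _Hasync|| [];
_Hasync.push(['Histats.start', '1,4214393,4,0,0,0,00010000']);
</script>
<script>
var sAdsUrl1='hxxps://oshona[.]in/wp-admin/css/colors/blue/r.php';
var sAdsUrl2='hxxp://dailytrip[.]vn/wp-includes/ID3/r.php';
</script>
</body></html>
"""


def has_packer(html: str) -> bool:
    """True if the p,a,c,k,e,d packer header appears anywhere in the file."""
    return PACKER_MARKER in html


def histats_ids(html: str) -> list:
    """All Histats counter IDs found in the file (a site may legitimately have one)."""
    return HISTATS_RE.findall(html)


def ads_urls(html: str) -> dict:
    """Map of sAdsUrlN variable names to the third-party r.php URLs they hold."""
    return dict(ADS_URL_RE.findall(html))


def parse_redirect_response(body: str):
    """Extract the target from a 'u=<url>' response; None if the body has another shape."""
    m = REDIRECT_RE.match(body)
    return m.group(1) if m else None


def refang(url: str) -> str:
    """Undo hxxp/[.] defanging so the URL can be parsed (for analysis only)."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def redirect_url_indicators(url: str) -> list:
    """Flag traits the note associates with this campaign's redirect URLs."""
    parts = urlsplit(refang(url))
    flags = []
    if parts.hostname and parts.hostname.endswith(".tk"):
        flags.append("tk-tld")
    if parts.query.isdigit():
        flags.append("numeric-query")
    return flags


def scan_footer(html: str) -> dict:
    """Verdict: infected if the packer pairs with the campaign's Histats ID,
    or if sAdsUrl link sources are present at all."""
    ids = histats_ids(html)
    urls = ads_urls(html)
    packed = has_packer(html)
    infected = (packed and CAMPAIGN_HISTATS_ID in ids) or bool(urls)
    return {"packer": packed, "histats_ids": ids, "ads_urls": urls,
            "verdict": "infected" if infected else "clean"}


if __name__ == "__main__":
    print(scan_footer(SAMPLE_FOOTER))
    target = parse_redirect_response("u=hxxp://sconcerners[.]tk/index/?5731550755135")
    print(target, redirect_url_indicators(target))
```

Run it against the active theme's footer.php (and, since the same footprint appears elsewhere, any other theme or plugin file that serves HTML); a "clean" verdict only means these specific indicators are absent, so keep the check alongside file-integrity monitoring rather than in place of it.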

As of this writing, PublicWWW has already found this new variation of the malicious script on almost 700 web sites.