Sucuri Blog


Globo.com redirecting users to Spam ads

May 19, 2013, by David Dede


Globo.com, one of the largest Brazilian web portals (ranked #107 on Alexa and #6 for Brazilian traffic), appears to be compromised, and all visits to it are being redirected to a subpage inside pagesinxt.com. If you go to g1.globo.com (or any other of their subdomains), you will end up on a page full of ads about hosting, Internet and fake email products:

[Image: Globo.com redirection]

The redirection has been going on for at least a few hours: we first detected it around 8am EST, and it is still live four hours later (noon EST).

What is going on?

We are investigating, but at the bottom of any page inside globo.com there is a script being loaded from sawpf.com:

<script defer src="httx://sawpf.com/1.0.js"></script>

That JavaScript file is very slow to load, but when it does load, it runs the following code:

 window.location = httx://pagesinxt.com/?dn=sawpf.com&fp=3WBUwymfgey…

This forces the browser to redirect to pagesinxt.com. At this point, we recommend that users do not visit any globo.com page (or only go there with JavaScript disabled).

Who really owns your site?

This brings up a good topic that we have raised before: who really owns your site? Every time you include a JavaScript file (or widget or iframe), the security of your site becomes dependent on that third-party server. It doesn't look like Globo itself got compromised, but since they are including code from sawpf.com, they are only as secure as sawpf.com is.

Every time you add a remote JavaScript (or widget or iFrame) to your site, you are giving the server that houses that code full control of what is displayed to your users. If their servers get compromised, your site will be compromised as well.

Can you imagine if the author of the Easing Plugin was malicious? Instead of just that pop-up, they could have added a URL redirect to send all your users to any site of their choosing (spam, porn, you name it). What if their server was hacked? The attackers could have added malware and it would have loaded for all your users.
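To make that dependency visible, the sketch below lists every remote script and iframe a page pulls from outside its own domain and marks which scripts are pinned with a Subresource Integrity hash. It is an added example, not code from Sucuri or Globo; the sample HTML is constructed, and cdn.example, ads.example and the function names are assumptions.

```javascript
// Added example (not from the original post): inventory remote includes
// and compute a pin for a script you have reviewed.
const { createHash } = require("crypto");

// Constructed sample page. The third tag is the include quoted in the post
// (defanged "httx" kept); cdn.example and ads.example are placeholder hosts,
// and "sha384-PLACEHOLDER" stands in for a real hash.
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://g1.globo.com/lib.js"></script>
<script defer src="httx://sawpf.com/1.0.js"></script>
<script src="https://cdn.example/w.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<iframe src="https://ads.example/frame.html"></iframe>`;

// Read one quoted attribute value out of a start tag (null if absent).
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i").exec(tag);
  return m ? m[1] : null;
}

// List every <script>/<iframe> whose source host is outside firstPartyDomain.
// "pinned" is true only for scripts carrying an integrity attribute;
// iframes cannot be pinned, so they are always reported as unpinned.
function auditIncludes(html, pageUrl, firstPartyDomain) {
  const findings = [];
  for (const [tag, kind] of html.matchAll(/<(script|iframe)\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (src === null) continue; // inline code: no remote dependency
    const host = new URL(src, pageUrl).hostname;
    if (host === firstPartyDomain || host.endsWith("." + firstPartyDomain)) continue;
    const pinned = kind.toLowerCase() === "script" && attr(tag, "integrity") !== null;
    findings.push({ kind: kind.toLowerCase(), host, src, pinned });
  }
  return findings;
}

// SRI value for a script body you have reviewed; a browser that supports SRI
// refuses to run the file if the third party later serves different bytes.
function sriHash(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

for (const f of auditIncludes(SAMPLE_HTML, "https://g1.globo.com/", "globo.com")) {
  console.log(`${f.pinned ? "pinned  " : "UNPINNED"} ${f.kind} from ${f.host}`);
}
```

Every unpinned entry is a host that can change what your visitors see without touching your servers.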

*Update 1: Lots of users on Twitter are complaining about it as well. Search for sawpf or pagesinxt to see the number of people complaining or worried about it.

*Update 2: If you click on some URLs inside sawpf.com, you will be redirected to pagesinxt.com as well (for example: httx://sawpf.com/libs/jquery/1.7.1.js).


Categories: Website Malware Infections
Tags: Hacked Websites, Malware Updates, Redirects

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.


Comments

  1. fhferreira

    May 19, 2013

    Great Text

  2. Curt

    May 19, 2013

    I noted this last night at 11pm CST (USA) May 18th, 2013
    Thank you very much for sharing Sucuri, much appreciated.

  3. yepi 6

    May 24, 2013

    I’m very interested in that information, and will wait for the next information about it. thank you for the information you post.

  4. Y8 Games

    June 3, 2013

    spam ads is very common in the web, finding it and take it off

  5. nx8

    June 4, 2013

    Thanks for sharing this.

  6. yepi

    June 19, 2013

    Thanks for giving me the useful information
