Double hidden style – Hiding spam

Labs Note

We see many tricks that hackers use to make search engine bots think that the injected spam is not hidden. One of the common approaches is to place a spam block inside a div with some particular id or class and then add a JavaScript call to make that div invisible.

The newest form of the unlocked iPhone spam injection tried something new (that also made us smile): it uses elementary-school-level math to make the spammy div's id and the id in the JavaScript look different.

Here's the typical code:

<div id="232">...spammy content here...</div><script>document.getElementById (116*2) .style.display='none';</script>

The idea is simple: the malware generates a random number (e.g. n), doubles it, and uses the result as the spam div id. In the JavaScript code, the same multiplication is written out verbatim as the getElementById(n*2) parameter, which works because JavaScript implicitly converts numbers to strings.
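For cleanup and detection, a scanner has to compute the arithmetic before comparing it with the ids in the markup, since a plain text search for the div id will not match the script. The following is an added example, not code from the original note; the function names `evalIntExpr` and `findHiddenById` are hypothetical, and the sample input is constructed from the snippet above.

```javascript
// Added example. SAMPLE is constructed from the snippet quoted in the note.
const SAMPLE = '<div id="232">...spammy content here...</div>' +
  "<script>document.getElementById (116*2) .style.display='none';</script>";

// Evaluate integer literals joined by + - * without eval(); null for anything else.
function evalIntExpr(expr) {
  const s = expr.replace(/\s+/g, '');
  if (!/^\d+([*+-]\d+)*$/.test(s)) return null;
  // Split into signed terms, multiply inside each term, then sum the terms.
  return s.match(/[+-]?[^+-]+/g)
    .map((t) => {
      const sign = t[0] === '-' ? -1 : 1;
      return sign * t.replace(/^[+-]/, '').split('*').reduce((a, b) => a * Number(b), 1);
    })
    .reduce((a, b) => a + b, 0);
}

// Report every getElementById(<numeric expression>).style.display='none' call and
// whether the computed id belongs to an element in the same markup.
function findHiddenById(html) {
  const ids = new Set([...html.matchAll(/\bid\s*=\s*["']?([\w-]+)/gi)].map((m) => m[1]));
  const hide = /getElementById\s*\(\s*([^)'"]+?)\s*\)\s*\.\s*style\s*\.\s*display\s*=\s*(['"])none\2/g;
  const findings = [];
  for (const m of html.matchAll(hide)) {
    const value = evalIntExpr(m[1]);
    if (value === null) continue; // not pure arithmetic; out of scope here
    const id = String(value);
    findings.push({ expr: m[1], id, arithmetic: m[1] !== id, matchesElement: ids.has(id) });
  }
  return findings;
}

console.log(findHiddenById(SAMPLE));
```

A finding with both `arithmetic` and `matchesElement` set is the pattern described in this note: the id is written as a calculation in the script, and the result points at an element that is then hidden.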
