Webutation Distributing Malware Through Safety Badge

  • July 16, 2015

If you are using the Webutation badge on your site, remove it now. It appears they got hacked and are distributing malware to mobile devices through redirects hidden within the badge’s code.

We were analyzing a website that was compromised and redirecting visitors to bogus apps on the Apple App Store and the Google Play Store. The website looked clean, but the redirect kept happening for mobile users. Upon further inspection, we found out that the Webutation safety badge was responsible for the redirect.

The file load_badge.js – which is used to generate the badge – has some additional JavaScript from jquaryr[.]com that is only displayed for mobile user agents. That code from jquaryr (obviously an intentional typo of jQuery) forces a page reload, which then pushes the user to the bogus apps. This is dangerous because visitors rely on security badges to confirm the credibility and security of the website they are visiting. This is the first time we have seen one hacked in this way to distribute malware and malicious redirects.

webutation-badge

Security Badge Causing Mobile Redirects

This is what the badge code looks like for mobile users:

mobile-webutation

You can see the last 2 lines added causing the redirect:

webutation-redirect

That opens up the popOL.php URL that loads an affiliate URL from mobitrk.com, which them pushes to the bogus apps:

webutation-3

Difficult to Diagnose

The malware also uses a cookie to prevent multiple redirects on the same browser, making it hard for webmasters to detect the problem.

Again, if you are using Webutation, remove the badge from your site now, at least until they get the issue fixed. We will continue to monitor the issue and provide updates when we know more.

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Related Tags
2 comments

  1. Just a thought Krasimir,
    What if the bug is intentional by Webutation itself. They are yet to report or make a notification on the bug themselves to users.

    1. Thanks for the comment. This could be intentional but we can’t confirm it at this time. We assume their website must have been compromised.

Comments are closed.

Related Categories
You May Also Like