Webutation Distributing Malware Through Safety Badge

If you are using the Webutation badge on your site, remove it now. It appears they got hacked and are distributing malware to mobile devices through redirects hidden within the badge’s code.

We were analyzing a website that was compromised and redirecting visitors to bogus apps on the Apple App Store and the Google Play Store. The website looked clean, but the redirect kept happening for mobile users. Upon further inspection, we found out that the Webutation safety badge was responsible for the redirect.

The file load_badge.js – which is used to generate the badge – has some additional JavaScript from jquaryr[.]com that is only displayed for mobile user agents. That code from jquaryr (obviously an intentional typo of jQuery) forces a page reload, which then pushes the user to the bogus apps. This is dangerous because visitors rely on security badges to confirm the credibility and security of the website they are visiting. This is the first time we have seen one hacked in this way to distribute malware and malicious redirects.

webutation-badge

Security Badge Causing Mobile Redirects

This is what the badge code looks like for mobile users:

mobile-webutation

You can see the last 2 lines added causing the redirect:

webutation-redirect

That opens up the popOL.php URL that loads an affiliate URL from mobitrk.com, which them pushes to the bogus apps:

webutation-3

Difficult to Diagnose

The malware also uses a cookie to prevent multiple redirects on the same browser, making it hard for webmasters to detect the problem.

Again, if you are using Webutation, remove the badge from your site now, at least until they get the issue fixed. We will continue to monitor the issue and provide updates when we know more.

2 comments
  1. Just a thought Krasimir,
    What if the bug is intentional by Webutation itself. They are yet to report or make a notification on the bug themselves to users.

    1. Thanks for the comment. This could be intentional but we can’t confirm it at this time. We assume their website must have been compromised.

Comments are closed.

You May Also Like