Tag-cloud-generator com script redirects to parked domains

Labs Note

Today we found a few websites that loaded strange code from tag-cloud-generator[.]com.

The sites tried to load several image and font files from this site, but they all returned 404 Not Found. The only live file that they loaded was hxxp://www.tag-cloud-generator[.]com/js/fx2.js or its pseudo-localized copies like hxxp://www.tag-cloud-generator[.]com/NL/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/EN/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/FR/js/fx2.js, etc.

The fx2.js file contains an encrypted script that randomly loads one of the following scripts:

hxxp://www.tag-cLoud-generator[.]com/b01.js
hxxp://www.tag-cLoud-generator[.]com/b02.js
hxxp://www.tag-cLoud-generator[.]com/b03.js
hxxp://www.tag-cLoud-generator[.]com/b04.js

Those scripts, in turn, redirect visitors to one of the following parked domains with ads:

www.rusoen[.]com
www.askinz[.]com
www.ad-u[.]com
www.kinkyfirehouse[.]com

Using code like this:

JavaScriptRedirectURL="http://www.ad-u[.]com/";window.top.location.href=JavaScriptRedirectURL;

All these domains, including tag-cloud-generator[.]com, are registered in China. If you ever used tag-cloud-generator, make sure to remove it from your site. We will share more information if we find anything new.
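
To check whether a page still references this domain, the added example below (not code from the original note) parses HTML and reports every src or href whose host is the domain or one of its subdomains, so mixed-case hosts like the ones listed above still match while unrelated URLs that merely mention the name do not. The sample markup is constructed, as is the css/cloud.css path; the indicator is kept defanged in the source and refanged only at runtime.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator taken from the note, stored defanged and refanged at runtime.
BAD_DOMAIN = "tag-cloud-generator[.]com"


def refang(text):
    """Turn a defanged indicator (hxxp, [.]) back into its literal form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


class RefFinder(HTMLParser):
    """Collect (line, tag, url) for each src/href pointing at the domain."""

    def __init__(self, domain):
        super().__init__()
        self.domain = domain.lower()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in ("src", "href") or not value:
                continue
            # urlsplit lowercases the host and handles //host/path URLs.
            host = (urlsplit(value.strip()).hostname or "").lower()
            if host == self.domain or host.endswith("." + self.domain):
                self.hits.append((self.getpos()[0], tag, value))


def find_references(html, domain=BAD_DOMAIN):
    finder = RefFinder(refang(domain))
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page: two references to remove, two benign lines.
SAMPLE = refang("""<html><head>
<script src="hxxp://www.tag-cLoud-generator[.]com/NL/js/fx2.js"></script>
<link rel="stylesheet" href="//tag-cloud-generator[.]com/css/cloud.css">
<script src="/js/app.js"></script>
</head><body>
<a href="https://example.org/?ref=tag-cloud-generator[.]com">unrelated</a>
</body></html>""")

if __name__ == "__main__":
    for line, tag, url in find_references(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Matching on the parsed host rather than on a substring keeps the query-string mention on line 6 of the sample out of the results.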
