I came across some interesting defacement pages recently and noticed a peculiar JavaScript injection included within each source code of the defaced websites. As shown below, this JavaScript injection was peculiar as it seemingly provided no benefit to the hacker:
<script>
ANCHORFREE_VERSION = "623161526"
<script type='text/javascript'>
var _AF2$ = {
'SN': 'HSSHIELD00TN',
'IP': '69.22.172.11',
'CH': 'HSSCNL000393',
'CT': '0',
'HST': '&sessStartTime=0&SFLAG=1&in=1423962910_84044764|d,1553137850|w,1553137850|m,1553137850|t&out=1423962910_23400718|d,305397307|w,305397307|m,305397307|t&NUM_VID=2&NUM_VID_TS=1423962310&bChrome=40&pv=5&clsBtnCnt=14&fav=8&fvidat=0&fvidv=0&accessLP=1',
'AFH': 'hss306',
'RN': Math.floor(Math.random() * 999),
'TOP': (parent.location != document.location || top.location != document.location) ? 0 : 1,
'AFVER': '3.69',
'fbw': false,
'FBWCNT': 0,
'FBWCNTNAME': 'FBWCNT_CHROME',
'NOFBWNAME': 'NO_FBW_CHROME',
'B': 'c',
'VER': 'nonus'
};
if (_AF2$.TOP == 1) {
document.write("<scr" + "ipt src='http[:]//box.anchorfree.net/insert/insert.php?sn=" + _AF2$.SN + "&ch=" + _AF2$.CH + "&v=" + ANCHORFREE_VERSION + 6 + "&b=" + _AF2$.B + "&ver=" + _AF2$.VER + "&afver=" + _AF2$.AFVER + "' type='text/javascript'></scr" + "ipt>");
}
The injected javascript code contains some details from the client\’s connection to the HotSpot Shield VPN server, then runs a javascript file from box.anchorfree.net
I haven\’t come across this type of content within any other forms of malware – just your typical Hacked by _____, or 0wned by _____ message, or an otherwise unwanted defacement of someone\’s website.
It only took a single Google search to determine that anchorfree.net is associated with the popular HotSpot Shield VPN, which has millions of downloads in the Google Play store alone (they also offer browser plugins for non-mobile users). They offer both a free and a paid version of their VPN service, however in the last year or so there have been demands for federal authorities to investigate them for deceptive practices.
(If you are curious about using a VPN for privacy reasons, or already are using one, then I\’d recommend checking out the official complaint here).
So what does this have to do with hackers and their defacement pages? Well, we know that in the majority of cases, the hacker is wanting to anonymize themselves. Nowadays, that usually involves using at least one VPN or more. Often times, the hackers that focus on defacements are more inexperienced and new, so they may lack the inherent suspicion one has to have when dealing with free services like HotSpot Shield VPN or any other free online services they must monetize to remain in operation. Their form of monetization is to inject JavaScript code into the browser requests of their non-paying clients (unsure about the Premium paid version), which is then used with additional JavaScript from a few different third-party domains:
document.write("<style type='text/css' title='AFc_css"
+_AF2$.RN+"' >.AFc_body"+_AF2$.RN+"{}.AFc_all"+_AF2$.RN+",a.AFc_all"+_AF2$.RN+":hover,a.AFc_all"+_AF2$.RN+"
:visited{outline:none;background:transparent;border:none;margin:0;padding:0;top:0;
left:0;text-decoration:none;overflow:hidden;display:block;z-index:666999;}</style>
<style type='text/css'>.AFhss_dpnone{display:none;width:0;height:0}</style>
<img src=\"about:blank\" id=\"AFhss_trk0\" name=\"AFhss_trk0\"
style=\"display:none\" /><img src=\"about:blank\"id=\"AFhss_trk\"
name=\"AFhss_trk\" style=\"display:none\"/><iframe src=\"http://anchorfree.us/quantcast.php\" style=\"width:0px;height:0px;display:none;\"></iframe>");
Just a small excerpt of the nearly 2,000 line JavaScript text showcasing some of the hidden CSS styling and also the setup of an invisible iFrame, which is a popular method of delivering malicious JavaScript payloads.
As this article isn’t about HotSpot Shield VPN specifically, I won’t go too in depth about it, but suffice it to say this JavaScript code from their controlled domains is using tracking images and injecting advertisements (some of which could be malicious) into their client’s browser.
The purpose of explaining this, was to showcase how even hackers can be victims to one of the biggest hurdles known in website security and that is the human’s ability to override otherwise secure settings. This is most commonly witnessed in a human downloading some type of software – in this case, a free VPN service –unknowingly exposing themselves to malicious or PUP (potentially unwanted programs). Another common method of the human factor failing otherwise secure settings is through social engineering.
In conclusion, one should be suspicious of products advertised as completely free and should try to understand the terms of service (SLA) so they are aware of what they may be giving away or exposed to in exchange for the free service. In these defacement cases, the inexperienced hacker relied upon a free VPN service that was unknowingly injecting JavaScript to his browser and so when they created the defacement page (likely through an online editor or browser interface) it caused the HotSpot Shield VPN JavaScript to get passed as text to the created defacement page rather than executed within the client’s browser as is intended.