Malicious Redirects from Tweet Counter

Malicious Redirects from Tweet Counter

When Twitter announced their new design for “Tweet” and “Follow” buttons back in October 2015, marketers across the web developed a mild anxiety—the new design came with a decision to nuke their beloved Tweet count feature.

Social signals can be a huge credibility indicator for visitors and site content. Who doesn’t think there’s a psychological relationship between the number of social shares and the credibility of a content piece? It’s social validation, plain and simple.

Naturally, bloggers and website owners with an aversion to change started looking for alternative solutions that offered the same feature. What they likely didn’t consider was any security implications that might come along with using a third party service.

Queue New Share Counts, a now-defunct service that allowed users to continue displaying the number of tweets on a specific URL on their social sharing apps and web pages.

A Simple Service for Tweet Counting

Marketers breathed a sigh of relief when easy-to-use services started popping up to offer Twitter share counts, and New Share Counts quickly gained traction. It even integrated with other existing social share plugins like SumoMe, AddThis, and Shareaholic.

Setting up New Share Counts on a site was simple:

  1. Navigate to newsharecounts[.]com (this site no longer works)
  2. Link your Twitter account and website
  3. Add the following snippet to the bottom of every page you wanted to track shares from:
<script type="text/javascript" src="//newsharecounts.s3-us-west-2.amazonaws[.]com/nsc.js"></script><script type="text/javascript">window.newShareCountsAuto="smart";</script>

WordPress Forums Report New Share Counts Dead

Three months ago, users on the community forums reported that newsharecounts[.]com was dead. Users suggested that the service had folded and would no longer be operational. A number of threads opened up in response to the situation, and community members offered alternative endpoint solutions.

During the months of August and September, the domain showed the following message on the homepage:

New Share Counts Dead
Screenshot from

Malicious Redirects from Rogue Script

During a recent remediation investigation, our Remediation Team Lead Ben Martin noticed malicious redirects being served by websites using the New Share Counts service.

The original Amazon AWS script (hxxp://newsharecounts.s3-us-west-2.amazonaws[.]com/nsc.js) still worked, but now served the following code:

New Share Counts Malicious Code

Once decoded, this script contains absolutely no reference to Twitter or New Share Count. Instead, this snippet of code adds 10 fake browser history entries for the same page. An interesting feature of these history entries is that it prevents a user from choosing the previous page from the back button.

When the user loads the page, a malicious event handler is added. This handler waits until the user taps the “Back” button on their device or tries to navigate to a previous page. It then fires an event, which causes the browser to open to the following destination:

m.richalsu[.]mobi/?utm_medium=0e0597838a322711594e7fff060c21106f1795d8&utm_campaign=a-back-2&1= It then directs the user to a scam page, instead of returning to the previous page.

This behavior is only seen on Android, iOS, and mobile devices—and only under the condition that the user has tapped the “Back” button in their browser. Users on other devices won’t notice anything suspicious, except for maybe the lack of Twitter share counts that would exist if the original New Share Count script actually functioned.

At this point, we can only speculate what happened to the service. It’s possible that it was sold to a third party, or perhaps abandoned and compromised.

Scope & Mitigation: Key Takeaways

At the time of writing, 800+ sites use this script. That’s over 800 sites (some of which are fairly popular) who simply wanted to show off their social signals, and are now instead maliciously redirecting their mobile traffic.

Loading third-party scripts and elements on your website always opens up the risk of unwanted content being served on your site without consent, especially when they come from an expired or unmaintained service.

We encourage marketers and developers to consider all third-party components on their site. Take a moment to identify if any of them are deprecated or no longer supported. Noticed you’re using an unsupported service? Get rid of the offender ASAP!

If you’re currently using New Share Counts’ tweet counter, we strongly recommend that you remove the script from your site. You can replace it with another actively maintained and supported service.

Sites that have been compromised can refer to our hacked website guide or reach out to us for a hand with clean up.

You May Also Like