• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Malicious Redirects from NewShareCounts.com Tweet Counter

Malicious Redirects from NewShareCounts.com Tweet Counter

October 16, 2018Rianna MacLeodPortugues

FacebookTwitterSubscribe

When Twitter announced their new design for “Tweet” and “Follow” buttons back in October 2015, marketers across the web developed a mild anxiety—the new design came with a decision to nuke their beloved Tweet count feature.

Social signals can be a huge credibility indicator for visitors and site content. Who doesn’t think there’s a psychological relationship between the number of social shares and the credibility of a content piece? It’s social validation, plain and simple.

Naturally, bloggers and website owners with an aversion to change started looking for alternative solutions that offered the same feature. What they likely didn’t consider was any security implications that might come along with using a third party service.

Queue New Share Counts, a now-defunct service that allowed users to continue displaying the number of tweets on a specific URL on their social sharing apps and web pages.

A Simple Service for Tweet Counting

Marketers breathed a sigh of relief when easy-to-use services started popping up to offer Twitter share counts, and New Share Counts quickly gained traction. It even integrated with other existing social share plugins like SumoMe, AddThis, and Shareaholic.

Setting up New Share Counts on a site was simple:

  1. Navigate to newsharecounts[.]com (this site no longer works)
  2. Link your Twitter account and website
  3. Add the following snippet to the bottom of every page you wanted to track shares from:
<script type="text/javascript" src="//newsharecounts.s3-us-west-2.amazonaws[.]com/nsc.js"></script><script type="text/javascript">window.newShareCountsAuto="smart";</script>

WordPress Forums Report New Share Counts Dead

Three months ago, users on the wordpress.org community forums reported that newsharecounts[.]com was dead. Users suggested that the service had folded and would no longer be operational. A number of threads opened up in response to the situation, and community members offered alternative endpoint solutions.

During the months of August and September, the domain showed the following message on the homepage:

New Share Counts Dead
Screenshot from web.archive.org

Malicious Redirects from Rogue Script

During a recent remediation investigation, our Remediation Team Lead Ben Martin noticed malicious redirects being served by websites using the New Share Counts service.

The original Amazon AWS script (hxxp://newsharecounts.s3-us-west-2.amazonaws[.]com/nsc.js) still worked, but now served the following code:

New Share Counts Malicious Code

Once decoded, this script contains absolutely no reference to Twitter or New Share Count. Instead, this snippet of code adds 10 fake browser history entries for the same page. An interesting feature of these history entries is that it prevents a user from choosing the previous page from the back button.

When the user loads the page, a malicious event handler is added. This handler waits until the user taps the “Back” button on their device or tries to navigate to a previous page. It then fires an event, which causes the browser to open to the following destination:

m.richalsu[.]mobi/?utm_medium=0e0597838a322711594e7fff060c21106f1795d8&utm_campaign=a-back-2&1= It then directs the user to a scam page, instead of returning to the previous page.

This behavior is only seen on Android, iOS, and mobile devices—and only under the condition that the user has tapped the “Back” button in their browser. Users on other devices won’t notice anything suspicious, except for maybe the lack of Twitter share counts that would exist if the original New Share Count script actually functioned.

At this point, we can only speculate what happened to the service. It’s possible that it was sold to a third party, or perhaps abandoned and compromised.

Scope & Mitigation: Key Takeaways

At the time of writing, 800+ sites use this script. That’s over 800 sites (some of which are fairly popular) who simply wanted to show off their social signals, and are now instead maliciously redirecting their mobile traffic.

Loading third-party scripts and elements on your website always opens up the risk of unwanted content being served on your site without consent, especially when they come from an expired or unmaintained service.

We encourage marketers and developers to consider all third-party components on their site. Take a moment to identify if any of them are deprecated or no longer supported. Noticed you’re using an unsupported service? Get rid of the offender ASAP!

If you’re currently using New Share Counts’ tweet counter, we strongly recommend that you remove the script from your site. You can replace it with another actively maintained and supported service.

Sites that have been compromised can refer to our hacked website guide or reach out to us for a hand with clean up.

FacebookTwitterSubscribe

Categories: Website SecurityTags: Black Hat Tactics, Hacked Websites, Redirects

About Rianna MacLeod

Rianna MacLeod is Sucuri’s Marketing Manager who joined the company in 2017. Her main responsibilities include ghost-writing technical content, SEO, email, and experimentation. Rianna’s professional experience spans over 10 years of technical writing and marketing. When Rianna isn’t drafting content or building templates, you might encounter her hiking in the forest or enjoying the beach. You can find her on Twitter and LinkedIn.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.