Today we found a few websites that loaded strange code from tag-cloud-generator[.]com.
Sites tried to load several image and font files from this site, but they all returned 404 Not Found. The only live file that loaded was hxxp://www.tag-cloud-generator[.]com/js/fx2.js or its pseudo-localized copies like hxxp://www.tag-cloud-generator[.]com/NL/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/EN/js/fx2.js, hxxp://www.tag-cloud-generator[.]com/FR/js/fx2.js, etc.
The fx2.js file has an encrypted script that randomly loads one of the following scripts:
hxxp://www.tag-cLoud-generator[.]com/b01.js
hxxp://www.tag-cLoud-generator[.]com/b02.js
hxxp://www.tag-cLoud-generator[.]com/b03.js
hxxp://www.tag-cLoud-generator[.]com/b04.js
And those scripts, in turn, redirect visitors to one of the following parked domains with ads:
www.rusoen[.]com
www.askinz[.]com
www.ad-u[.]com
www.kinkyfirehouse[.]com
Using code like this:
JavaScriptRedirectURL="http://www.ad-u[.]com/";window.top.location.href=JavaScriptRedirectURL;
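As an added example (not code from the original post), here is a small Python check a site owner could run over their own files to spot this chain: it flags script tags that load from the tag-cloud-generator domain (matched case-insensitively, since the loader URLs were seen with mixed case) and the redirect idiom shown above when it points at one of the parked domains listed. The HTML and JS samples it scans are constructed for the demonstration.

```python
import re

# Indicators from the post, written with real dots so they match site content.
LOADER_DOMAIN = "tag-cloud-generator.com"
REDIRECT_DOMAINS = {"rusoen.com", "askinz.com", "ad-u.com", "kinkyfirehouse.com"}

# <script src="..."> references; matched case-insensitively because the
# loader URLs appeared as both "tag-cloud-generator" and "tag-cLoud-generator".
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# The redirect idiom used by the b0N.js scripts, tolerant of quote style,
# whitespace and a trailing path after the host name.
REDIRECT_RE = re.compile(
    r'JavaScriptRedirectURL\s*=\s*["\']https?://(?:www\.)?([^/"\']+)[^"\']*["\'];?\s*'
    r'window\.top\.location\.href\s*=\s*JavaScriptRedirectURL',
    re.IGNORECASE,
)


def scan_content(text, filename="<input>"):
    """Return a list of (filename, indicator, evidence) findings for one file's text."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(text):
        src = m.group(1)
        if LOADER_DOMAIN in src.lower():
            findings.append((filename, "loader-script", src))
    for m in REDIRECT_RE.finditer(text):
        domain = m.group(1).lower()
        if domain in REDIRECT_DOMAINS:
            findings.append((filename, "parked-domain-redirect", domain))
        else:
            # Same redirect idiom to a domain not in the list still deserves a look.
            findings.append((filename, "redirect-unknown-domain", domain))
    return findings


# Constructed sample inputs (not captured from a real site).
SAMPLE_HTML = (
    '<html><head>\n<script src="/js/jquery.js"></script>\n'
    '<script type="text/javascript" src="http://www.tag-cLoud-generator.com/EN/js/fx2.js"></script>\n'
    '</head></html>'
)
SAMPLE_JS = 'JavaScriptRedirectURL="http://www.ad-u.com/";window.top.location.href=JavaScriptRedirectURL;'

if __name__ == "__main__":
    for name, text in (("index.html", SAMPLE_HTML), ("b03.js", SAMPLE_JS)):
        for finding in scan_content(text, name):
            print(finding)
```

Run it over a site's HTML templates and JavaScript files; a "loader-script" hit is the tag to remove, and any "redirect-*" hit marks a file that was itself altered.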
All these domains, including tag-cloud-generator[.]com, are registered in China. If you ever used tag-cloud-generator, make sure to remove it from your site. We will share more information if we find anything new.