Forum Thread

Root cause of the site hijacking advertisement

DancingNeko (47 Posts, 78 Reputation), March 22, 2018 at 02:15 AM
I managed to track down the root cause of the rogue ads. I tried to get the rogue ads on Chrome, Firefox, Edge, etc. on desktop while emulating the iPad Safari user agent and screen resolution, but the rogue ad was too smart: it dodged being loaded in a desktop environment to avoid analysis. So I used Safari on the iPad with its network traffic proxied to my Windows 10 machine via Fiddler, and hooked the iPad's Safari instance up to an OS X machine to inspect the DOM via Web Inspector. I then set a Fiddler breakpoint on any URL with "us_amazon_amazon500" in the path, analyzed the script that redirected to this site, and went from there.

In my case the rogue ad hijacked the page to redirect to hxxp://rewardyouremployees.top/us_amazon_amazon500. I searched the network trace to figure out how I got routed there.

It turns out there was a JavaScript payload from hxxp://cdn-search.com that did the redirect using the following payload:
Link to image: https://imgur.com/a/yQDKj

Next I searched how I got to cdn-search, and it turns out there was a 302 redirect done from hxxp://fast-click-ads.com.

I repeated this and looked up how I got to fast-click-ads, and it turns out hxxps://mobads.3rdrockgames.com/ was the culprit. It delivered a document.write() payload which inserts a link to fast-click-ads and auto-invokes the link after 7000 milliseconds.

The network trail sort of ended here, and the Fiddler trace couldn't locate how I got to 3rdrockgames. It somehow managed to remove the Referer headers as well. So I went to the Web Inspector on my OS X machine to inspect the DOM. Turns out this originated from the ad section at the bottom of the page. It appears to have come from Google (or it may have been injected by another rogue script). I recommend applying an iframe sandbox to these ads if possible, with same-origin and parent-level navigation blocked. Here's the DOM on slickdeals that kicked off the chain reaction.
Link to image: https://imgur.com/a/ntpIU

Hope this is enough info to start shutting these rogue ads down...

If you're on the Slickdeals staff and would like more details (e.g. non-truncated URLs), just send me a mail.
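As an added illustration (not code from DancingNeko's post or from Slickdeals), here are the two analysis steps above expressed as code: walking a captured proxy trace backwards from the landing page, following Location headers for server-side hops and Referer for script-driven ones until the trail ends at a DOM initiator, and then auditing an ad iframe's sandbox tokens against the recommendation at the end of the post. The trace entries are constructed; the hostnames are the defanged ones named in the post; the `initiator` field and all function names are assumptions.

```javascript
// Added example (not the forum post's own code): walk a captured proxy trace
// backwards from the landing page to find where a redirect chain started,
// then check an ad iframe's sandbox tokens against the post's recommendation.

// Constructed trace entries in the shape of a Fiddler/HAR export: request URL,
// response status, Location/Referer headers. `initiator` models what the
// browser's Web Inspector shows when no Referer header exists (an assumption).
const LANDING = 'hxxp://rewardyouremployees.top/us_amazon_amazon500';
const TRACE = [
  { url: 'https://slickdeals.example/deal', status: 200, referer: null, initiator: null },
  { url: 'hxxps://mobads.3rdrockgames.com/', status: 200, referer: null,
    initiator: 'iframe in bottom ad slot' },
  { url: 'hxxp://fast-click-ads.com/go', status: 302,
    referer: 'hxxps://mobads.3rdrockgames.com/', location: 'hxxp://cdn-search.com/r' },
  { url: 'hxxp://cdn-search.com/r', status: 200, referer: 'hxxp://fast-click-ads.com/go' },
  { url: LANDING, status: 200, referer: 'hxxp://cdn-search.com/r' },
];

const isRedirect = (e) => e.status >= 300 && e.status < 400 && typeof e.location === 'string';

// Returns the chain in load order, each hop labelled with how it was reached.
function reconstructRedirectChain(trace, landingUrl) {
  const byUrl = new Map(trace.map((e) => [e.url, e]));
  const chain = [];
  const seen = new Set();
  let current = byUrl.get(landingUrl);
  while (current && !seen.has(current.url)) {
    seen.add(current.url);
    // Server-side hop: an earlier 3xx response carried Location: <current url>.
    const redirector = trace.find((e) => isRedirect(e) && e.location === current.url);
    if (redirector) {
      chain.unshift({ url: current.url, via: `HTTP ${redirector.status} from ${redirector.url}` });
      current = redirector;
      continue;
    }
    // Client-side hop: Referer names the document whose script or link navigated here.
    if (current.referer && byUrl.has(current.referer)) {
      chain.unshift({ url: current.url, via: `navigation from ${current.referer}` });
      current = byUrl.get(current.referer);
      continue;
    }
    // Trail ends in the network trace (no Location, Referer stripped); fall back
    // to what the DOM inspector recorded, as the post did for the bottom ad slot.
    chain.unshift({
      url: current.url,
      via: current.initiator ? `DOM initiator: ${current.initiator}` : 'unknown (referer stripped)',
    });
    current = null;
  }
  return chain;
}

// Sandbox tokens that would let an ad frame do what this chain did: navigate the
// parent page, or keep an origin it can use to undo its own restrictions.
const RISKY_SANDBOX_TOKENS = {
  'allow-top-navigation': 'frame may navigate the parent page (the hijack itself)',
  'allow-same-origin': 'frame keeps its origin; with allow-scripts a same-origin document can strip its own sandbox',
  'allow-popups-to-escape-sandbox': 'windows opened by the frame inherit none of the restrictions',
};
// Scripts are needed for ads to render; popups keep click-through working.
const RECOMMENDED_AD_SANDBOX = 'allow-scripts allow-popups';

function auditAdFrameSandbox(sandboxAttr) {
  if (sandboxAttr === null || sandboxAttr === undefined) {
    return { ok: false, findings: ['no sandbox attribute: frame is fully privileged'] };
  }
  const tokens = sandboxAttr.trim().split(/\s+/).filter(Boolean);
  const findings = tokens
    .filter((t) => Object.prototype.hasOwnProperty.call(RISKY_SANDBOX_TOKENS, t))
    .map((t) => `${t}: ${RISKY_SANDBOX_TOKENS[t]}`);
  return { ok: findings.length === 0, findings };
}

for (const hop of reconstructRedirectChain(TRACE, LANDING)) {
  console.log(`${hop.url}\n    via ${hop.via}`);
}
console.log(auditAdFrameSandbox('allow-scripts allow-same-origin allow-top-navigation'));
```

The chain walker prefers a 3xx Location match over Referer because a server redirect is the stronger evidence; the Referer fallback is what lets it cross the document.write()-inserted link hop, and the DOM-initiator fallback is the point where the post had to switch from Fiddler to Web Inspector. The audit only inspects the attribute string, so it can be run over an exported DOM snapshot as easily as over a live page.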

7 Comments

#2 (Staff, L2: Beginner, joined Jun 2017, 29 Posts, 10 Reputation)
Thanks for sending this over. We've gone ahead and blocked this.

#3 (Staff, Community Manager, joined Dec 2004, 68,724 Posts, 4,766 Reputation)
OP, I want to personally thank you.
This info was/is amazingly detailed and helpful.

#4 (Staff, L3: Novice, joined May 2015, 145 Posts, 50 Reputation)
Quote from DancingNeko: (quotes the original post in full)

Hey DancingNeko. Adding to what Schooby said here, we really appreciate you providing this level of detail. It's been extremely helpful for us.

User experience is the highest priority for us and it's for this reason we are very careful about which ad partners we work with. We routinely turn down opportunities to keep the chances of bad ads to an absolute minimum, but lately these scammers have really stepped it up and somehow managed to beat all of the filters in place for this kind of thing.

Really appreciate your help on this. If you happen to see this happen again and have the time to send us some details, please do. We are passionate about keeping this site as clean as possible.

Thanks!

#5 (Original Poster, L1: Learner, joined Nov 2016, 47 Posts, 78 Reputation)
Quote from doublewood: (quotes comment #4 in full)

Glad I can help 😊 Thanks for maintaining this one of a kind cool site. I'll share details again if rogue ads get in the way of scoring an awesome deal lol

#6 (Pro Global Mod, Super Moderator, joined May 2005, 49,185 Posts, 14,800 Reputation)
Quote from DancingNeko:
Glad I can help 😊 Thanks for maintaining this one of a kind cool site. I'll share details again if rogue ads get in the way of scoring an awesome deal lol

thanks and reps!!!

#7 (FW Expatriot, joined Apr 2008, 5,994 Posts, 88 Reputation)
Thank You

#8 (Demon, joined Apr 2005, 1,038 Posts, 230 Reputation)
Quote from DancingNeko: (quotes the original post in full)

Damn, awesome work! This explains why I haven't had the problem at all since Wed night!

I think SD owes you a paycheck, or job offer!

Gave you a rep too, but it doesn't look like you care about that sort of thing.