Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on October 21, 2015, 07:21:27 PM

Title: Spreading ABP acceptable ads from a hacked domain that now has been parked.
Post by: polonus on October 21, 2015, 07:21:27 PM
Unused domain rerouted to doubleclick! Unused domains are actually being diverted to an advertising nexus.
What is being shown here are non-blocked, so-called ABP acceptable ads; see the adblockkey code below.
There are two "allow" methods: one from the acceptable ads list, which is public, and another via an "x-adblock-key" that can be provided in an HTTP header. There is no list of which sites use the key.

Unblocked ad-clicks paying out from inside the domain grave, so to say. Dracula would be proud here ;D. At 70% of the revenue, the remaining percentage allegedly goes to the ABP German sales office for allowing the ads through.

It is now done for the suspended domain -malliehart.com -> http://toolbar.netcraft.com/site_report?url=http://malliehart.com
See the code to circumvent this adblocker here:
Code:
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_W4zvVLEonbnwXF7hLlQHq6EE/BZ7facATZUUCpZwTf5blEU82LhE+WDlFY8PP5CdHFYEaZOfyGuGtK7cMflLBw==" >
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>-malliehart.com</title>
    <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>
</head>
<body width="100%" height="100%">
<noscript><meta http-equiv="refresh" content="0;url=-http://imptestrm.com/rg-erdr.php?_dnm=malliehart.com&_cfrg=2&_drid=as-drid-2555965863243342&_bkt=11426" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="-http://imptestrm.com/rg-erdr.php?_dnm=malliehart.com&_cfrg=2&_drid=as-drid-2555965863243342&_bkt=11426" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>
<div id="rmgblock" width="100%" height="100%"></div>
<script type="text/javascript" src="-http://imptestrm.com/rg-main.php?_srg=1&bkt=11426&dmn=-malliehart.com&folio=394494536"></script>
<script type="text/javascript" language="JavaScript" src="-http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>
<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documentElement.clientHeight,document.body.scrollHeight,document.documentElement.scrollHeight,document.body.offsetHeight,document.documentElement.offsetHeight);document.getElementById("rmgblock").style.height=e+"px"}catch(e){}}try{window.onresize=collectHeight;collectHeight()}catch(e){} </script>
</body></html>
This link, -http://imptestrm.com/rg-erdr.php, could be infesting your browser. At least there is phishing going on there.
This redirects to: -http://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=&domain_name=imptestrm.com&channel=&drid=&output=html

Domain registrars participate in all manner of unethical and deceptive behavior; website owners should sign in to their NS account and change the domain settings. It's really that easy to stop such "abuse". What happens to suspended and sinkholed domains otherwise is not completely clear.

Why such types of abuse should be flagged, read here: http://www.bleepingcomputer.com/forums/t/576771/imptestrmcom-page-keeps-coming-up-in-browsers/

polonus (volunteer website security analyst and website error-hunter)
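Added example (not from polonus's post, from Adblock Plus or from any parking vendor): a stdlib-only Python triage script for a saved copy of a parked page like the one quoted above. It pulls the sitekey out of the data-adblockkey attribute or the x-adblock-key header the post mentions, splits it into the base64 SubjectPublicKeyInfo and the base64 RSA signature, reads the modulus size straight out of the DER (the key on the page above is 512-bit RSA, a size that is factorable with modest compute), applies the public key to the signature to confirm it is a genuine PKCS#1 v1.5 signature under that key, and lists the hosts the page hands visitors to via script src and the noscript meta refresh. The token layout and the signed string (path, host and User-Agent, NUL-separated, hashed with SHA-1) are my recollection of ABP's sitekey scheme and are treated as assumptions; the sample HTML is a trimmed, constructed copy of the page quoted above with the URLs kept defanged with the "-" prefix as posted.

```python
"""Offline triage of a saved parked-domain page (stdlib only): extract the
Adblock Plus sitekey (data-adblockkey attribute or X-Adblock-Key header),
inspect the RSA key inside it, list the hosts the page hands visitors to.
Added example, not ABP code. Sitekey layout (b64 SPKI '_' b64 signature,
PKCS#1 v1.5 over SHA-1 of path+'\\0'+host+'\\0'+User-Agent) is assumed."""
import base64
import re
from urllib.parse import urlparse

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def _der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_from_spki(der):
    """(modulus, exponent) from a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    _, alg, pos = _der_read(spki, 0)                    # AlgorithmIdentifier
    if _der_read(alg, 0)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)               # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsapub, _ = _der_read(bitstr, 1)                 # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _der_read(rsapub, 0)
    _, e_bytes, _ = _der_read(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def parse_sitekey(token):
    """Split '<b64 SPKI>_<b64 signature>' and describe the key it carries."""
    if "_" not in token:
        raise ValueError("sitekey has no '_' separator")
    key_b64, sig_b64 = token.split("_", 1)
    try:
        n, e = rsa_from_spki(base64.b64decode(key_b64))
        signature = base64.b64decode(sig_b64)
    except (IndexError, ValueError) as exc:             # binascii.Error is a ValueError
        raise ValueError(f"malformed sitekey: {exc}") from None
    return {"modulus": n, "exponent": e, "key_bits": n.bit_length(),
            "signature": signature, "signature_bytes": len(signature)}

def recover_pkcs1_digest(info):
    """Apply the public key to the signature. A well-formed PKCS#1 v1.5 SHA-1
    encoding proves the signature came from this key's private half and yields
    the 20-byte digest; None otherwise. The signed string itself cannot be
    rebuilt offline because (assumed) it includes the visitor's User-Agent."""
    n, e = info["modulus"], info["exponent"]
    s = int.from_bytes(info["signature"], "big")
    if s >= n:
        return None
    em = pow(s, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    sep = em.find(b"\x00", 2)                           # 00 01 FF..FF 00 DigestInfo digest
    if em[:2] != b"\x00\x01" or sep < 10 or set(em[2:sep]) != {0xFF}:
        return None
    body = em[sep + 1:]
    if body[:len(SHA1_DIGESTINFO)] != SHA1_DIGESTINFO or len(body) != len(SHA1_DIGESTINFO) + 20:
        return None
    return body[-20:]

ADBLOCKKEY_RE = re.compile(r'data-adblockkey\s*=\s*["\']([^"\']+)["\']', re.I)
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src\s*=\s*["\']([^"\']+)["\']', re.I)
META_REFRESH_RE = re.compile(r'content\s*=\s*["\']\d+\s*;\s*url=([^"\']+)["\']', re.I)

def sitekey_from_html(html):
    m = ADBLOCKKEY_RE.search(html)
    return m.group(1) if m else None

def sitekey_from_headers(headers):
    """The other delivery channel: a response header, matched case-insensitively."""
    return next((v for k, v in headers.items() if k.lower() == "x-adblock-key"), None)

def _host(url):
    return urlparse(url.lstrip("-")).hostname          # drop the forum's '-' defang prefix

def parking_indicators(html):
    """Third-party hosts reached via <script src> and the <noscript> meta refresh."""
    return {"script_hosts": sorted({_host(u) for u in SCRIPT_SRC_RE.findall(html)}),
            "refresh_hosts": sorted({_host(u) for u in META_REFRESH_RE.findall(html)})}

def triage(html, headers=None):
    """Report for one saved response: sitekey channel, key strength, outbound hosts."""
    headers = headers or {}
    token = sitekey_from_headers(headers) or sitekey_from_html(html)
    report = {"sitekey_source": None, "key": None, "weak_key": None, "pkcs1_valid": None}
    if token:
        info = parse_sitekey(token)
        report["sitekey_source"] = "header" if sitekey_from_headers(headers) else "html"
        report["key"] = {k: info[k] for k in ("key_bits", "exponent", "signature_bytes")}
        report["weak_key"] = info["key_bits"] < 1024    # 512-bit RSA is factorable today
        report["pkcs1_valid"] = recover_pkcs1_digest(info) is not None
    report.update(parking_indicators(html))
    return report

# Constructed sample: a trimmed copy of the parked page quoted in the post,
# defanged '-http://' URLs kept as posted.
SAMPLE_SITEKEY = (
    "MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2ent"
    "qri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ=="
    "_W4zvVLEonbnwXF7hLlQHq6EE/BZ7facATZUUCpZwTf5blEU82LhE+WDlFY8PP5Cd"
    "HFYEaZOfyGuGtK7cMflLBw=="
)
SAMPLE_HTML = f'''<html data-adblockkey="{SAMPLE_SITEKEY}">
<head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head>
<body>
<noscript><meta http-equiv="refresh" content="0;url=-http://imptestrm.com/rg-erdr.php?_dnm=malliehart.com&_cfrg=2" /></noscript>
<script type="text/javascript" src="-http://imptestrm.com/rg-main.php?_srg=1&dmn=-malliehart.com"></script>
<script type="text/javascript" src="-http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>
</body></html>'''

if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

Feed it a saved response body plus its headers: a page that ships a sitekey and also loads domainpark scripts is exactly the pattern the post describes. weak_key is set when the modulus is under 1024 bits; pkcs1_valid only says the signature was produced with the embedded key's private half, not which path, host or User-Agent it covers.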