Author Topic: Speading ABP acceptable ads from a hacked domain that now has been parked.  (Read 3025 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33632
  • malware fighter
Unused domain rerouted to doubleclick! Unused domains are actually being diverting to an advertising nexus.
What is being shown here are non-blocked so-called ABP acceptable ads, see adblockkey-code,
There are two "allow" methods, one from the acceptable ads list, which is public, and another via an "x-adblock-key" that can be provided in an HTTP header. There is no list of which sites use the key.

Unblocked ad-clicks paying from inside the domain grave, so to say. Dracula would be proud here ;D at 70% of the revenue the remaining percentage allegedly  goes to ABP German Sales-Office for allowing the ads through

It is now done for the suspended domain -malliehart.com -> http://toolbar.netcraft.com/site_report?url=http://malliehart.com
See the code to circumvent this adblocker here
Code: [Select]
<!DOCTYPE html PUBLIC> <html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_W4zvVLEonbnwXF7hLlQHq6EE/BZ7facATZUUCpZwTf5blEU82LhE+WDlFY8PP5CdHFYEaZOfyGuGtK7cMflLBw==" >
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <title>-malliehart.com</title>
    <style type="text/css">*{margin:0; padding:0; border: 0; overflow:hidden} html, body {height: 100%;}</style>
</head>
<body width="100%" height="100%">
<noscript><meta http-equiv="refresh" content="0;url=-http://imptestrm.com/rg-erdr.php?_dnm=malliehart.com&_cfrg=2&_drid=as-drid-2555965863243342&_bkt=11426" /><center><p style="padding:1em; font-size:1.5em;">For search results please <a href="-http://imptestrm.com/rg-erdr.php?_dnm=malliehart.com&_cfrg=2&_drid=as-drid-2555965863243342&_bkt=11426" style="text-decoration:underline; color:#0000EE;">CLICK HERE</a>.</p></center></noscript>
<div id="rmgblock" width="100%" height="100%"></div>
<script type="text/javascript" src="-http://imptestrm.com/rg-main.php?_srg=1&bkt=11426&dmn=-malliehart.com&folio=394494536"></script>
<script type="text/javascript" language="JavaScript" src="-http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"></script>
<script type="text/javascript"> function collectHeight(){try{var e=Math.max(document.documentElement.clientHeight,document.body.scrollHeight,document.documentElement.scrollHeight,document.body.offsetHeight,document.documentElement.offsetHeight);document.getElementById("rmgblock").style.height=e+"px"}catch(e){}}try{window.onresize=collectHeight;collectHeight()}catch(e){} </script>
</body></html>
This link -http://imptestrm.com/rg-erdr.php could be infesting your browser. At least there is PHISHing goin'on there.
This redirects to: - http://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=&domain_name=imptestrm.com&channel=&drid=&output=html

Domain registrars participate in all manner of unethical and deceptive behavior, websites should sign into their NS account and change the domain settings. It's really that easy to stop such "abuse". What happens to suspended and sinkholed domains otherwise is not completely clear.

Why such types of abuse should be flagged, read here: http://www.bleepingcomputer.com/forums/t/576771/imptestrmcom-page-keeps-coming-up-in-browsers/

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: October 21, 2015, 07:29:23 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!