#1
underworldlive.com hacked/malware?
The official Underworld site is serving malware/junkware that appears when you click the "accept" button for cookies. It's coming from a script that's loaded directly from the page source, and the official site seems to use WordPress, so chances are it got hacked. I figured I'd post about this here in the hopes that someone can bring it to the attention of the right person.
#3
Re: underworldlive.com hacked/malware?
This is the kind of popup I'm getting - but it seems to happen rarely, and is easiest to trigger when I visit from a new IP. Unfortunately I failed to capture exactly what's doing it here this time, and I can't get it to trigger again.
I'm positive it's not client-side - I've seen this multiple times on multiple computers, but only on underworldlive.com. I'll keep trying to see if I can get it to happen again.
#4
Re: underworldlive.com hacked/malware?
Caught it! It's a sneaky bastard, but it shows up if you visit from an IP that hasn't visited the site recently. I ended up tethering to my phone to catch it in the act (and toggling airplane mode to get a fresh IP). You'll see a script block at the bottom of the body that's responsible for the malware popunder. I didn't have any success with this on my Mac, so it might be doing user-agent checking as well.
Here's the source to the page I was served, in case it helps: https://pastebin.com/dgDtPiCD
#5
Re: underworldlive.com hacked/malware?
Oh yeah, you can totally see the malicious code at the very bottom of the HTML you pasted. That whole last block of JavaScript right before the end body tag. This part in particular is probably what caused your pop-up:
Code:
window.event;doOpen("http://helpcenterforall.bid/index/?MCPKV8")
https://imgur.com/a/6ADUf
On the other loads, that JavaScript block doesn't appear. Nice catch, thanks. I'll pass it along to management.
#6
Re: underworldlive.com hacked/malware?
Have also forwarded this to the UW management that I am in contact with.
__________________
UW0764 || Professor: "Underworld have never failed to disappoint me" || Yannick changed my avatar picture.