  #1  
Old 10-20-2017, 04:12 PM
darmok
dust between the wires
 
Join Date: Aug 2017
Posts: 28
underworldlive.com hacked/malware?
The official Underworld site is serving malware/junkware that appears when you click the "accept" button for cookies. It's coming from a script that's loaded directly from the page source, and the official site seems to use WordPress, so chances are it got hacked. I figured I'd post about this here in the hopes that someone can bring it to the attention of the right person.
  #2  
Old 10-20-2017, 04:28 PM
TheBang
Admaxistrator
 
Join Date: Jan 2006
Location: Sunny Hawaii
Posts: 4,840
Re: underworldlive.com hacked/malware?
I didn't see anything untoward try to get loaded. Do you have any more details?
  #3  
Old 10-20-2017, 05:06 PM
darmok
dust between the wires
 
Join Date: Aug 2017
Posts: 28
Re: underworldlive.com hacked/malware?
This is the kind of popup I'm getting - but it seems to happen rarely, and is easiest to trigger when I visit from a new IP. Unfortunately I failed to capture exactly what's doing it here this time, and I can't get it to trigger again.

I'm positive it's not client-side - I've seen this multiple times on multiple computers, but only on underworldlive.com .

I'll keep trying to see if I can get it to happen again.
[Attached screenshot: Screenshot_20171020_185300.png]
  #4  
Old 10-20-2017, 05:48 PM
darmok
dust between the wires
 
Join Date: Aug 2017
Posts: 28
Re: underworldlive.com hacked/malware?
Caught it! It's a sneaky bastard, but it shows up if you visit from an IP that hasn't visited the site recently. I ended up tethering to my phone to catch it in the act (and toggling airplane mode to get a fresh IP). You'll see a script block at the bottom of the body that's responsible for the malware popunder. I didn't have any success with this on my Mac, so it might be doing user-agent checking as well.

Here's the source to the page I was served, in case it helps: https://pastebin.com/dgDtPiCD
  #5  
Old 10-20-2017, 06:28 PM
TheBang
Admaxistrator
 
Join Date: Jan 2006
Location: Sunny Hawaii
Posts: 4,840
Re: underworldlive.com hacked/malware?
Oh yeah, you can totally see the malicious code at the very bottom of the HTML you pasted. That whole last block of JavaScript right before the end body tag. This part in particular is probably what caused your pop-up:

Code:
window.event;doOpen("http://helpcenterforall.bid/index/?MCPKV8")
You're right, it is really hard to get it to trigger. I was only able to get it using a fresh Edge browser once (subsequent visits didn't have it), but when I did get it, it had that same malicious JavaScript block as in your paste, causing this:

https://imgur.com/a/6ADUf

On the other loads, that JavaScript block doesn't appear.
Nice catch, thanks. I'll pass it along to management.
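
The posts above note that the injected script block is only served on some loads. As an added example (not part of any post in this thread), the Python below compares a clean snapshot of a page with a suspect one, lists the inline script blocks present only in the suspect copy, and reports the off-site hosts they reference. The sample HTML, the host names and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")

class InlineScriptCollector(HTMLParser):
    """Collect the text of every inline <script> block (no src attribute)."""
    def __init__(self):
        super().__init__()
        self.blocks, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.blocks.append("".join(self._buf).strip())
            self._buf = None

def inline_scripts(html):
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.blocks

def foreign_hosts(blocks, allowed):
    """Hosts named in the script text that are not an allowed domain or a subdomain of one."""
    hosts = set()
    for block in blocks:
        for url in URL_RE.findall(block):
            host = (urlparse(url).hostname or "").lower()
            if host and not any(host == a or host.endswith("." + a) for a in allowed):
                hosts.add(host)
    return hosts

def diff_snapshots(baseline_html, suspect_html, allowed):
    """Return (inline scripts only in the suspect copy, foreign hosts they reference)."""
    known = set(inline_scripts(baseline_html))
    added = [s for s in inline_scripts(suspect_html) if s not in known]
    return added, foreign_hosts(added, allowed)

# Constructed sample pages: the suspect copy carries one extra block before </body>.
BASELINE = '<html><body><p>hi</p><script>var cookieOk = true;</script></body></html>'
SUSPECT = ('<html><body><p>hi</p><script>var cookieOk = true;</script>'
           '<script>window.event;doOpen("http://popunder.example.invalid/index/?ID")'
           '</script></body></html>')
ALLOWED = {"site.example"}  # assumed: the site's own domain
```

Saving the served HTML on each fetch, as was done with the paste in post #4, is what makes this comparison possible when the block is absent on most loads.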
  #6  
Old 10-21-2017, 06:32 AM
stimpee
Administrator
 
Join Date: Jun 2005
Location: Netherlands
Posts: 3,823
Re: underworldlive.com hacked/malware?
Have also forwarded this to the UW management that I am in contact with.
__________________
UW0764 || Professor: "Underworld have never failed to disappoint me" || Yannick changed my avatar picture.
  #7  
Old 10-21-2017, 12:47 PM
crank
I'm a big sister
 
Join Date: Jun 2005
Location: somewhere between waking and sleeping
Posts: 1,051
Re: underworldlive.com hacked/malware?
i hit it too. it didn't hit me- but i was shocked. and it was triggered on my phone as well.
All times are GMT -7.