Over the last few years, as AdTech and browser security has continued to mature, many malvertisers have moved on from forced redirect campaigns that target premium publishers and top-tier advertising platforms. The ones that are left, however, typically have little tricks that they employ in order to try and achieve some sort of positional advantage in order to optimize their impact and reach.
Today we are looking at part of a payload from a threat actor that we call D-Shortiez. A group that runs forced redirect campaigns that propel victims down familiar malicious click-chains which surface familiar scams like this:
The redirect payload itself consists mainly of largely unremarkable fingerprinting and tracking functions:
https://medium.com/media/938706bead30e0493668109ba8d6123d/href
When we come across redirect campaigns like this, we like to pay extra attention to the actual redirect mechanics in order to see if anything weird is going on.
Starting on line 211 we see a nested try/catch that attempts the actual forced redirection. This is all fairly standard as different browsers respond differently to different redirect attempts and the bad actors have learned that throwing the kitchen sink at it will maximize the chances of a successful redirection.
The part that made us pause and closely consider what’s happening here are these few lines:
if (!!(window.top.history && window.top.history.pushState)) {
window.top.history.pushState(null, null, '');
window.top.onpopstate = function(event) {
window.top.location.href = redirectUrl+'back';
};
A description of the popstate event from MDN:
The popstate event of the Window interface is fired when the active history entry changes while the user navigates the session history. It changes the current history entry to that of the last page the user visited or, if history.pushState() has been used to add a history entry to the history stack, that history entry is used instead.
We staged our own payload for t
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: