A malvertising campaign uses decoy websites pushing cryptocurrencies and then redirects users to the RIG exploit kit, Malwarebytes Labs said.
The decoy page contains a third-party JavaScript that appears to be conditionally loaded, based on the visitor's user agent and geolocation, according to a Feb. 28 blog post.
One spoof site carries the url https://investingtodayfix[dot]top with such enticing copy as “Earns Profit,” “the best invest site” and “we show you how.”
“That JavaScript contains many different ways to fingerprint users and determine whether they are legitimate or not by validating some checks,” says Jerome Segura, Malwarebytes Labs' lead malware intelligence analyst, who called the campaign “Coins LTD.”
Segura examined the JavaScript code, which he found contains many different ways to fingerprint users, and determine whether they are legitimate or not by validating some checks:
- getHasLiedLanguages
- getHasLiedResolution
- getHasLiedOS
- getHasLiedBrowser
The scheme features filtering steps to avoid bots, relying on a decoy gate, a ploy getting tapped more often these days by cyberattackers, he notes.
