Today one of our techs was working on a website for one of our Platinum Management customers and came across a disturbing discovery: the website was opening a new window to a malvertising (malicious advertising) site. It would only happen on the first page load, and only when it registered a click on the page.

As part of our management service, we began executing a cleanup on the site. We’ve got a pile of processes for doing this, and all of them turned up… nothing. We checked with an antivirus tool, we used Sucuri’s SiteCheck, we used Wordfence, and then we manually reviewed a ton of files which are often targeted by attacks. Nothing turned up!

Next was to inspect the javascript files being loaded by the page, using the web inspector in my browser. I narrowed it down to: rhpop_1.1.42.js

That js file was loaded by hxxp:// / adServe / banners?tid=SWTMPOP&tagid=2

That file was loaded by hxxp:// / api / v2/apps/csrf/24048

Wait a second.. Sweetcaptcha? That’s a plugin the site is using…

I disabled the plugin and the problem disappeared immediately. After doing a quick search, I found that SweetCaptcha had been hijacked and turned into a Spamvertising distribution tool.

So, if you’re getting these sort of malvertising popup windows, check to see if your site has Sweetcaptcha installed. If so, get rid of it!

About Allen Pooley

Allen is a self professed geek and technology lover. He's always playing with one of his various websites, and loves helping customers with theirs. He can often be found with a coffee (light roast, please) in his hand and a smile on his face... or with a plate of bacon. Mmm, bacon.

Leave a Comment