Today one of our techs was working on a website for one of our Platinum Management customers and came across a disturbing discovery: the website was opening a new window to a malvertising (malicious advertising) site. It would only happen on the first page load, and only when it registered a click on the page.
As part of our management service, we began executing a cleanup on the site. We’ve got a pile of processes for doing this, and all of them turned up… nothing. We checked with an antivirus tool, we used Sucuri’s SiteCheck, we used Wordfence, and then we manually reviewed a ton of files which are often targeted by attacks. Nothing turned up!
That js file was loaded by hxxp:// clktag.com / adServe / banners?tid=SWTMPOP&tagid=2
That file was loaded by hxxp:// www.sweetcaptcha.com / api / v2/apps/csrf/24048
Wait a second... SweetCaptcha? That’s a plugin the site is using…
I disabled the plugin and the problem disappeared immediately. After doing a quick search, I found that SweetCaptcha had been hijacked and turned into a Spamvertising distribution tool.
So, if you’re getting this sort of malvertising popup window, check to see if your site has SweetCaptcha installed. If so, get rid of it!
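The file scans above came up clean because the popup code lived on a third-party host rather than on disk. As an added example (not part of the original post), this sketch lists the external hosts a saved page pulls scripts and iframes from and flags the two named above; the function names, the `shop.example` site, the allowlist and the sample markup are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts named in the post; treat any subdomain as a match too.
WATCHLIST = {"sweetcaptcha.com", "clktag.com"}

class SrcCollector(HTMLParser):
    """Collect src URLs of tags that pull in remote active content."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.sources.append(src.strip())

def matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_third_party(html, site_host, allowed=frozenset()):
    """Return sorted (host, verdict) pairs for each external script/iframe host."""
    parser = SrcCollector()
    parser.feed(html)
    findings = {}
    for src in parser.sources:
        # Protocol-relative URLs (//host/path) need a scheme before parsing.
        url = "http:" + src if src.startswith("//") else src
        host = (urlsplit(url).hostname or "").lower()
        if not host or matches(host, {site_host}):
            continue  # relative path or first-party host
        if matches(host, WATCHLIST):
            findings[host] = "watchlisted"
        elif matches(host, allowed):
            findings[host] = "allowed"
        else:
            findings[host] = "unreviewed"  # nobody has vetted this host yet
    return sorted(findings.items())

# Constructed sample markup (hypothetical site shop.example, constructed paths).
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
<script src="http://www.sweetcaptcha.com/api/constructed-sample.js"></script>
<script src="https://widgets.example.net/chat.js"></script>
</head><body><iframe src="https://shop.example/embed"></iframe></body></html>"""

if __name__ == "__main__":
    for host, verdict in audit_third_party(SAMPLE_HTML, "shop.example", {"googleapis.com"}):
        print(f"{verdict:12}{host}")
```

This only sees the first hop present in the markup; the clktag.com request described above was made at runtime by the SweetCaptcha script, so pair it with the browser's network log.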