[voltagex_]

Can you help with any analysis of http://blog.voltagex.org/2015/10/07/malvertising-on-my-stack...?

Basically, a script started displaying really intrusive ads on StackOverflow, initially only on my Nexus 5 - the only way to get rid of them was clearing the cache. It did not happen over HTTPS. A commenter thinks it might be a compromised Google Analytics script but this doesn't sound possible.

[andy112]

Hmm, that sounds strange.

If you were only able to reproduce it on a Nexus 5, I don't think analysis with ScriptObservatory will be easy. I'd still suggest submitting the URLs to be scanned by the robo-browser and then looking to see if what gets reported looks similar to what you saw before.

Also, if you write a Yara rule that matches on some of the unique features in the JS/iframes you saw, you could run a search through what's been seen. You can use that to also be alerted when new matches are reported. If something similar has been seen elsewhere, you might be able to tie it to a specific ad network.

[voltagex_]

Looking at Yara rules - I won't have time today but a unique-ish string in the script was

adsbyText:"ADS BY "+

including quotes.

[andy112]

Yep that looks like a good string to key off of.

The results for the site you mentioned are here - https://scriptobservatory.org/webpage/543677125f1bea8226ba7c... - but I don't see anything that looks like a clear match.

[voltagex_]

Do you differentiate between http and https versions of sites?

[andy112]

Yes, the two are considered as if they were completely separate sites.

[voltagex_]

The only reason I haven't run it again in a VM on a desktop is that the desktop version of these ads is a lot more malicious - exe downloads of antivirus scam software