eBay: zaful advert playing music automatically (another d.willvox.com malicious advert)

As a follow-on from last month, when gamiss.com was hijacking eBay pages, this month it is zaful.com.

This time the visitors don’t get hijacked away from eBay but they do get music playing at them in the background while they are on eBay pages.

The advert causing this looks like:

[Image: ebay advert playing music.png]

The chain of requests goes like this.

You visit an item on eBay (and probably many of the other pages too).

This has, among many others, an iFrame that fetches from:

https://ir.ebaystatic.com/cr/v/c1/x-frame-4.html

Which then runs some JavaScript to show an advert: function showAd()

This triggers a request to image3.pubmatic.com which is a legitimate advertising network. This responds with:

https://tags.mathtag.com/notify/js?exch=pub&id=REDACTED&sid=3049544&cid=5455548&nodeid=1135&price=0.08&group=eu&auctionid=2004222052992160077&bp=a_aiaaaa&3pck=REDACTED

Interesting to see the price paid in the URL! Mathtag seems to be where things go wrong (as it did last month too). Mathtag responds with some JavaScript that sends users on to:

https://d.willvox.com (also used in last month's page hijacking).

This malicious website then responds with the advert code:

<div><a href="https://www.zaful.com/" target="_blank"><img src="https://d.willvox.com/ad/zaful.jpg" height="90" width="725"></a>
<img width="300" height="250" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&amp;af=https://ebayadvertising.co.uk/&amp;cn=3049544&amp;cv=5455548&amp;dp=5956238474928068609" style="display:none;">
<iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe>
<iframe src="https://www.zaful.com/m-promotion-active-valentines-sale.html?innerid=35&amp;lkid=13266105" style="display:none"></iframe>
<iframe src="https://www.gamiss.com/?lkid=13368106" style="display: none" sandbox="allow-scripts allow-same-origin allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://www.rosegal.com/promotion-christmas-sale.html?lkid=12369082" style="display:none"></iframe></div>

Job done! While trying to pollute the eBay visitor with referral code tracking for gamiss, zaful, rosegal, gearbest and aliexpress, the zaful page embedded within the advert has a further embedded YouTube video that plays music!
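As an added example (not part of the original post, and not eBay's or any ad network's code), this Python check parses a captured creative and reports every image or iframe that loads a URL while hidden, noting which ones carry the `lkid` parameter. `CREATIVE` is an excerpt of the markup quoted above; treating `lkid` as the referral identifier is an assumption, and `find_hidden_loads` is a hypothetical helper name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumption: lkid is the referral identifier (it is on every hidden iframe URL above).
REFERRAL_PARAMS = {"lkid"}

# Excerpt of the creative quoted above: one visible banner, three hidden loads.
CREATIVE = """<div><a href="https://www.zaful.com/" target="_blank"><img src="https://d.willvox.com/ad/zaful.jpg" height="90" width="725"></a>
<img width="300" height="250" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&amp;af=https://ebayadvertising.co.uk/&amp;cn=3049544&amp;cv=5455548&amp;dp=5956238474928068609" style="display:none;">
<iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe>
<iframe src="https://www.gamiss.com/?lkid=13368106" style="display: none" sandbox="allow-scripts allow-same-origin allow-top-navigation-by-user-activation"></iframe></div>"""


class HiddenLoadFinder(HTMLParser):
    """Collect <img>/<iframe> elements that fetch a URL but are never displayed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        # Normalise the inline style so "display: none" and "display:none;" both match.
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or "hidden" in a
                  or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
        if not hidden:
            return
        url = urlsplit(a.get("src", ""))  # entities such as &amp; are already decoded
        params = sorted(parse_qs(url.query).keys() & REFERRAL_PARAMS)
        self.findings.append({"tag": tag, "host": url.hostname, "referral_params": params})


def find_hidden_loads(html):
    """Return one finding per hidden img/iframe in the creative's markup."""
    finder = HiddenLoadFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in find_hidden_loads(CREATIVE):
        print(finding)
```

The check only sees inline styles and attributes in the markup it is given; elements hidden by an external stylesheet or injected later by script would need the rendered DOM instead.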

eBay’s only response to this is blaming the user.

[Image: ebay blaming user for bad adverts.png]

If you are reading this and are affected: it isn’t you, it is eBay (again!). Feel free to send them to this page so they can read up on their own crappy advertising ecosystem and fix it.
