As a follow on from last month where gamiss.com was hijacking eBay pages.. this month it is zaful.com.
This time the visitors don’t get hijacked away from eBay but they do get music playing at them in the background while they are on eBay pages.
The advert causing this looks like:
The chain of requests goes as so.
You visit an item on eBay (and probably many of the other pages too).
This has, among many others, an iFrame that fetches from:
This triggers a request to image3.pubmatic.com which is a legitimate advertising network. This responds with:
https://d.willvox.com (also used in last months page hijacking).
This malicious website then responds with the advert code:
<div><a href="https://www.zaful.com/" target="_blank"><img src="https://d.willvox.com/ad/zaful.jpg" height="90" width="725"></a> <img width="300" height="250" src="http://s.click.aliexpress.com/e/JuvRrzb?bz=120*600&af=https://ebayadvertising.co.uk/&cn=3049544&cv=5455548&dp=5956238474928068609" style="display:none;"> <iframe src="https://www.gearbest.com/promotion-8-march-special-1216.html?lkid=13364449" style="display: none"></iframe> <iframe src="https://www.zaful.com/m-promotion-active-valentines-sale.html?innerid=35&lkid=13266105" style="display:none"></iframe> <iframe src="https://www.gamiss.com/?lkid=13368106" style="display: none" sandbox="allow-scripts allow-same-origin allow-top-navigation-by-user-activation"></iframe> <iframe src="https://www.rosegal.com/promotion-christmas-sale.html?lkid=12369082" style="display:none"></iframe></div>
Job done! While trying to pollute the eBay visitor with referal code tracking for gamiss, zaful, rosegal, gearbest and aliexpress the zaful page embedded within the advert then has a further embedded youtube video that plays music!
eBay’s only response to this is blaming the user.
If you are reading this and are affected.. it isn’t you.. it is eBay (again!). Feel free to send them to this page so they can read up on their own crappy advertising ecosystem and fix it.