Show HN: ScriptObservatory.org – How much malicious JavaScript goes unnoticed? (scriptobservatory.org)
Why is something like this a good idea?
JavaScript, iframes, and other embedded web content have the potential to cause your browser to take unwanted and even harmful actions on your behalf; however, visibility into what you're running as you browse is very limited. After-the-fact analysis of what you were sent is (in nearly all cases) outright impossible.
If you have any thoughts or want a few interesting queries to get started, get in touch. Feedback is welcome!
Basically, a script started displaying really intrusive ads on StackOverflow, initially only on my Nexus 5 - the only way to get rid of them was clearing the cache. It did not happen over HTTPS. A commenter thinks it might be a compromised Google Analytics script but this doesn't sound possible.
If you were only able to reproduce it on a Nexus 5, I don't think analysis with ScriptObservatory will be easy. I'd still suggest submitting the URLs to be scanned by the robo-browser and then looking to see if what gets reported looks similar to what you saw before.
Also, if you write a Yara rule that matches on some of the unique features in the JS/iframes you saw, you could run a search through what's been seen. You can use that to also be alerted when new matches are reported. If something similar has been seen elsewhere, you might be able to tie it to a specific ad network.
adsbyText:"ADS BY "+
including quotes.
The results for the site you mentioned are here - https://scriptobservatory.org/webpage/543677125f1bea8226ba7c... - but I don't see anything that looks like a clear match.
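A sketch of the kind of Yara rule suggested above, built around the fragment quoted in the thread. This is an added example, not part of the original thread or of ScriptObservatory's own rules. The rule name, the looser regex variant, and the premise that the fragment comes from the injected ad script are assumptions.

```yara
rule Injected_AdsBy_Label_JS
{
    meta:
        description = "JS containing the adsbyText label fragment quoted in the thread"
        note = "Added example; rule name and the $loose variant are assumptions"

    strings:
        // Literal exactly as quoted in the thread, including the double quotes.
        $exact = "adsbyText:\"ADS BY \"+" ascii

        // Assumed variant: tolerates optional whitespace, single quotes and
        // case changes, in case the same script is served un-minified or
        // lightly re-packed. Bounded repeats keep the regex cheap to scan.
        $loose = /adsbyText\s{0,4}:\s{0,4}["']ADS BY ["']\s{0,4}\+/ ascii nocase

    condition:
        any of them
}
```

The exact string keeps false positives low; a hit on `$loose` alone is a lead to review by hand rather than a confirmed match.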