Attack of the BrowserDetect

1 Reply

This infection has been around for awhile, but it’s been more popular recently.

We’ve been seeing it after the closing html tag in index.html files:

Here’s the code:

(opening script tag) var BrowserDetect = { init: function () { this.browser = this.searchString(this.dataBrowser) || "An unknown browser"; this.version = this.searchVersion(navigator.userAgent)...');}else {}(closing script tag)

There have been other domains in place of allegianstaffing.com too, but the bottom line is that the above script performs a series of browser checks then creates an iframe.

This infection has been seen in Zen Cart, osCommerce, WordPress and Prestashop websites by us, but I’m certain that it’s just the infection used at the moment.

If you’ve experienced this infection and need assistance with it, please call us at (847)728-0214 or email me at traef@wewatchyourwebsite.com

If you have any comments to add to this, please leave a comment below.

Thank you.

One thought on “Attack of the BrowserDetect

  1. Ian Dunn

    You didn’t replace the greater-than/less-than signs in the quoted code with their HTML entities, so the iframe to the infected website is actually being rendered by the browser. The URL protocol is obfuscated with “hxxp”, so they don’t actually go to the website, but they may get a warning prompt in their browser.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>