Overview
(Update: they have fixed the problem.)
When I tried to read an article on Nikkei, Chrome on Android moved without any notification to a strange website. (Caution: please don't access the URLs in the pictures.)
What I tried to read (Japanese only): http://trendy.nikkeibp.co.jp/article/col/20030924/106051/?ST=trnmobile_f
This advertisement simply hurts the brand image of the site that hosts it (in this case Nikkei). Other users have also run into the same problem: https://productforums.google.com/forum/#!msg/chrome/AzyvOJ1xcYg/L354tQk1BAAJ
Here is also an interesting comment (https://productforums.google.com/d/msg/chrome/AzyvOJ1xcYg/6R8cSVk8BwAJ):
TNTBrian said: After reading, I have two questions.
Even if it is an advertiser, Chrome is still being exploited.
Also it does not happen on an older version of Chrome -- At least for me. Would love to see if the same is true for others.
- How does it work?
- Why does Chrome allow the problematic script to run?
Track requests to know how it works
Here is the *.HAR file recorded in Google Chrome when I read trendy.nikkeibp.co.jp:
HAR.zip
In the responses, one Amazon EC2 instance returned JavaScript that includes the domain "comumx[dot]site", which is the site shown in the picture above.
It forcibly moves the web page to comumx[dot]site:
function(){top.window.location='http://comumx[dot]site/lpde1/index.php?s1=mas_jiami_de&pubid=B22CD7E7954F3EED828B3172748A31FA&bid=354163f6a3a632c304e2b91277de2f3b';}
After checking a bit, I realized this script was triggered through the following chain of requests:
- trendy.nikkeibp.co.jp
- www.googletagservice.com
- securepubads.g.doubleclick.net
- ads.rubiconproject.com
- optimized-by.rubiconproject.com
- tags.mathtag.com
- ec2-52-23-195-173.compute-1.amazonaws.com (this one responds with the problematic JavaScript)
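The same check can be scripted over the HAR capture. Below is an added example (not part of the original post) in Node.js that flags any response body containing a forced top-level navigation such as the top.window.location= snippet above and walks the Referer headers back to the publisher page; the embedded HAR is a constructed, trimmed sample with placeholder hosts, not the real HAR.zip.

```javascript
// Added example (not from the original post): scan a Chrome HAR capture for a
// response body that forces a top-level navigation and rebuild the host chain that
// led to it from Referer headers. SAMPLE_HAR is a constructed, trimmed HAR with
// placeholder hosts (publisher.example, ads.example.net, comumx.invalid, TEST-NET EC2).
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "http://publisher.example/article", headers: [] },
    response: { content: { text: "<html>article</html>" } } },
  { request: { url: "https://ads.example.net/frame.html",
               headers: [{ name: "Referer", value: "http://publisher.example/article" }] },
    response: { content: { text: "<script src='http://ec2-198-51-100-7.compute-1.amazonaws.com/ad.js'></script>" } } },
  { request: { url: "http://ec2-198-51-100-7.compute-1.amazonaws.com/ad.js",
               headers: [{ name: "Referer", value: "https://ads.example.net/frame.html" }] },
    response: { content: { text: "function(){top.window.location='http://comumx.invalid/lp/index.php?pubid=X';}" } } },
] } };
// Heuristic for code that navigates the top document: top.location = ...,
// top.window.location.href = ..., top.location.replace(...). Comparisons (==) are skipped.
const TOP_NAV_RE = /\btop(?:\.window)?\.location(?:\.href)?\s*=(?!=)|\btop(?:\.window)?\.location\.(?:replace|assign)\s*\(/;
const TARGET_RE = /location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/;
function header(entry, name) {
  const h = entry.request.headers.find(x => x.name.toLowerCase() === name);
  return h ? h.value : null;
}
function host(url) { try { return new URL(url).host; } catch (e) { return url; } }
// Follow Referer headers from a flagged entry back to the page the user opened;
// bounded by the entry count so a malformed or cyclic HAR cannot loop forever.
function refererChain(entries, entry) {
  const byUrl = new Map(entries.map(e => [e.request.url, e]));
  const chain = [host(entry.request.url)];
  let cur = entry;
  for (let i = 0; i < entries.length && cur; i++) {
    const ref = header(cur, "referer");
    if (!ref) break;
    chain.unshift(host(ref));
    cur = byUrl.get(ref); // undefined if the referring document is not in the capture
  }
  return chain;
}
// Every response whose body forces a top navigation, with its destination and host chain.
function findForcedRedirects(har) {
  const hits = [];
  for (const e of har.log.entries) {
    const body = (e.response && e.response.content && e.response.content.text) || "";
    if (!TOP_NAV_RE.test(body)) continue;
    const m = body.match(TARGET_RE);
    hits.push({ url: e.request.url, target: m ? m[1] : null, chain: refererChain(har.log.entries, e) });
  }
  return hits;
}
for (const h of findForcedRedirects(SAMPLE_HAR)) console.log(h.chain.join(" -> "), "=>", h.target);
```

To run it on a real capture, replace SAMPLE_HAR with JSON.parse of the exported .har file; Chrome only stores response bodies in the HAR when "Save all as HAR with content" is used.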
Why did Chrome allow this script to run?
According to the registry information in WHOIS, the domains belong to the following companies:
- NIKKEI (trendy.nikkeibp.co.jp)
- Google (www.googletagservice.com)
- Google (securepubads.g.doubleclick.net)
- Rubicon Project (ads.rubiconproject.com)
- Rubicon Project (optimized-by.rubiconproject.com)
- MediaMath (tags.mathtag.com)
- ec2-52-23-195-173.compute-1.amazonaws.com (this one responds with the problematic JavaScript)
Unfortunately I hadn't heard anything about "Rubicon Project" or "MediaMath". After googling, I realized they are advertising network companies / agencies.
Rubicon Project seems to belong to the IAB, so generally they should not allow such an advertisement: https://www.iab.com/news/iab-names-googles-jonathan-bellack-rubicon-projects-jay-sears-advertising-technology-council-co-chairs
MediaMath is described on Crunchbase (https://www.crunchbase.com/organization/mediamath#/entity). Their codebase also includes requests against "*.mathtag.com", e.g. https://github.com/search?utf8=%E2%9C%93&q=org:MediaMath+mathtag.com&type=Code&ref=searchresults
The HTTP response from Rubicon Project includes the following:
{ "pingdom_id": "2117306", "ttl": 7, "img": "http://pixel.mathtag.com/sync/img?redir=http%3A%2F%2Ftap.rubiconproject.com%2Foz%2Ffeeds%2Fmediamath-pub%2Ftokens%3Fafu%3D%5BMM_UUID%5D", "secure": { "img": "https://pixel.mathtag.com/sync/img?redir=https%3A%2F%2Ftap.rubiconproject.com%2Foz%2Ffeeds%2Fmediamath-pub%2Ftokens%3Fafu%3D%5BMM_UUID%5D" }, "partner": "mediamath-pub" }
Thus MediaMath is evidently a business partner of Rubicon Project.
NOTE:
This domain, "pixel[dot]mathtag[dot]com", has already raised some discussion before:
- http://www.spyviruskillers.com/how-to-remove-pixel-mathtag-com-browser-hijacker-removal-guides/
- https://social.technet.microsoft.com/Forums/office/en-US/f50daf75-6e17-4bdf-b34b-5dba0fcc74fe/pixel-mathtab-com?forum=outlook
In summary:
- Google shows an advertisement from its partner company, Rubicon Project
- Rubicon Project loads some script from its partner company, MediaMath
- MediaMath loads some (unfortunately malicious) scripts from their clients.
And I think it is fatal if an advertisement can hijack the contents of the site that hosts the advertisement.
If you have any feedback, please leave a comment.