Strange links from my Banking website

Discussion in 'other security issues & news' started by 7hohPAyXMd, Mar 7, 2014.

Thread Status:
Not open for further replies.
  1. 7hohPAyXMd

    7hohPAyXMd Registered Member

    Mar 7, 2014
    Hi all,

    I noticed the following two strange new links in my banking website (Poste italiane: Does anyone know what they might be?

    Please see screenshots for more details.
    http://http: // eX4HY8X.jpg
    http://http: // gymDoLv.jpg

    removed link clickability - unknown
    Last edited by a moderator: Mar 7, 2014
  2. dvk01

    dvk01 Global Moderator

    Oct 9, 2003
    Loughton, Essex. UK
    I would say from that, the likelihood is that you have been infected by a bot of some kind, quite possibly one of the recent zbot family of malware that is injecting or attempting to inject false information into the bank website.

    Do a full scan with a good antivirus in the first instance and then seek help on one of the malware cleaning sites.

    It is possible that you have some sort of malware that attempts to inject adverts into the site & replace any of the site's adverts. If the IP number that you have blanked out is your own IP, that is the most logical explanation.
  3. devonnullworth

    devonnullworth Registered Member

    May 17, 2014
    Did this happen to be from a domain? I happened to see a blocked script from plus my public IP in my NoScript listing. This kind of freaked me out, since (of course) it was our credit card site.

    I did some digging, and that appears to come from an 'fp_AA.js' script located at:

    I de-minified that script, and posted it here:

    The relevant code calling the image is at line 509:

    // Excerpt from the de-minified fp_AA.js. getRandomPort() is defined elsewhere in that script
    // and is assumed here to return a random port number; only this part was quoted in the post.
    ProxyCollector.doAjax = function (k, l) {
        // Build a URL to host k on a random port, for an image name that is not expected to exist
        var j = document.location.protocol + "//" + k + ":" + getRandomPort() + "/NonExistentImage" + getRandomPort() + ".gif";
        // ... remainder of the function not quoted in the post
    };

    So, it appears to be some kind of browser fingerprinting/proxy collector JavaScript. Perhaps it's trying to do an nmap-style TCP fingerprint of the response when it sends an HTTP request to a closed port?

    Also interesting is that I'm seeing those UUIDs listed on line 459 mentioned at:

    And there's an interesting read from Mozilla about browser fingerprinting at:

    It doesn't appear to be malware, just plain visitor tracking evilness.
    Last edited by a moderator: May 17, 2014
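The two explanations above (a webinject-style bot, or a proxy-collector script reaching out to the visitor's own IP on random ports) can both be triaged from the list of resources a banking page actually loaded, as NoScript shows it. The following is an added example, not code from the thread or from fp_AA.js: it flags resource URLs that target the visitor's own public IP, a private or loopback address, an unusual port, or the "/NonExistentImage<port>.gif" probe path quoted above. All domains, IPs and URLs are constructed, and the public IP and allowlist are assumptions.

```javascript
// Added example (not from the thread or from fp_AA.js): triage the resource URLs a bank
// page loaded, as listed by a tool like NoScript, and flag the ones that point at the
// visitor's own public IP, a private/loopback address, an unusual port, or the
// "/NonExistentImage<port>.gif" probe path. All hosts, IPs and URLs are constructed.

// The visitor's own public IP as it would appear in the NoScript list (constructed value).
const MY_PUBLIC_IP = "203.0.113.42";
// Domains the bank legitimately loads from (constructed allowlist).
const TRUSTED_DOMAINS = ["example-bank.test"];
// Ports a normal HTTP(S) resource load uses; "" means the URL had no explicit port.
const NORMAL_PORTS = new Set(["", "80", "443"]);

function isPrivateOrLoopback(host) {
  // Only IPv4 literals and "localhost" are recognised here.
  const m = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return host === "localhost";
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 192 && b === 168) || (a === 172 && b >= 16 && b <= 31);
}

// Returns the reasons one resource URL looks out of place on a banking page
// (an empty array means nothing notable).
function checkResource(urlString, trustedDomains, publicIp) {
  let u;
  try { u = new URL(urlString); } catch (e) { return ["unparseable URL"]; }
  const host = u.hostname;
  const reasons = [];
  if (host === publicIp) reasons.push("targets visitor's own public IP");
  if (isPrivateOrLoopback(host)) reasons.push("targets private or loopback address");
  if (!NORMAL_PORTS.has(u.port)) reasons.push("non-standard port " + u.port);
  if (/\/NonExistentImage\d+\.gif$/.test(u.pathname)) reasons.push("fp_AA.js-style port probe path");
  if (!trustedDomains.some(d => host === d || host.endsWith("." + d))) reasons.push("host not in allowlist");
  return reasons;
}

// Runs checkResource over a list and keeps only the flagged entries.
function triage(urls, trustedDomains = TRUSTED_DOMAINS, publicIp = MY_PUBLIC_IP) {
  return urls
    .map(url => ({ url, reasons: checkResource(url, trustedDomains, publicIp) }))
    .filter(e => e.reasons.length > 0);
}

// Constructed sample of what a NoScript-style listing for the page might contain.
const SAMPLE_URLS = [
  "https://www.example-bank.test/js/app.js",
  "https://cdn.example-bank.test/img/logo.png",
  "http://203.0.113.42:51234/NonExistentImage8080.gif",
  "http://127.0.0.1:3128/NonExistentImage1.gif",
  "https://analytics.tracker.test/fp_AA.js",
];

for (const e of triage(SAMPLE_URLS)) console.log(e.url, "->", e.reasons.join("; "));
```

A request flagged for the visitor's own IP or a loopback address is worth investigating either way: a clean-page compare from another machine separates a script the site really ships from content injected on the infected client.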