Tech & Engineering Blog

The Missing LNKR

Written by Ben Baryo | Oct 22, 2020 1:00:00 PM

How we connected several incidents our clients’ end-users experienced to a broad ad injection campaign spanning end-users across much of our customer base.

First Incidents

During a new integration of PerimeterX Code Defender in July, the customer alerted us that they had received complaints that several of their end users had experienced fraud after submitting payment details into their website. Our review of the code running on their website revealed nothing malicious.

We then used our visibility into their site and found a very small percentage of end users experiencing Javascript injections which contacted unexpected domains. The small number of affected users made it not likely to be a Magecart attack, as those usually run on as many users as possible instead of a small subset, but we wanted to dot all the i’s and cross all the t’s to verify this wasn’t a more elaborate, targeted attack.

The unexpected domains we encountered, guxuladebu[.]com and wejekihota[.]com, have been registered as recently as 04/2020 and were both tagged as high-risk by our domain intelligence provider. The scripts which were detected in the compromised sessions were injected into the payment iframe, and taking a close look at them revealed unobfuscated code, which included comments and full variable names. The scripts seemingly “only” inject ads and trackers into the page.

The Initial Adware Injection

The opening lines of one of the injections:

var alreadyLoadedMnz = true;
try {
   if (typeof(alreadyLoadedFdzScript) == "undefined") {
       var euPlugin = true;
       var alreadyLoadedFdzScript = true;
       var mainPluginKey = "8kime1SUSnpFEB9EJs$JTA";
       var countryPlugin = "br";

The injected scripts, losudu.guxuladebu[.]com/scripts/js and fevoki.wejekihota[.]com/scripts/js, both with object and method names such as fdzAdsManager, fdzNativeAds, pushMoreProducts, and replaceAds, it was easy to figure out what was going on; The script would seek out existing ads’ elements and iframes on the page - such as youtube ads, taboola, ligatus or outbrain - and replace them with its own ads.

replaceAds: function (format, element) {
 return new Promise(function (resolve) {
   if (element.height > 200) {
     jKiri.getJSON(
         dynamicURL('https://debezihe[.]wejekihota[.]com/assets/nataurl?width='
         + element.width + '&height=' + element.height + '&h='
         + btoa(document.location.host) + '&pk=' + mainPluginKey + '&callback=?'),
       null, function (json) {
         if (json.url) {
           if (jKiri('.native_adn').length >= fdzNativeAds.limit) {
             return resolve();
           }
           if (!document.body.contains(element.item[0])) {
             return resolve();
           }
           element.item.replaceWith(jKiri('<iframe class="native_adn" src="'
               + json.url + '" width="' + element.width + '" height="'
               + element.height
               + '" style="border:none;display:block;margin:auto" />'));
           if (json.boost_type && json.boost_type == "ctz") {
             fdzNativeAds.trackEvent("show", "native_ads_ctz", element.width + "x"
               + element.height, json.url);
           } else if (json.boost_type && json.boost_type == "adthink") {
             fdzNativeAds.trackEvent("show", "native_ads_adthink", element.width + "x"
               + element.height, json.url);
           } else {
             fdzNativeAds.trackEvent("show", "native_ads", element.width + "x"
               + element.height, json.url);
           }
           return resolve();
         } else {
           return resolve();
         }
     });
   } else {
     return resolve();
   }
 })
}

It would read specific input fields, such as on google’s shopping tab and other geo-specific sites (the scripts we first analyzed included targeted French speaking users) and inject ads based on the search query, with specific hardcoded categories such as flights and car rentals.

FSGroup And Google Search Results

These Fdz variables can be found on sites as early as 2017, but a more interesting find was the injection of another script from www.searchdirect[.]info/script/kr.php?uid=F248A67B54944A7A45101F4426CF894C&a=8383_ which starts with declaring a few unique variables:

var fsgroup = "28";
var trkid = '5f10493b02471';
var uid = 'F248A67B54944A7A45101F4426CF894C';
var affid = '8383';
var dom = 'www.searchdirect[.]info';

This file is another adware which replaces google’s search results with its own ads, based on a detected keyword in the query string. The script then fake clicks its injected ads to generate revenue. It also tracks which ads are displayed on the page and injects beacon trackers.

Another Injection

Another suspicious injection was found to be hosted on Amazon’s AWS: s3.amazonaws[.]com/jscache/19ff3cca12e47e3099.js and was much noisier than the previous two:

(function(f, i, j) {
   var g = "19ff3cca12e47e3099";
   var b = (function() {
       var l = 3;
       var p = parseInt("0");
       var o = parseInt("0");
       (function() {
           var r = ["mid=", "wid=52190", "sid=", "tid=6655", "rid=LAUNCHED"];
           a = (window.location.protocol == "http:" ? "http:" : "https:") + "//promlinkdev[.]com/metric/?" + r.join("&");
           var q = f.createElement("img");
           q.setAttribute("style", "width:0;height:0;display:none;visibility:hidden;");
           q.src = a + (a.indexOf("?") == -1 ? "?" : "&") + "t=" + (new Date().getTime());
           (document.head || document.documentElement).appendChild(q);
           if (typeof q.onload != j) {
               q.onload = function() {
                   q.parentNode && q.parentNode.removeChild(q)
               }}})();

It is minimized, and includes among other things:

  • Methods to report to C2 (Command & Control) and receive callback functions to run
  • A hardcoded list of specific domains and TLDs not to inject to
    E.g. lotterysambadresult[.]in, paypal[.]com, anything [.]gov, etc…
  • A hardcoded list of sites to inject specific banners to, most are in the Russian language
    E.g. mail[.]ru, rambler[.]ru, mysearch[.]com, securesurf[.]biz, etc...
  • Static ads injections as iframes
  • Injections of affiliation links
  • Facebook injection
  • Geolocation based injection allow and deny lists
  • Redirection of searches to affiliated search engines
  • Ability to inject nodes to input fields and textareas

Besides the fact that it’s much more robust and sophisticated than the previous injection, there was once again the loading of another script, www.findsearchresults[.]info/script/r.php?a=3200&uid=52190x0000xzzzzzzzzzzzzzzzzzzzzz which turned out to be another fsgroup script, mostly identical to the last one:

var fsgroup = "20";
var trkid = '5f201f06995c8';
var uid = '52190X0000XZZZZZZZZZZZZZZZZZZZZZ';
var affid = '3200';
var dom = 'www.findsearchresults[.]info';

Under The Radar

These couple of injections were seen in a small percentage of end-users, and coupled with the lack of evidence for the site being compromised, we assumed it must be a client-side injection, probably malware based, or a malicious browser extension. There was no further action to be taken.

Things Are Clearer The Second Time Around

A couple of days later, another incident surfaced. Though the offending injection originated from a domain tagged as high-risk, it was a match for the script injected from AWS: hardyload[.]com/22783aa0106c0e89f2.js

(function(f, i, j) {
   var g = "22783aa0106c0e89f2";
   var b = (function() {
       var l = 3;
       var p = parseInt("0");
       var o = parseInt("0");
       (function() {
           var r = ["mid=", "wid=52658", "sid=", "tid=8824", "rid=LAUNCHED"];
           a = (window.location.protocol == "http:" ? "http:" : "https:") + "//hardyload[.]com/metric/?" + r.join("&");
           var q = f.createElement("img");
           q.setAttribute("style", "width:0;height:0;display:none;visibility:hidden;");
           q.src = a + (a.indexOf("?") == -1 ? "?" : "&") + "t=" + (new Date().getTime());
           (document.head || document.documentElement).appendChild(q);
           if (typeof q.onload != j) {
               q.onload = function() {
                   q.parentNode && q.parentNode.removeChild(q)
               }}})();

And just like the previous case, it also loaded the fsgroup script, this time from www.findsearchresults[.]info/script/r.php?a=...

Again, not many sessions displayed this injection and so this was considered to be another case of client-side malware / rogue extension.

Connecting The Dots

While there were two different initial injections, the one starting with alreadyLoadedMnz and the one with the /metric/? in its path, both were adware and both injected the fsgroup script. The injections were also only witnessed in a relatively negligent number of sessions, but we were interested in knowing if this was perhaps a targeted attack against the customer’s users or a general case of client-side infection.

Extracting IoCs

To better understand the spread of these injections, we extracted the following regexp IoCs:

  • /script/js\?k=
  • /metric/?\?mid=
    For both /metric/?mid= and /metric?mid=
  • /optout/[gs]et
    For both /optout/get and /optout/set
  • ^(https?:)?//[^/]+?/[a-f0-9]{18}\.js$
    Pretty generic, but surprisingly returns good results. A good way to remove false positives is to verify both letters and numbers make up the filename

Is It Just Me?

Armed with the IoCs, we searched across our customers for compromised end-users in the past week, and found:

  • About 120 different domains with requests matching our IoCs
  • Almost all of our Code Defender customers had compromised users visiting their sites
  • The number of compromised users wasn’t significant compared to the number of overall visitors to the site

The numbers aren’t staggering to say the least, but from week to week they were consistent and everywhere.

The injections seems to be coming from either Chrome or Firefox browsers, and not from mobile devices, reaffirming our hypothesis that this was a case of malicious extension / client-side malware:

Where Things Got Interesting

One of the tools we use during our investigation is HTTP Archive which we usually search using Google’s BigQuery. We were wondering if perhaps we could find the injections somewhere else on the web. We first looked for more occurrences of the injections we already have; perhaps finding them in context will yield new information? If they are indeed client-side injections we expect not to find any matches. So we first searched for sites which communicate with our already seen domains:

SELECT * FROM `httparchive.response_bodies.2020_08_01_desktop`
WHERE 
  REGEXP_CONTAINS(url, r'.*(guxuladebu\.com|wejekihota\.com|searchdirect\.info|findsearchresults\.info).*');

And surprisingly we found injections matching those we’ve seen! Not many, but we weren’t expecting to find any! We looked for more examples by searching for unique strings within the injections:

SELECT * FROM `httparchive.response_bodies.2020_08_01_desktop`
WHERE
  body LIKE '%/log/?l=error&m="%'
  OR body LIKE "var alreadyLoadedMnz%";

This yielded almost 300 results, from different sites, with the injected scripts coming from different domains, with the request URLs all matching our IoCs.

We got practically the same results when we searched for our IoCs with the following query:

SELECT DISTINCT page FROM `httparchive.requests.2020_08_01_desktop`
WHERE 
  (REGEXP_CONTAINS(url, r'^(https?):?//[^/]+?/[a-f0-9]{18}\.js$')
  AND NOT REGEXP_CONTAINS(url, r'^(https?):?//[^/]+?/[0-9]{18}\.js$')
  AND NOT REGEXP_CONTAINS(url, r'^(https?):?//[^/]+?/[a-f]{18}\.js$'))
  OR REGEXP_CONTAINS(url, r'.*(/script/js\?k=|/optout/[gs]et).*');

Why would what we thought was a client-side injection be embedded into sites?

The Missing LNKR

Intrigued, we looked further into the domains involved, and found one of them, cdnapps[.]us, was registered with the email frankomedison1020@gmail.com and a quick google search led us to a KrebsOnSecurity blog entry from March, 2020 which described a similar situation to what we started with, attributed to malicious extensions. The extensions might not have started malicious but were later sold to new owners who turned them into adware. Krebs goes on to suggest how sites were embedded with the same injections - the sites were edited in-browser, while a malicious extension was running in the background, which resulted in malicious code injected into the pages during the online edit.

A more recent blog entry from Netskope refers to this as a LNKR campaign, named after a string found in its earlier iterations back in 2016.

A security researcher named Paul Buonopane has described the LNKR injections, gave several IoCs, and also analyzed a fake extension which was a copy of a legit extension with the malicious injections appended to it.

What Do You Mean It’s Already Taken Care Of?

Now that we had a firmer grasp of what our customers were facing, we knew where to look for guarding against an extension injecting into the session: PerimeterX Page Defender. As it turned out, all of our Page Defender customers were already covered, as any request matching one of the IoCs was already spotted and blocked.

To Conclude

We hope that sharing our journey from the first incident to the identification of the threat and finding the right tool for remediation will give you insight into the way we look at threats. At PerimeterX we research different web threats, from hacked servers, through compromised 3rd-party vendors, to client-side injections. Owing to that we were able to connect the dots and quickly identify the solution - Page Defender, which already blocks the malicious extensions from interfering with the session. Our products sharing a platform means we can leverage intel and capabilities for quick deployment of solutions.

But What Can You Do As An End-User?

As obvious as It may sound, It’s important to stay cautious and look for warning signs when downloading extensions. If at any time you notice changes in your browsing experience (unexpected ads, links being added, etc...) you should review the extensions installed on your browser, perhaps turning them off one at a time to identify the culprit, and consider uninstalling those which are no longer relevant.

Addendum: Adware URLs

Though not exhaustive, this list includes more than 350 URLs which matched the IoCs mentioned above. We wanted to include just the domains at first, but since not all of these domains are inherently malicious (as is the case of amazonaws[.]com), the domain + path can be used to detect the existence of this adware in the network.

minisrclink[.]cool/metric/

cosmeticsrc[.]com/metric/

mikkiload[.]com/metric/

miragework[.]com/metric/

dakotaram[.]com/metric/

dogsamily[.]net/metric/

cilkonlay[.]com/metric/

cosmeticsrc[.]com/optout/get

peterfire[.]net/metric/

qalitygigant[.]com/metric/

fileryjon[.]com/metric/

cosmeticsrc[.]com/optout/set/lat

cosmeticsrc[.]com/optout/set/lt

minisrclink[.]cool/optout/get

minisrclink[.]cool/optout/set/lat

minisrclink[.]cool/optout/set/lt

hardyload[.]com/metric/

mikkiload[.]com/optout/set/lat

mikkiload[.]com/optout/set/lt

mikkiload[.]com/optout/get

cozytech[.]biz/metric/

cosmeticsrc[.]com/2171de9c9971669bb5.js

autroliner[.]com/metric/

joyshoul[.]com/metric/

practiclick[.]xyz/metric/

petercontry[.]net/metric/

clicksapp[.]net/metric/

loungesrc[.]net/metric/

jaretsummer[.]com/metric/

biglinksrc[.]cool/metric/

tracksmall[.]com/metric/

makesure[.]biz/metric/

blinkjork[.]com/metric/

trableflick[.]com/metric/

tribedone[.]org/metric/

dimagesrc[.]com/metric/

simonzody[.]com/metric/

amptylogick[.]com/metric/

dogsamily[.]net/optout/get

miragework[.]com/optout/get

miragework[.]com/optout/set/lat

miragework[.]com/optout/set/lt

massehight[.]com/metric/

goldapps[.]org/metric/

mirakay[.]biz/metric/

dogsamily[.]net/optout/set/lat

dogsamily[.]net/optout/set/lt

peterfire[.]net/optout/set/lat

peterfire[.]net/optout/set/lt

joyshoul[.]com/optout/set/lat

joyshoul[.]com/optout/set/lt

peterfire[.]net/optout/get

losudu.guxuladebu[.]com/scripts/js

qalitygigant[.]com/optout/set/lat

qalitygigant[.]com/optout/set/lt

mikkiload[.]com/2299156fcd9f4015b0.js

proxdevcool[.]com/metric/

qalitygigant[.]com/optout/get

criticalltech[.]com/metric/

keanyjoy[.]com/metric/

joyshoul[.]com/optout/get

craftprimes[.]com/metric/

ciclonrox[.]com/metric/

cosmeticsrc[.]com/optout/set/strtm

cosmeticsrc[.]com/optout/set/userid

cilkonlay[.]com/optout/get

blancfox[.]com/metric/

cilkonlay[.]com/optout/set/lat

cilkonlay[.]com/optout/set/lt

untsorce[.]cool/metric/

acountscr[.]cool/metric/

milkpload[.]net/metric/

pagescr[.]cool/metric/

peterfire[.]net/22a3c76046f79dd0be.js

qalitygigant[.]com/227ee61cbd084e801b.js

mikkiload[.]com/22bc07df48b043c1f3.js

dimagesrc[.]com/21b4eb3b66b8d5e9bb.js

joyshoul[.]com/22bd1a92d57466cd6c.js

dakotaram[.]com/22f6f6120c25710dec.js

fileryjon[.]com/optout/get

fileryjon[.]com/optout/set/lat

fileryjon[.]com/optout/set/lt

clipsold[.]com/metric/

fileryjon[.]com/1ddcff471efda26278.js

minisrclink[.]cool/1e40c8bd4601a5a5a4.js

clicksapp[.]net/215bde2d6ed49fe715.js

clicksapp[.]net/215d9d5ddc1c1332ef.js

mabydick[.]com/metric/

autroliner[.]com/optout/get

autroliner[.]com/optout/set/lat

autroliner[.]com/optout/set/lt

data1.molaroute[.]com/scripts/js

kellyfight[.]com/metric/

statsrc[.]cool/metric/

makesure[.]biz/1dbe49b2db08327925.js

makesure[.]biz/optout/set/lat

makesure[.]biz/optout/set/lt

appslinker[.]net/metric/

hardyload[.]com/optout/set/lat

hardyload[.]com/optout/set/lt

leepraktic[.]net/metric/

makesure[.]biz/optout/get

proghage[.]com/metric/

cehute.ramitetuha[.]com/scripts/js

contendevff[.]com/metric/

craftprimes[.]com/optout/set/lat

craftprimes[.]com/optout/set/lt

data1.routepilipinas[.]com/scripts/js

biglinksrc[.]cool/optout/get

biglinksrc[.]cool/optout/set/lat

biglinksrc[.]cool/optout/set/lt

poruce.neyelanane[.]com/scripts/js

craftprimes[.]com/optout/get

jemova.wurucozujo[.]com/scripts/js

webnicolas[.]net/metric/

blancfox[.]com/1ff0d80f515755dcf2.js

craftprimes[.]com/20618468c2f7627774.js

giraslide[.]com/metric/

autroliner[.]com/225cd6e1ef3a4470f9.js

tracksmall[.]com/optout/set/lat

tracksmall[.]com/optout/set/lt

tribedone[.]org/optout/get

tribedone[.]org/optout/set/lat

biglinksrc[.]cool/1ee798437b5f5d4f98.js

dowlextff[.]com/metric/

fuhupo.lohuwomenu[.]com/scripts/js

mirakay[.]biz/optout/get

mirakay[.]biz/optout/set/lat

mirakay[.]biz/optout/set/lt

petercontry[.]net/optout/set/lat

petercontry[.]net/optout/set/lt

tracksmall[.]com/optout/get

joyshoul[.]com/optout/set/strtm

joyshoul[.]com/optout/set/userid

petercontry[.]net/optout/get

promclickapp[.]biz/1e6ab715a3a95d4603.js

ruzozi.locixugoro[.]com/scripts/js

tribedone[.]org/optout/set/lt

blinkjork[.]com/optout/set/lat

blinkjork[.]com/optout/set/lt

dowlextff[.]com/1d61f2beb014840140.js

hardyload[.]com/optout/set/strtm

hardyload[.]com/optout/set/userid

skillapp[.]net/metric/

blinkjork[.]com/optout/get

crisdomson[.]com/metric/

ideafrank[.]com/metric/

keanyjoy[.]com/optout/get

poligloteapp[.]org/metric/

trableflick[.]com/optout/get

amptylogick[.]com/22a1d8e534b29520d0.js

amptylogick[.]com/optout/get

amptylogick[.]com/optout/set/lat

amptylogick[.]com/optout/set/lt

crisgrey[.]com/188f9ebcdf6890da18.js

darkflags[.]net/metric/

keanyjoy[.]com/optout/set/lat

keanyjoy[.]com/optout/set/lt

mirakay[.]biz/optout/set/strtm

mirakay[.]biz/optout/set/userid

practiclick[.]xyz/optout/set/lat

practiclick[.]xyz/optout/set/lt

promfflinkdev[.]com/1dc30897dfecc6dc73.js

simonzody[.]com/20c3dc56895944c2b8.js

trableflick[.]com/optout/set/lat

tribedone[.]org/20ca34c96a123576ab.js

cilkonlay[.]com/21890722da51ec3508.js

comtakelink[.]xyz/metric/

criticalltech[.]com/optout/get

criticalltech[.]com/optout/set/lat

criticalltech[.]com/optout/set/lt

hardyload[.]com/optout/get

loungesrc[.]net/optout/set/lat

loungesrc[.]net/optout/set/lt

practiclick[.]xyz/optout/get

proxdevcool[.]com/optout/get

proxdevcool[.]com/optout/set/lat

simonzody[.]com/optout/get

simonzody[.]com/optout/set/lat

simonzody[.]com/optout/set/lt

singtraff[.]cool/metric/

goldapps[.]org/optout/get

goldapps[.]org/optout/set/lat

goldapps[.]org/optout/set/lt

jaretsummer[.]com/optout/get

jaretsummer[.]com/optout/set/lat

jaretsummer[.]com/optout/set/lt

practiclick[.]xyz/151d61b828942a88fe.js

proxdevcool[.]com/optout/set/lt

trableflick[.]com/optout/set/lt

tribedone[.]org/20cebcfbc0d833c4d4.js

untsorce[.]cool/optout/set/lat

untsorce[.]cool/optout/set/lt

zerafe.dodecawube[.]com/scripts/js

appslinker[.]net/2135df0d2c8958bb24.js

contendevff[.]com/optout/get

crisdomson[.]com/optout/set/lat

crisdomson[.]com/optout/set/lt

dogsamily[.]net/optout/set/strtm

dogsamily[.]net/optout/set/userid

files-js-ext.s3.us-east-2.amazonaws[.]com/22fae55717eaadaf7d.js

ideafrank[.]com/optout/get

petercontry[.]net/optout/set/strtm

petercontry[.]net/optout/set/userid

protesidenext[.]com/metric/

tracksmall[.]com/2279d81d48c75df8ff.js

untsorce[.]cool/optout/get

amptylogick[.]com/optout/set/strtm

amptylogick[.]com/optout/set/userid

biglinksrc[.]cool/1ece0ed8f49de8d8d2.js

buvihi.xixuzutage[.]com/scripts/js

ciclonrox[.]com/optout/set/lat

ciclonrox[.]com/optout/set/lt

contendevff[.]com/167dc90a2dac606b7f.js

contendevff[.]com/optout/set/lat

contendevff[.]com/optout/set/lt

data1.blicougi[.]com/scripts/js

fevoki.wejekihota[.]com/scripts/js

icelandsue[.]com/metric/

loungesrc[.]net/2263eddcb82daefb75.js

loungesrc[.]net/optout/get

peterfire[.]net/optout/set/strtm

peterfire[.]net/optout/set/userid

platewolf[.]com/metric/

plusdroop[.]net/metric/

proghage[.]com/200321535194dcd04f.js

proghage[.]com/optout/get

proghage[.]com/optout/set/lat

proghage[.]com/optout/set/lt

promfflinkdev[.]com/1dbde180289f843d45.js

untsorce[.]cool/1f90ebeaf3ebeede5d.js

acountscr[.]cool/1e3de9b8ae5c976faf.js

blinkloide[.]com/metric/

ciclonrox[.]com/optout/get

clicksapp[.]net/21604a2096b709a1b4.js

data1.bmi-result[.]com/scripts/js

data1.padirmua[.]com/scripts/js

giraslide[.]com/optout/get

goldapps[.]org/1bb8d5dee1eb4904d8.js

goldapps[.]org/2249d46c4ea44f4b35.js

jigepu.macudivida[.]com/scripts/js

jozeha.levitokitu[.]com/scripts/js

linkangood[.]com/21ef897172770ca75d.js

milkpload[.]net/optout/get

milkpload[.]net/optout/set/lat

milkpload[.]net/optout/set/lt

pagescr[.]cool/16dc1947c10ee7d085.js

pagescr[.]cool/optout/get

pagescr[.]cool/optout/set/lat

pagescr[.]cool/optout/set/lt

practiclick[.]xyz/18b181560802361ac2.js

proudflex[.]org/213db237bbd6bf854a.js

transmapp[.]com/22876adb33772fed1c.js

tribedone[.]org/optout/set/strtm

tribedone[.]org/optout/set/userid

untsorce[.]cool/optout/set/strtm

untsorce[.]cool/optout/set/userid

webnicolas[.]net/optout/get

webnicolas[.]net/optout/set/lat

webnicolas[.]net/optout/set/lt

wusote.hirizasune[.]com/scripts/js

acountscr[.]cool/optout/get

acountscr[.]cool/optout/set/lat

acountscr[.]cool/optout/set/lt

billyjons[.]net/21db1c5c8b372aecca.js

blinkjork[.]com/2169d6bf46fe8cf4e4.js

brigstoneapp[.]com/metric/

clicksapp[.]net/216bf7a0541cc1f953.js

cloudjs.netlify[.]com/1b0166cba6a2cf5418.js

comtakelink[.]xyz/1efc51d492f1470cde.js

comtakelink[.]xyz/optout/get

comtakelink[.]xyz/optout/set/lat

comtakelink[.]xyz/optout/set/lt

crisdomson[.]com/optout/get

darkflags[.]net/optout/get

data1.amorff[.]com/scripts/js

data1.arirs[.]com/scripts/js

data1.emizol[.]com/scripts/js

data1.ilipol[.]com/scripts/js

data1.pletar[.]com/scripts/js

giraslide[.]com/optout/set/lat

giraslide[.]com/optout/set/lt

ideafrank[.]com/optout/set/lat

ideafrank[.]com/optout/set/lt

kafiro.kuwinesume[.]com/scripts/js

kellyfight[.]com/optout/get

kellyfight[.]com/optout/set/lat

kellyfight[.]com/optout/set/lt

leepraktic[.]net/optout/get

leepraktic[.]net/optout/set/lat

leepraktic[.]net/optout/set/lt

mabydick[.]com/optout/get

mabydick[.]com/optout/set/lat

mabydick[.]com/optout/set/lt

massehight[.]com/optout/get

massehight[.]com/optout/set/lat

massehight[.]com/optout/set/lt

miragework[.]com/2255f170533dc275d7.js

mocadi.wisoyekivo[.]com/scripts/js

pingclock[.]net/21db1c5c8b372aecca.js

sijeno.fufesikera[.]com/scripts/js

skillapp[.]net/optout/get

skillapp[.]net/optout/set/lat

skillapp[.]net/optout/set/lt

smackbolt[.]com/2092da88402465d887.js

statsrc[.]cool/1f15217cf56f39194a.js

statsrc[.]cool/optout/get

statsrc[.]cool/optout/set/lat

statsrc[.]cool/optout/set/lt

trableflick[.]com/2271398b0972c49255.js

blancfox[.]com/1f2cf4f473fe9a5b05.js

blancfox[.]com/optout/get

blancfox[.]com/optout/set/lat

blancfox[.]com/optout/set/lt

brigstoneapp[.]com/22c4d87c9433e6bd0d.js

brigstoneapp[.]com/optout/set/lat

brigstoneapp[.]com/optout/set/lt

ciclonrox[.]com/21d4a10d5bc3d00d52.js

clipsold[.]com/21b344a7264ba4c14a.js

clipsold[.]com/optout/set/lat

clipsold[.]com/optout/set/lt

clipsold[.]com/optout/set/strtm

clipsold[.]com/optout/set/userid

cloudjs.netlify[.]com/1aff3cd773129c7ef9.js

crisdomson[.]com/optout/set/strtm

crisdomson[.]com/optout/set/userid

darkflags[.]net/optout/set/lat

darkflags[.]net/optout/set/lt

data1.ahjilop[.]com/scripts/js

data1.argmeteo[.]com/scripts/js

data1.grasow[.]com/scripts/js

data1.motibaba[.]com/scripts/js

data1.plantul[.]com/scripts/js

dekixu.sepopesuja[.]com/scripts/js

dimagesrc[.]com/optout/get

dimagesrc[.]com/optout/set/lat

dimagesrc[.]com/optout/set/lt

fileryjon[.]com/1a855c56ef7ae15d9d.js

hardyload[.]com/22783aa0106c0e89f2.js

hejana.lejesigufi[.]com/scripts/js

jebaye.gumagerudo[.]com/scripts/js

jejoro.miyinokejo[.]com/scripts/js

joyglasses[.]net/metric/

kellyfight[.]com/optout/set/strtm

kellyfight[.]com/optout/set/userid

luzino.kumureyole[.]com/scripts/js

makesure[.]biz/1c9285ea04bd586ce3.js

meyune.jaceloregi[.]com/scripts/js

minisrclink[.]cool/optout/set/strtm

minisrclink[.]cool/optout/set/userid

najiwu.xeyutezepo[.]com/scripts/js

plankjock[.]com/20c1f9347f59cf976e.js

platewolf[.]com/optout/get

plusdroop[.]net/optout/get

protesidenext[.]com/d7903748defdb4e905.js

protesidenext[.]com/optout/get

protesidenext[.]com/optout/set/lat

protesidenext[.]com/optout/set/lt

singtraff[.]cool/1e807542320a86c32c.js

singtraff[.]cool/optout/get

singtraff[.]cool/optout/set/lat

singtraff[.]cool/optout/set/lt

singtraff[.]cool/optout/set/strtm

singtraff[.]cool/optout/set/userid

skillapp[.]net/21449c4855c9415c00.js

vedeyo.razegawomi[.]com/scripts/js

wocaga.fecukuhote[.]com/scripts/js

yatulo.yibivacaji[.]com/scripts/js

yotejo.cevocoxuhu[.]com/scripts/js