scrinject.b

[Andrzej 0]

Hi, my ESET discovers scrinject.b trojan in the file hxxp://descartes.if.uj.edu.pl/descartes-pl-r.html,  could you
possibly check why ?

Thanks

[Marcos 5,074]

The detection is correct. You use StatCounter for analytical purposes, however, their website was hacked and instead of a legitimate analytical script counter.js it now servers JS/CoinMiner.BS.

You should temporarily remove the code related to StatCounter until they fix the breach and replace the script with a clean one.

[Marcos 5,074]

For more information, please read

https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/

[Steven-UK 1]

I have just spoken to Statcounter, and they are blatantly denying all knowledge of this hack. Every website I own, which is a lot, that has the Statcounter code on is showing the error on the attached image:

 

[Rory Statcounter 0]

Hi I am Rory with the Statcounter team.  We are investigating this issue right now. 

I have installed the eset security program and visited sites with Statcounter where people say we are injecting bad scripts.  I see no warnings or errors from the Eset program.  I have also used Google Safebrowsing tool to scan these sites and it reports no problems.  I have tried other sites which scan for malware and they also report no problems.

I have a special test page which only loads Statcounter.  On this page Eset also gives no error or warning and when I check the network traffic there is nothing being loaded except Statcounter.

If Statcounter was hacked and inserting bad scripts I should see it on my end also since I have Eset installed.  But this is not the case.  So this clue tells us perhaps something else is going on.

Kind regards,
Rory
Statcounter Team

[Steven-UK 1]

Another reply from Statcounter on this situation:

 

Hi and thanks for your patience. I have installed Eset and visited your site and others where people say this problem happens. Eset gives me no warning or popup of any kind. Here is a screen shot showing me at your site with Eset open and all security features enabled:

(removed but it was an image of my website, and did not show any virus, etc)

I have also tested your site using the Google Safe Browsing tool and it reports no problems with your site or Statcounter. I have also tested your site in 2 other tools which do security checks and they report nothing. If you wish to double check my results here are the tools I used:

https://app.webinspector.com/

https://sitecheck.sucuri.net/results/https/www.(removed)

https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2F(removed)%2F

We will continue to investigate this and try to figure out why Eset was showing this warning. All things considered if there was a problem I should see the same Eset warning and the marlware checking sites should have reported something. However this is not the case.

Thanks for your patience!

 

[Steven-UK 1]

Marcos, what do you make of this?

Thanks.

Edited November 6, 2018 by Steven-UK

[Marcos 5,074]

I've provided Rory with more details that should help them locate the malicious code.

[Steven-UK 1]

OK great. I have always found Statcounter to be very good over the years, so hopefully they can solve this, and that it helps them for the future also.

[Steven-UK 1]

PS: I think they may have solved this now, and the pop up is not showing anymore.?

 

I spoke too soon, seems it is fixed on websites with Statcounter wordpress plugins, but not for websites that are using direct Statcounter html code!

 

Update: It now seems this has been fixed. A little strange though that a business the size of Statcounter, with millions of users,  were not aware of the situation, but hopefully that has now completely eradicated the problem.

 

Thank you to Eset, who I have used for years, and always been pleased with their product and service, and thank you to Statcounter for being open to investigation when situations like this arise. .

 

 

 

 

Edited November 6, 2018 by Steven-UK