A malvertising campaign uses decoy websites pushing cryptocurrencies and then redirects users to the RIG exploit kit, Malwarebytes Labs said.
The decoy page contains a third-party JavaScript that appears to be conditionally loaded, based on the visitor's user agent and geolocation, according to a Feb. 28 blog post.
One spoof site carries the url
http://investingtodayfix[dot]top with such enticing copy as “Earns Profit,” “the best invest site” and “we show you how.”
“That JavaScript contains many different ways to fingerprint users and determine whether they are legitimate or not by validating some checks,” says Jerome Segura, Malwarebytes Labs' lead malware intelligence analyst, who called the campaign “Coins LTD.”
