• I’m only posting in case someone is experiencing or has experienced unexpected Ads appearing in the footer when installed:

    === Grow for WordPress ===
    Contributors: teamgrow
    Tags: social, sharing, grow, subscribe
    Requires at least: 5.2
    Tested up to: 6.8
    Requires PHP: 7.4
    Stable tag: 1.5.3

    A client of mine had this plugin installed in three sites, and all three had Ads displaying in the footer (with a malicious redirect in some ads).

Viewing 6 replies - 1 through 6 (of 6 total)
  • I should point out that I’m not a Grow developer, but I came across this and wanted to comment.

    Am I missing something here – ads aren’t served from Grow, they’re going to be served from the ad network script (if this customer is a Mediavine or Mediavine Journey customer then they’ll have a Mediavine control panel plugin installed).

    Have you verified that the ads are being output by Grow?

    Furthermore, while undesirable, despite their best intentions, malicious ads can slip through ad networks’ checks. We get a handful of reports every year from people who think they’ve been hacked because of a weird redirect or popup, when in fact it’s always caused by a rogue ad. Such behaviour should be reported to the ad network immediately so they can identify and remove the offending ad!

    Thread Starter hackrepair

    (@hackrepair)

    Yes, that was the main purpose of my post. I’m not pointing fingers. I’m only reporting to the community that on three separate websites (one on a separate unaffiliated web host), a malicious redirect was occurring on each of the three sites (rather randomly).

    [Mediavine control panel plugin is not installed on any]

    • This reply was modified 1 month, 2 weeks ago by hackrepair.

    Which ad network, if any, does this user use? I’m not super familiar with Grow, I don’t know if it takes the place of the Mediavine control panel and outputs the script wrapper into the site itself.

    You’re being a bit sparse with details – if the sites are *supposed* to have ads showing on them, then a malicious ad needs to be reported to the ad network. It’s not something directly related to this plugin and so reporting it here isn’t the appropriate location for that.

    If the sites are *not* supposed to have ads, then this is the appropriate place to report such an issue, assuming you have correctly ascertained that it is indeed this plugin which is responsible for outputting those (and assuming the display of ads isn’t detailed in their terms of use somewhere – in which case the issue still needs to be reported directly to Mediavine)

    • This reply was modified 1 month, 2 weeks ago by wpopt.
    Thread Starter hackrepair

    (@hackrepair)

    1. Ads displayed with periodic redirects when the plugin is active.
    2. Stops when the plugin is deactivated.
    3. It’s much harder to determine which ads are doing the redirect, as they’re always rotating, etc. By the time the redirect occurs, that “ad” had “fled the scene.”
    4. True, I could dedicate hours to monitoring and try to ID the specific ads… But that was not the purpose of this post…
    • This reply was modified 1 month, 2 weeks ago by hackrepair.

    You didn’t mention whether or not these sites are supposed to have ads or not – if they are then I assume Grow is responsible for outputting the script wrapper which serves ads on the site, so the presence of ads in itself isn’t indicative of a problem.

    As mentioned, if the sites are not supposed to have ads then this would need to be addressed by the plugin developer.

    I’m sorry – I’m not trying to be difficult to you – I’m just a strong believer in clear, well-defined scopes and issue descriptions 🙂

    Thread Starter hackrepair

    (@hackrepair)

    Follow‑up on the use of Grow for WordPress in a malicious redirect campaign created by Jim Walker (@hackrepair). This follow‑up explains how ads can generate malicious redirects. Grow for WordPress isn’t responsible; it’s simply the carrier, as shown below.

    Here is the forensic breakdown of the attack:

    🚩 The Malicious Flow

    1. Entry Point: https://###life.com/
    2. Ad-Initiator: https://tpc.googlesyndication.com/ (Google Display Network)
    3. Gateway: https://redirhub.top/visit.php (The malicious hop)
    4. Landing Page: https://malblocker.xyz/ (Fake “Norton Online Monitor” scareware)

    📊 Forensic Details

    • Campaign ID: 01JPJV3TBNAPABQYJD2M3WKZXV
    • Branding: The landing page uses fake “virus scan” animations to trick users into purchasing software or downloading secondary malware.
    • Referer: The HTTP Referer specifically tied the redirect back to the Google Syndication frame on your site.

    🚨 Repeatable Proof (The “Smoking Gun”)

    I have successfully identified a method to consistently reproduce the redirect, proving it is a session-capped malvertising attack.

    🧪 How to Reproduce

    To see the redirect yourself or to demonstrate it to Mediavine:

    1. Use a Mobile User-Agent: Simulating a mobile device (e.g., iPhone) is a key trigger.
    2. Clear Site Data: In Chrome DevTools, go to Application -> Storage -> Clear site data. The malicious script checks for existing cookies; it only fires on “fresh” sessions to avoid detection.
    3. Navigate to ###life.com: Load the page in the clean session.
    4. Interaction Trigger: Click anywhere on the page or attempt to close an ad unit.

    🚩 Definitive Forensic Evidence

    The redirect chain was traced to the following initiator:

    • Initiator Script: https://tpc.googlesyndication.com/ (Google SafeFrame)
    • Gateway Hop: https://redirhub.top/visit.php
    • Destination: https://malblocker.xyz/ (Scareware)
    • This reply was modified 1 month ago by hackrepair.
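
Added example, not part of the thread and not code from any participant: one way to rebuild the redirect chain described in the last reply from a DevTools network capture, so the initiator and gateway hop can be handed to the ad network. The function names are hypothetical, the entries are constructed in HAR request shape, and `site.example` is a placeholder for the redacted entry-point domain.

```javascript
// Constructed HAR-style entries in request order. site.example stands in for
// the redacted entry point; cdn.example is unrelated noise.
const harEntries = [
  entry("https://site.example/", null),
  entry("https://cdn.example/app.js", "https://site.example/"),
  entry("https://tpc.googlesyndication.com/", "https://site.example/"),
  entry("https://redirhub.top/visit.php", "https://tpc.googlesyndication.com/"),
  entry("https://malblocker.xyz/", "https://redirhub.top/"),
];

function entry(url, referer) {
  const headers = referer ? [{ name: "Referer", value: referer }] : [];
  return { request: { url, headers } };
}

// Cross-origin Referers are usually trimmed to the origin, so compare origins.
function refererOrigin(e) {
  const h = e.request.headers.find((x) => x.name.toLowerCase() === "referer");
  return h ? new URL(h.value).origin : null;
}

// Walk back from the landing page until a request has no Referer.
function traceChain(entries, landingUrl) {
  const chain = [];
  let i = entries.findIndex((e) => e.request.url === landingUrl);
  while (i >= 0) {
    chain.unshift(entries[i].request.url);
    const want = refererOrigin(entries[i]);
    if (!want) break;
    // Most recent earlier request served from the Referer's origin.
    let j = i - 1;
    while (j >= 0 && new URL(entries[j].request.url).origin !== want) j--;
    i = j;
  }
  return chain;
}

// First hop outside the expected hosts, with the hop that referred to it.
function firstUnexpectedHop(chain, expectedHosts) {
  const k = chain.findIndex((u) => !expectedHosts.has(new URL(u).hostname));
  return k < 0 ? null : { initiator: chain[k - 1] ?? null, gateway: chain[k] };
}

const expected = new Set(["site.example", "tpc.googlesyndication.com"]);
const chain = traceChain(harEntries, "https://malblocker.xyz/");
console.log(chain.join("\n  -> "));
console.log(firstUnexpectedHop(chain, expected));
```

With a real capture, pass the `log.entries` array of the exported HAR file in place of the constructed list. Because the walk matches on origin, it identifies which origin referred each hop, not the exact document.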