Hi everyone, I'm having difficulties finding malware on a Shopify site.
Domains reported by Google Ads: freevps.io, fabia-her.com, polyhymnia-mar.com, barah-flo.com and adalgard-wol.com. The last three domains reported share the same IPs:
A complex redirect is being reported, so I'm thinking maybe an app is compromised.
Here's an example:
hxxp://barah-flo.com/zcvisitor, hxxp://freevps.io/, hxxps://mttrk.clonepod.co/aff_c?offer_id=201
The site I'm working on is using Shogun builder, along with several apps:
WickedReports, POWR Social Media Icons, Shipping Tracker by DevCloud, Privy - Pop Ups Email & SMS, One Click Upsell - Zipify OCU, Rewind Copy (formerly Replay), Back in Stock, DropStream, Segment.com Connection, DataFeedWatch, Hyros, Google, Script Editor, Metafields Guru, Shogun Page Builder, DeployBot, LoyaltyLion rewards & referral, Matrixify, Recart FB Messenger Marketing, Everflow, Fraud Filter, Flexify: Facebook Product Feed, Facebook, CartHook Checkout, HubSpot, Fomo - Social Proof Marketing, Recurring Billing by Recharge, Kaleido PageLoad Magic, Okendo: Product Reviews & UGC.
I'm posting this so that other users, with the same type of issue, may share their experiences.
Let me know if you've dealt with a similar situation recently.
Renars here from Matrixify.
Thank you for mentioning us and sorry to hear about your trouble.
The Matrixify app can create a lot of things in your store, including URL Redirects and many other actual data such as Products, Orders, Customers, etc.
That being said - we would not import/create any data that you have not specified in the file, so if you are the only one using the app and are sure of what you are importing, then the issue might be coming from elsewhere.
The app also does not connect to or change anything in the Shopify theme code.
I think the best approach would be reaching out to Shopify support and asking if their technical team can look more into the issue to locate this problem. Chances are that they might have seen something similar in the past.
You can also always look into using our app to export Redirects from the store, to see if maybe you have some redirects that should not be there, so you can bulk delete them.
We hope that you will find a solution to this issue one way or another!
If you need any assistance with the Matrixify app to check, update, create or delete something in bulk - please let us know by reaching out to our support.
Thank you @Renars for your detailed reply.
The script was loaded from the Everflow app. After we deleted the app, the malicious code was gone.
We drew this conclusion from the link pattern.
hxxps://www.cb28utrk.com/scripts/shopify/click.js?nid=733&intid=1&shop=shop.myshopify.com. It seems that cb28utrk.com domain expired a while ago and it was registered again on 2021-09-24
Here's a legitimate Everflow link: hxxp://www.wb22trk.com/scripts/shopify/click.js?nid=896&intid=11&shop=testoprime-au.myshopify.com
And their code explained (which can be found with wb22trk.com): https://developers.everflow.io/docs/everflow-sdk/click_tracking/#extracting-data-from-the-url
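An audit script added to this thread (not Everflow's or Shopify's code) that applies the check described above: it pulls every script src out of storefront markup, keeps only the Everflow-style click.js loaders, and flags any whose host is not the verified tracking host or whose domain was registered recently. The KNOWN_TRACKING_HOSTS allowlist, the sample markup and the registration-date table are constructed assumptions; the cb28utrk.com registration date is the one reported in the thread.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Assumption: loader hosts the store owner has verified as the app's own.
KNOWN_TRACKING_HOSTS = {"www.wb22trk.com"}
LOADER_PATH = "/scripts/shopify/click.js"
AUDIT_DATE = date(2021, 10, 15)  # constructed "today" for the example

class ScriptSrcParser(HTMLParser):
    # Collect the src attribute of every <script> tag on a page.
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.srcs.append(src)

def extract_script_srcs(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.srcs

def audit_loader(src, registered_on, today, max_age_days=90):
    """Findings for one script src; an empty list means nothing odd."""
    u = urlparse(src)
    if u.path != LOADER_PATH:  # only Everflow-style click.js loaders
        return []
    findings = []
    if u.hostname not in KNOWN_TRACKING_HOSTS:
        findings.append("loader host not in allowlist: " + u.hostname)
    reg = registered_on.get(u.hostname)
    if reg and (today - reg).days < max_age_days:
        findings.append("domain registered %d days ago" % (today - reg).days)
    if not {"nid", "intid", "shop"} <= set(parse_qs(u.query)):
        findings.append("missing expected nid/intid/shop parameters")
    return findings

def audit_page(html, registered_on, today):
    # Map each suspicious script src on the page to its findings.
    results = {s: audit_loader(s, registered_on, today) for s in extract_script_srcs(html)}
    return {s: f for s, f in results.items() if f}

# Constructed sample markup and registration data (a real audit would take
# the dates from WHOIS/RDAP); the cb28utrk.com date is the one in the thread.
SAMPLE_HTML = """
<script src="https://www.wb22trk.com/scripts/shopify/click.js?nid=896&intid=11&shop=example.myshopify.com"></script>
<script src="https://www.cb28utrk.com/scripts/shopify/click.js?nid=733&intid=1&shop=example.myshopify.com"></script>
"""
REGISTERED_ON = {"www.cb28utrk.com": date(2021, 9, 24)}
```

Running `audit_page(SAMPLE_HTML, REGISTERED_ON, AUDIT_DATE)` reports only the cb28utrk.com loader; the legitimate wb22trk.com loader and any non-loader scripts produce no findings.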