Disapproved Google ads malicious software freevps.io, fabia-her.com, adalgard-wol.com, barah-flo.com

Hi everyone, I’m having difficulties finding malware on a Shopify site.

Domains reported by Google Ads: freevps.io, fabia-her.com, polyhymnia-mar.com, barah-flo.com and adalgard-wol.com. The last three domains reported are sharing the same IPs:

34.195.129.193, 52.73.147.241.

A complex redirect is being reported, so I’m thinking maybe an app is compromised.

Similar pattern here: https://zhouhanc.github.io/malware-discoverer/daily_report/64_32_8_68_TIME_2021-10-19_Android.html

Here’s an example:

hxxp://barah-flo.com/zcvisitor, hxxp://freevps.io/, hxxps://mttrk.clonepod.co/aff_c?offer_id=201

The site I’m working on is using Shogun builder, along with several apps:

WickedReports, POWR Social Media Icons, Shipping Tracker by DevCloud, Privy - Pop Ups Email & SMS, One Click Upsell - Zipify OCU, Rewind Copy (formerly Replay), Back in Stock, DropStream, Segment.com Connection, DataFeedWatch, Hyros, Google, Script Editor, Metafields Guru, Shogun Page Builder, DeployBot, LoyaltyLion rewards & referral, Matrixify, Recart FB Messenger Marketing, Everflow, Fraud Filter, Flexify: Facebook Product Feed, Facebook, CartHook Checkout, HubSpot, Fomo - Social Proof Marketing, Recurring Billing by Recharge, Kaleido PageLoad Magic, Okendo: Product Reviews & UGC.

I’m posting this so that other users, with the same type of issue, may share their experiences.

Let me know if you’ve dealt with a similar situation recently.

Hey @magefix

Renars here from Matrixify.
Thank you for mentioning us and sorry to hear about your trouble.

Matrixify app can create a lot of things in your store, including URL Redirects and many other actual data such as Products, Orders, Customers, etc.
That being said - we would not import/create any data that you do not have specified in the file, so if you are the only one using the app and are sure of what you are importing, then the issue might be coming elsewhere.
App also does not connect to or change anything in the Shopify themes code.

I think the best approach would be reaching out to Shopify support and asking if their technical team can look more into the issue to locate this problem. Chances are that they might have seen something similar in the past.

You can also always look into using our app to export Redirects from the store, to see maybe you have some redirects that should not be there so you can bulk delete them.
Also, it could be useful to export Products and Collections with basic data and check their description HTML code in the “Body HTML” column to see if there is no suspicious HTML or JavaScript code.

We hope that you will find a solution to this issue one way or another!
If you need any assistance with the Matrixify app to check, update, create or delete something in bulk - please let us know by reaching out to our support.

Thank you @Renars for your detailed reply.

So far, we have found a domain that was reported by Netcraft as malicious: cb28utrk.com. They said that “Pages on this URL are marked as malicious because they were loading a JavaScript skimmer on the domain cb28utrk.com , however after refetching these pages it appears that the credential skimming content has been removed.”

The script was loaded from Everflow app. After we deleted the app, malicious code is gone.

We drove this conclusion from the link pattern.
hxxps://www.cb28utrk.com/scripts/shopify/click.js?nid=733&intid=1&shop=shop.myshopify.com. It seems that cb28utrk.com domain expired a while ago and it was registered again on 2021-09-24

Here’s a legitimate Everflow link: hxxp://www.wb22trk.com/scripts/shopify/click.js?nid=896&intid=11&shop=testoprime-au.myshopify.com

And their code explained - which can be found with wb22trk.com: https://developers.everflow.io/docs/everflow-sdk/click_tracking/#extracting-data-from-the-url