
Ask HN: Why is this shady actor building a JavaScript botnet? - 55555
I run ChooseJarvis.com with my partner and our team. It's a social media automation tool. That's not relevant at all, it's just my job to tell you that.

Our referrer logs show tons of hits from:

http://cookie-law-enforcement-ii.xyz/

This is classic referrer spam.

The above site links to

http://cookie-consent.org/?lang=en

Which is a mini marketing project of

http://front.to/

Which according to ahrefs and google, nobody has ever heard of.

Looks to me like they're building a massive Javascript botnet.

Why?

There's a lot of things you can do, right? Keylog all website visitors (?), replace all adsense units with your own ads, use all the clients/visitors as a DDOS botnet, click fraud (?), serve downloads, serve exploits, etc...

The developers/websites have a sort of effortless polish that makes me more curious than I would otherwise be.

If this is indeed shady, and it looks like it, this is scary. I imagine a LOT of webmasters might fall for this.
======
benmcnelly
So front.to doesn't seem to be changing the JS you upload (yet) but the js file
at cookie-consent.org is interesting (
//cdn.front.to/libs/cookieconsent.min.js ) got google analytics in there, and
of course could be changed to run whatever at any time... Maybe someone could
use that to identify more about this shady actor?

un-minified js:
[https://gist.github.com/benmcnelly/8e56aa308bef72c7aa007b7c1...](https://gist.github.com/benmcnelly/8e56aa308bef72c7aa007b7c1c6d24a9)

~~~
meroje
Here's the original
[https://github.com/silktide/cookieconsent2/blob/1.0.9/cookie...](https://github.com/silktide/cookieconsent2/blob/1.0.9/cookieconsent.js)
It seems they are actually injecting that google analytics part.
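
An added example, not code from the thread or from any project it mentions: one way to check the point raised in the two comments above, that a CDN-hosted copy of a library can differ from upstream and can change later. It pins a Subresource Integrity hash of a reviewed copy and lists the lines and hostnames found only in the served copy; the function names, both script bodies and `analytics.example` are constructed, and it assumes un-minified copies compared line by line.

```javascript
const { createHash } = require('crypto');

// Subresource Integrity value for a script body: "<alg>-<base64 digest>".
function sriFor(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// Lines present in the served copy but absent from the reviewed upstream copy.
// Set-based comparison: good enough to surface appended or injected code.
function addedLines(upstream, served) {
  const known = new Set(upstream.split('\n').map((l) => l.trim()));
  return served.split('\n').map((l) => l.trim()).filter((l) => l && !known.has(l));
}

// Compare a served copy against the pinned upstream copy.
function auditScript(upstream, served) {
  const pinned = sriFor(upstream);
  const actual = sriFor(served);
  const extra = addedLines(upstream, served);
  // Hostnames referenced only in the added lines, i.e. where the extra code connects.
  const hosts = [...new Set(extra.flatMap((l) =>
    [...l.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi)]
      .map((m) => m[1].toLowerCase())))];
  return { pinned, actual, modified: pinned !== actual, extra, hosts };
}

// Constructed stand-in for the reviewed upstream library.
const UPSTREAM = [
  '(function () {',
  '  var banner = document.createElement("div");',
  '  banner.className = "cc_banner";',
  '  document.body.appendChild(banner);',
  '})();',
].join('\n');

// Constructed stand-in for the CDN copy: upstream plus an appended tracker loader.
const SERVED = UPSTREAM + '\n' + [
  '(function () {',
  '  var s = document.createElement("script");',
  '  s.src = "//analytics.example/collect.js";',
  '  document.head.appendChild(s);',
  '})();',
].join('\n');

const report = auditScript(UPSTREAM, SERVED);
console.log(report.modified ? 'MODIFIED' : 'unchanged', report.hosts, report.extra);
console.log(`integrity="${report.pinned}" crossorigin="anonymous"`);
```

Putting the printed `integrity` value on the `<script>` tag makes the browser refuse the file if the CDN copy ever stops matching the reviewed one; self-hosting the reviewed copy removes the dependency entirely.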

