Author Topic: blacklisted website being pinged...  (Read 1625 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
blacklisted website being pinged...
« on: March 26, 2022, 12:16:54 PM »
L.S.

Nir Sofer's tool "smsniff" revealed that I made online contact with -survey-smiles dot com
(but blocked by my adblocker of choice).

See https://quttera.com/detailed_report/survey-smiles.com
which is a blacklisted site, on which we find cloaking:

Quote
Checking for cloaking
There is a difference of 60 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that's trying to hide from browsers but make Google think there's something else on the page.
- different adblock key -
Re: https://publicwww.com/websites/parking.bodiscdn.com/

Malicious activity found, hence: https://any.run/report/411c401e6c360af9094a20217b9d6ac1688f59ffda123decfc9c0d46230f31c7/9568444b-1cd5-4af1-b45b-1a0700d86630

NSA snooping abuse: 100% of the trackers on this site could be protecting you from NSA snooping. Tell the blacklisted site to fix this. Adblock blocks.
Tracking (50%) is blocked on website.

Quick Source Review revealing:
Quote
HTML
-survey-smiles.com/
5,776 bytes, 54 nodes

Javascript 5   (external 3, inline 2)
INLINE: /* * This entire block is wrapped in an IIFE to prevent polluting the scope of
621,515 bytes

INLINE: -window.park = "eyJ1dWlkIjoiNWYxMjZmYTYtMWYxMC00Y2JiLWVmYjUtOTgwNGZkMjVkMGRmIiwic
937 bytes

-survey-smiles.com/js/parking.2.84.4.js
-www.google.com/adsense/domains/caf.js
-survey-smiles.com/
INJECTED

CSS 6   (external 0, inline 6)
INLINE: #cdac_container { font-family: Arial, sans-serif !important; font-size: 12px !i
1,536 bytes INJECTED

INLINE: .vt-augment { position: relative; display: flex; justify-content:
1,277 bytes INJECTED

INLINE: :root #ads > .dose > .dosesingle, :root .ad-block {display:none !important;}
76 bytes INJECTED

INLINE: .lds-ellipsis { display: inline-block; position: relative; width: 80
1,769 bytes INJECTED

INLINE: @media only screen and (max-width: 600px) { .hidden-xs { opacity: 0
480 bytes INJECTED

INLINE: [object HTMLStyleElement]
25 bytes INJECTED

Is this hidden tracking worth a PUP detection?
Or is it quite above-board parked-domain tracking activity combined with Google's AdSense support?

polonus (volunteer 3rd party cold recon website-security analyst and website error-hunter)
« Last Edit: March 26, 2022, 12:18:36 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: blacklisted website being pinged...
« Reply #1 on: March 26, 2022, 12:22:26 PM »
The actual problem here is that your defense against such ad-tracking often takes place after your data has already left your browser. Blockers block mostly after the fact and data-slurpers already have your data harbored.

Another example not detected by Quttera's: https://quttera.com/detailed_report/putlockertv.se
Mentioned in the campaign survey here: https://publicwww.com/websites/parking.bodiscdn.com/
(over 1 million websites via parking dot bodiscdn dot com involved).

Checked for cloaking and found to do so: https://isithacked.com/check/http%3A%2F%2Fputlockertv.se%2F

pol
« Last Edit: March 26, 2022, 02:22:49 PM by polonus »
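
An added example, not part of the original posts and not the code of any scanner mentioned in them: a sketch of the browser-versus-crawler comparison behind the cloaking checks cited in both posts. It masks per-request values before diffing, so that a difference such as the "different adblock key" noted in the first post is reported separately from a real content difference. The `data-adblockkey` attribute name, the masking patterns and the sample pages are assumptions constructed for illustration.

```python
import difflib
import re

# Per-request values that can differ between two fetches of the same page.
# window.park appears on the page; the data-adblockkey attribute name is assumed.
VOLATILE = [
    re.compile(r'(window\.park\s*=\s*")[A-Za-z0-9+/=]+(")'),
    re.compile(r'(data-adblockkey=")[^"]+(")'),
]

def normalize(html):
    """Mask volatile tokens so they do not count as a content difference."""
    for pattern in VOLATILE:
        html = pattern.sub(r"\1<masked>\2", html)
    return html

def cloaking_report(browser_html, bot_html):
    """Compare the body served to a browser UA with the one served to a crawler UA."""
    raw_delta = abs(len(browser_html.encode()) - len(bot_html.encode()))
    a = normalize(browser_html).splitlines()
    b = normalize(bot_html).splitlines()
    # n=0 drops context lines; [2:] skips the ---/+++ file header lines.
    diff = list(difflib.unified_diff(a, b, lineterm="", n=0))[2:]
    residual = [line for line in diff if not line.startswith("@@")]
    return {"raw_byte_delta": raw_delta,
            "residual_diff": residual,
            "suspicious": bool(residual)}

# Constructed sample bodies (not captured from any real site).
BROWSER = ('<html data-adblockkey="AAAA1111">\n<body>\n'
           '<h1>parked</h1>\n</body>\n</html>')
BOT_KEY_ONLY = BROWSER.replace("AAAA1111", "BBBB22223333")
BOT_CLOAKED = BROWSER.replace(
    "</body>", "<p>text only the crawler sees</p>\n</body>")

if __name__ == "__main__":
    for name, bot in (("key only", BOT_KEY_ONLY), ("cloaked", BOT_CLOAKED)):
        print(name, cloaking_report(BROWSER, bot))
```

A nonzero `raw_byte_delta` with an empty `residual_diff` points at per-request tokens; lines left in `residual_diff` are the content that only one of the two clients was served.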