Another WordPress Attack?

I’ve been seeing sites during HITS work that redirect to links like this:
hxxp://hstraffa.com/l?link=56b626820cf2a8a3ef292a55&subid=06022016noref&source=06022016noref&lt=REDIRECT
Which then redirect to Punishtube and Sl*tRoulette.

Is this the remainder of a previous attack or a new one? Either way, Avast isn’t catching the redirect.

Since it’s HITS work, I don’t have the originating url, since it redirects before I can see it, and it doesn’t let me go back. I’ll keep trying to catch one.

EDIT: Got one.
hxxp://aliceproperty.com/ckrif/gambar-air-mani-wanita.html

The link you provided is a known PHISH and is blacklisted both by Quttera
and by PhishTank as verified and currently online: https://www.phishtank.com/phish_detail.php?phish_id=3668655
confirmed here: https://www.virustotal.com/en/url/a8ffd07ceb1528fb2d250e914eba4ebff5970e081905c282a2c89fcaf4847ea1/analysis/1456407794/
Website risk status 7 red out of 10: http://toolbar.netcraft.com/site_report/?url=http%3A%2F%2Faliceproperty.com
Norton flags it for phishing attacks.
You see the latest detected on this URL here: https://www.virustotal.com/en/ip-address/221.132.34.133/information/
Avast should detect this as Faceliker and their detection is called: JS:Autolike-K [Trj]
This is a fraudulent like-clicker trojan → https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanClicker:JS/Faceliker.B It may also infest add-ons/extensions in your browser.

polonus

If you go to the VT for the specific link I sent, you can see that the detection is only 1/67.
https://www.virustotal.com/en/url/a8ffd07ceb1528fb2d250e914eba4ebff5970e081905c282a2c89fcaf4847ea1/analysis/

It’s really not about this one URL anyway. I’ve been seeing them all day. I can provide a further list, if you want, but they all redirect to hstraffa, so Avast responding to that would be a start.

More:
hxxp://miyanji.com/wordpress/wp-content/yapqvro/Ucapan-selamat-tahun-baru-dalam-bahasa-indonesia.php
hxxp://forumkim.malangkota.go.id/wuhg9/upin-ipin-video-mp3.html
hxxp://focusassociates.com/zjfhp/kartika-photo-inbok.html
hxxp://indeesbakery.com/wp-content/plugins/cache/jlfrt/foto-biduan-hot-di-pentas.html
hxxp://rawfoodromance.com/15lr362y2/dp-doa-pisah-sambut-tahun.php

The VT scan in regard to URLs isn’t really a scan at all; it checks the URL against blacklists. It isn’t a live scan in the same way as when you upload a file for scanning.

I wasn’t aware of that.
I just saw that the redirect wasn’t being stopped, and I was seeing them in huge numbers in my HITS work (those 5 were in less than 5 minutes, and my rate is around 3 sites a minute). I almost missed the fact that it was happening, except that I was seeing the sites it was redirecting to a lot, and then I noticed they were all redirecting through the same site.
I can keep providing a list of infected sites, but I don’t want to spam the forum, unless it would be of use.

Hi DavidR,

You are right that hstraffa dot com is the culprit of these malicious redirects.
I get a 404 Not found even on the IP: http://toolbar.netcraft.com/site_report?url=http://88.214.197.35
http://hstraffa.com/l?link=56b626820cf2a8a3ef292a55&subid=06022016noref&source=06022016noref&lt=REDIRECT is in Dr.Web malicious sites list! So Avast should block it also, as you say “that’s for starters”.
I would not trust Pr0n video downloads anyway! They also violated copyright and had to remove content: https://www.google.com/transparencyreport/removals/copyright/domains/hstraffa.com/
Sucuri lists the website as having malware: Website Malware MW:HTA:7 http://hstraffa.com/l,malicious-redirect,2015-12-22,1450778901 Blacklisted IP: http://labs.sucuri.net/malware-data/hstraffa.com
IP badness history: https://www.virustotal.com/en/ip-address/88.214.197.35/information/
But redirects are up, live and kicking malcode: https://oscarotero.com/embed/demo/index.php?url=http%3A%2F%2Fhstraffa.com%2Fl%3Flink%3D56b626820cf2a8a3ef292a55%26subid%3D06022016noref%26source%3D06022016noref%26lt%3DREDIRECT&options[minImageWidth]=0&options[minImageHeight]=0&options[facebookAccessToken]=&options[embedlyKey]=&options[soundcloudClientId]=YOUR_CLIENT_ID&options[oembedParameters]=
Look here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fhstraffa.com%2Fl%3Flink%3D56c6ed680cf21eaad35da73d%26subid%3D%26source%3DDE-Eplus-v%26lt%3DDIRECTLINK

And the one for which we started all of this discussion, here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fhstraffa.com%2Fl%3Flink%3D56b626820cf2a8a3ef292a55%26subid%3D06022016noref%26source%3D06022016noref%26lt%3DREDIRECT
It has Google dynamic remarketing tag code & Google Merchant Promotion Code on.
Well, Google’s attitude could be characterised as a bit double-standard: they facilitate ad tracking to earn from the site’s clicks on the one hand, while on the other Google helps to remove copyrighted material from it when copyright owners demand it. :stuck_out_tongue:

polonus

Got another one I’m seeing a lot of. More redirects.
Example site:
hxxp://americancollegeofaestheticsurgery.com/ozfhvhg/Skuad-persib-untuk-lawan-bali-united.php

Redirects to:
hxxp://www.wirelesstube.mobi/#

Redirects again:
hxxps://mobrevflwms.com/h/df043372-e12b-11e5-9d98-014078369201/c/eb029ef2-9529-11e5-b565-02f6361de079/?_i=1&_s=4e17d724-e126-11e5-8640-1140476a8233&_r=www.wirelesstube.mobi&clickid=1005600000112767792-201603-7308cea9be&pubid=22152&_d=2|0|0|0|1|1|||1600x900||74-b980b3e0|0|0|58

Redirects again:
hxxp://mobfactory.info/r/df1a1354-e12b-11e5-acca-114041aa9ebb/0/

Finally ends up here:
hxxp://myinternetspeed.co/?offer_id=377&aff_id=49&aff_sub=CD14919&aff_sub2=d4992557-e78f-542f-9cd3-c7651ddc7dac&aff_sub3=e2c4w28464u2u2&placement=368
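Following a chain like the one above by hand, hop by hop, is tedious and easy to get wrong. Below is an added Python example (not code from this thread) that follows Location headers, meta refresh tags and simple JavaScript location assignments over a table of constructed responses, stops on loops or a hop limit, and flags any hop whose host is on a watchlist. The sample table, compromised.example, loop.example and the paths are constructed; the intermediary hostnames in the watchlist are the ones named in this thread.

```python
import re
from urllib.parse import urljoin, urlparse

# Intermediary hosts named in this thread; a real deployment would load a blocklist instead.
WATCHLIST = {"hstraffa.com", "mobrevflwms.com", "mobfactory.info"}

# Constructed stand-ins for the hops described above: url -> (status, headers, body).
# Not real captures: hostnames are from the thread, paths and bodies are made up.
SAMPLE_RESPONSES = {
    "http://compromised.example/ozfhvhg/page.php": (200, {},
        '<html><script>window.location.href="http://www.wirelesstube.mobi/";</script></html>'),
    "http://www.wirelesstube.mobi/": (200, {},
        '<meta http-equiv="refresh" content="0; url=https://mobrevflwms.com/h/x/?_r=www.wirelesstube.mobi">'),
    "https://mobrevflwms.com/h/x/?_r=www.wirelesstube.mobi": (302, {"Location": "http://mobfactory.info/r/x/0/"}, ""),
    "http://mobfactory.info/r/x/0/": (302, {"Location": "http://myinternetspeed.co/?offer_id=377"}, ""),
    "http://myinternetspeed.co/?offer_id=377": (200, {}, "<html>landing page</html>"),
    # A two-node cycle, to show the tracer terminates instead of spinning forever.
    "http://loop.example/a": (302, {"Location": "/b"}, ""),
    "http://loop.example/b": (301, {"Location": "/a"}, ""),
}

META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')

def sample_fetch(url):
    """Offline replacement for an HTTP client: look the URL up in the constructed table."""
    return SAMPLE_RESPONSES.get(url)

def next_hop(url, status, headers, body):
    """Return the absolute URL this response forwards the browser to, or None if it lands."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return urljoin(url, headers["Location"])
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(url, m.group(1)) if m else None

def trace_chain(start, fetch=sample_fetch, watchlist=WATCHLIST, max_hops=10):
    """Follow redirects from `start`; fetch(url) returns (status, headers, body) or None.
    Returns (hops, flagged_hops, reason) with reason in {"landed", "loop", "max_hops"}."""
    hops = [start]
    while True:
        resp = fetch(hops[-1])
        nxt = next_hop(hops[-1], *resp) if resp else None
        if nxt is None:
            reason = "landed"; break
        if nxt in hops:
            reason = "loop"; break
        hops.append(nxt)
        if len(hops) > max_hops:
            reason = "max_hops"; break
    flagged = [h for h in hops if urlparse(h).hostname in watchlist]
    return hops, flagged, reason
```

Swap `sample_fetch` for a real client that does not execute scripts and you get the same hop list from a live chain, which is what you want to hand to a vendor alongside the originating URL.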

I get this
in return for checking on: http://americancollegeofaestheticsurgery.com/ozfhvhg/skuad-persib-untuk-lawan-bali-united.php

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /mother/24/readf.php was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

polonus