Deviantart infected?

Sucuri reports art website Deviantart being infected with malware, detecting apparently hidden iframes:

https://sitecheck.sucuri.net/results/deviantart.com

It is a very bad practice to load ads while the user doesn’t know about it and doesn’t get to see them.

I wouldn't access DA without an adblocker anyway, as it does have a shady past of infected ads.

deviantart.com
https://virustotal.com/en/file/9f998f715c1eb93040c232de726927f50ea8d4c329d7a162e5ab4d7eabc13dca/analysis/1466277914/

deviantart.com/browse/all/
https://virustotal.com/nb/file/ed949c5c4c5be50686b69f3f604333b38b4bd6828b035b8a7e9e322f773e8358/analysis/1466278098/

I’ve always used Adblock when visiting Deviantart. Today it gave me a banner that requested me to allow ads because advertisement funding. :-\

Has 8 problems here: https://mxtoolbox.com/domain/www.deviantart.com/
A meagre F-Status here: https://sritest.io/#report/46ce95d2-4559-4954-b028-620ab33b57dd
I certainly would adblock this running: Script loaded: -http://edge.quantserve.com/quant.js
See: https://urlquery.net/queued.php?id=1344017943
See comment reports: https://www.mywot.com/en/scorecard/www.deviantart.com?utm_source=addon&utm_content=contextmenu

Test with some good news: Good News! This site is safe from the Logjam attack. It supports ECDHE, and does not use DHE.

pol

Thanks polonus! But the urlquery report’s “Status” seems to get stuck in “Processing” on me. ???

Were there any current malware threats like what was reported by Sucuri and Pondus’ Virustotal results?

Hi Pernaman,

Your question is about Amazon abuse via hxxp://www.da-ads.com/google.html?
Malvertising is the name of the game and the threat here.
And then the question is why doesn't Google keep these malvertisers at bay for their personalised ads?
da-ads.com is owned by Deviantart and this might probably be OK, but most of the ads are open to malvertising!
Also consider this info: https://www.passivetotal.org/register?query=www.da-ads.com.rajatorrent.com&qtype=passive

What Sucuri flags is still in that code:

662:  < if​rame scrolling="no" frameborder="0" data-da-ad="1" name="ad-atf-top-970x250-34167" data-adcatch-id="ad-atf-top-970x250-34167" data-da-safety="safe" class="hidden-frame-bidder" style="width:970px;height:250px;" src=hxxp://www.da-ads.com/google.html?cb=1465801392#%7B%22size%22%3A%5B970%2C250%5D%2C%22service%22%3A%221008370%5C%2Fca-pub-2005626271413567%22%2C%22slot%22%3A%22atf_top_970x250_v7_today%22%2C%22adsense%22%3A%7B%22adsense_channel_ids%22%3A%226796827591%22%2C%22google_hints%22%3A%22graphic+design%2Cweb+design%2Cgaming%2Cphotography%2Canimation%2Ccomic+books%2Cdigital+images%22%2C%22google_kw%22%3A%22graphic+design%2Cweb+design%2Cgaming%2Cphotography%2Canimation%2Ccomic+books%2Cdigital+images%22%2C%22google_kw_type%22%3A%22broad%22%7D%2C%22da%22%3A%7B%22LoggedIn%22%3A%22No%22%2C%22referrer%22%3A%22google%22%2C%22dailyimp%22%3A1%2C%22sessimp%22%3A1%7D%2C%22qc%22%3A1%2C%22force%22%3Afalse%2C%22acc%22%3Afalse%2C%22additional_sizes%22%3A%5B%5D%2C%22ri%22%3Afalse%2C%22ox%22%3Afalse%2C%22pub%22%3Afalse%2C%22cs%22%3Afalse%2C%22aol%22%3Afalse%2C%22snb%22%3Afalse%2C%22app%22%3Afalse%2C%22svn%22%3Afalse%2C%22azn%22%3Afalse%2C%22gpt_sf%22%3Atrue%2C%22safeframed%22%3A1%2C%22sf_ident%22%3A%22ad-atf-top-970x250-34167%22%2C%22sf_safe%22%3Atrue%2C%22page_safety%22%3A%22safe%22%2C%22dapx%22%3A%7B%22r%22%3A%22565m1773da84e6e2866d87f01ddf4c7ba60b%22%2C%22d%22%3A%229ea6631ccb582c51a7e492cfef3d0179%22%2C%22v%22%3A%22today%22%2C%22c%22%3A1660192477%7D%7D" webkitallowfullscreen mozallowfullscreen allowfullscreen onload="this.style.visibility='visible';"> < / if​rame > < div id="ad-atf-top-970x250-34167-safe" data-da-safety="safe" data-adcatch-id="ad-atf-top-970x250-34167" data-da-ad="1" style=" display: none ;"> < sc​ript > 

see on line 662 here: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.deviantart.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1
Sucuri flags it as malware: Details: http://sucuri.net/malware/entry/MW:IFRAME:HD202?v11
But others do not give it, as for instance: http://zulu.zscaler.com/submission/show/54fcecd7a45de57a1f79ee29c6b4d678-1466333996
The malware is on a Wilmington cloudfront.net Amazon scripted dot com server in the States: https://www.threatcrowd.org/ip.php?ip=52.85.82.56
and https://www.virustotal.com/en-gb/ip-address/54.230.46.104/information/ & https://cymon.io/54.230.46.104 & not recent: https://www.threatcrowd.org/ip.php?ip=54.230.46.104

On the other deviantart IP there are also issues:
https://www.herdprotect.com/ip-address-54.192.18.33.aspx https://www.reasoncoresecurity.com/ip-address-54.192.18.33.aspx
mainly PUPs.

Therefore we also performed this test here: https://www.htbridge.com/radar/?id=893f128ef508d30ff13baaee998077a0ab1dea709aa62a28f2ace4e9434ec9ae
Check the potential Cybersquatting and Typosquatting results.

polonus
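What a hidden-iframe heuristic sees in markup like the line 662 quoted above, as an added example that is not part of the thread and is not Sucuri's detection logic: it lists each iframe, why a simple scanner might call it hidden, whether an onload handler makes it visible again, and the JSON configuration carried in the URL fragment. The sample HTML and the hosts ads.example, tracker.example and video.example are constructed.

```python
import json
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample, shortened from the shape of the iframe quoted in the thread.
SAMPLE_HTML = '''
<iframe class="hidden-frame-bidder" style="width:970px;height:250px;"
  src="http://ads.example/frame.html?cb=1#%7B%22size%22%3A%5B970%2C250%5D%2C%22safeframed%22%3A1%7D"
  onload="this.style.visibility='visible';"></iframe>
<iframe style="display:none" src="http://tracker.example/x.html"></iframe>
<iframe width="600" height="400" src="http://video.example/embed"></iframe>
'''

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
REVEAL = re.compile(r"visibility\s*=\s*['\"]visible['\"]", re.I)


class IframeAudit(HTMLParser):
    """Record every iframe and the reasons a heuristic might call it hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("inline-style-hidden")
        if any("hidden" in c.lower() for c in a.get("class", "").split()):
            reasons.append("hidden-class")
        url = urlsplit(a.get("src", ""))
        try:  # ad frames like the quoted one carry URL-encoded JSON in the fragment
            config = json.loads(unquote(url.fragment)) if url.fragment else None
        except ValueError:
            config = None
        self.findings.append({"host": url.hostname, "reasons": reasons,
                              "revealed_on_load": bool(REVEAL.search(a.get("onload", ""))),
                              "fragment_config": config})


def audit(html):
    """Return one finding per iframe in the given HTML string."""
    parser = IframeAudit()
    parser.feed(html)
    return parser.findings
```

A frame that is flagged only by its class name, is made visible on load and carries a readable ad configuration is a different finding from one with `display:none` and no reveal, which is the distinction an analyst has to make when one scanner flags a page and others do not.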

With how big DA is, it doesn't surprise me that there's a lot of cyber- and typosquatting.

Hi Lotan,

Apart from that, and with good ad- and script-blocking, it is a considerably safe and secure website.
The only worry for general and especially younger users often is the uploaded spam content
and also the kinky smut content absolutely not suitable for children,
so go there as an adult and know what content to avoid.
If this is not your thing do not go there. :wink:

polonus