See: Website: htxp://download.skype.com
Checked URL: htxp://download.skype.com/0dce4e856bdf8239787df5c367298d54/SkypeSetup.exe
Blacklist URL Details:
Blacklisted checked url. Suspected of malicious activity or distributing of malware.
Re: https://www.virustotal.com/nl/url/42e6e0b2a6d4e927e6c50b03b642a3e6616e559e2f446414119f6d39b50247df/analysis/
Probably harmless: https://www.virustotal.com/nl/file/13cef760346afbb30390daa6f6f3f8f7aee111d98e3f3302f7a8f7214b56aff4/analysis/1425303914/
Redirects to: htxp://www.skype.com/go/download
Suspicious on Javascript check: Suspicious
maxresponsesize: 1000000} }; document.write(unescape("%3cscript%20src='" + (document.location.protocol == 'https:' ? 'htxps://clicktalecdn.sslcs.cdngc.net/www/' : 'http://s.click…
For this tracking code consider https: anywhere rewrite: https://www.eff.org/https-everywhere/atlas/domains/clicktale.com.html
Included scripts:
Suspect - please check list for unknown includes
Suspicious Script:
-skype.com///nexus.ensighten.com/skype/bootstrap.js
document.write(unescape("%3cscript%20src='" + (document.location.protocol == 'https:' ? 'htxps://clicktalecdn.sslcs.cdngc.net/www/' : 'http
404 error check:
Suspicious 404 Page:
document.write(unescape("%3cscript%20src='" + (document.location.protocol == 'https:' ? 'htxps://clicktalecdn.sslcs.cdn
Decided to do a tracker tracker report on site. Do not open links from attached report in a browser.
polonus
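An added example, not part of the thread or of any scanner's own code: a small JavaScript check for the document.write(unescape(...)) loader pattern flagged in the post above. It decodes the percent-encoded string literals and lists the hosts each protocol branch would load a script from. The .example hosts, the sample markup and the function names are constructed for illustration.

```javascript
// Added example. Hosts under .example and the page markup are constructed.
const SAMPLE_PAGE = `<script>
document.write(unescape("%3Cscript%20src='" + (document.location.protocol == 'https:' ?
  'https://cdn.tracker.example/www/' : 'http://s.tracker.example/www/') +
  "tag.js'%20type='text/javascript'%3E%3C/script%3E"));
</script>`;

// Return the argument text of every document.write(unescape(...)) call.
// A string-aware parenthesis walk is used so quotes and nested (...) do not
// end the match early; a snippet cut off mid-call is returned as far as it goes.
function loaderArgs(source) {
  const args = [];
  const start = /document\.write\s*\(\s*unescape\s*\(/g;
  while (start.exec(source) !== null) {
    const begin = start.lastIndex;
    let depth = 1, quote = null, i = begin;
    for (; i < source.length && depth > 0; i++) {
      const c = source[i];
      if (quote) {
        if (c === "\\") i++;
        else if (c === quote) quote = null;
      } else if (c === '"' || c === "'") quote = c;
      else if (c === "(") depth++;
      else if (c === ")") depth--;
    }
    args.push(source.slice(begin, depth === 0 ? i - 1 : i));
  }
  return args;
}

// Decode each string literal the way unescape() would and collect script hosts.
function scriptLoaderHosts(source, firstParty) {
  const found = [];
  for (const arg of loaderArgs(source)) {
    const literals = arg.match(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g) || [];
    for (const lit of literals) {
      const text = unescape(lit.slice(1, -1));
      for (const u of text.matchAll(/(https?):\/\/([a-z0-9.-]+)/gi)) {
        const host = u[2].toLowerCase();
        found.push({
          host,
          cleartext: u[1].toLowerCase() === "http", // fetched without TLS
          thirdParty: host !== firstParty && !host.endsWith("." + firstParty),
        });
      }
    }
  }
  return found;
}

console.log(scriptLoaderHosts(SAMPLE_PAGE, "shop.example"));
```

The `cleartext` flag marks the branch that would be fetched over plain HTTP, which is the case an HTTPS rewrite rule is meant to cover.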
Pondus
2
First submission 2015-01-28 11:56:55 UTC ( 1 month, 2 weeks ago )
Copyright(c) Skype Technologies S.A.
Publisher Skype Software Sarl
Product Skype
Original name SkypeSetup.exe
Internal name SkypeSetup.exe
File version 7.1.0.105
Description Skype
Signature verification Signed file, verified signature
Signing date 3:09 PM 1/23/2015
Signers
[+] Skype Software Sarl
[+] Microsoft Code Signing PCA
[+] Microsoft Root Certificate Authority
Counter signers
[+] Microsoft Time-Stamp Service
[+] Microsoft Time-Stamp PCA
[+] Microsoft Root Certificate Authority
OK, Pondus, agree that skype software there is completely above board, certified and verified.
Problems come with the https://anywhere rewrite of 'htxps://clicktalecdn.sslcs.cdngc.net/www
→ https://www.eff.org/https-everywhere/atlas/domains/clicktale.com.html
Seems to be OK here: https://www.sslshopper.com/ssl-checker.html#hostname=https://clicktalecdn.sslcs.cdngc.net
See also: http://www.dnsinspect.com/clicktalecdn.sslcs.cdngc.net/1426256441
It is blocked by HTTP Switchboard for me in Google Chrome and also by WOT.
Listed here: 03/03/2015 hpHosts Used for advert or tracking purposes.
polonus
Update: It is not only Skype that uses the nexus ensighten tag delivery bootstrap script, it is also Lebara.
See: -http://ie.lebara.nl/ & http://toolbar.netcraft.com/site_report?url=http://ie.lebara.nl
Re: https://www.robtex.net/#!dns=www.lebara.nl
Excessive Server header info proliferation: http-server-header: Apache/2.2.3 (Red Hat)
Potentially risky methods: TRACE. -http://eua3300037-vip-www.lebara-mobile.nl.eu.verio.net/
→ http://toolbar.netcraft.com/site_report?url=http://eua3300037-vip-www.lebara-mobile.nl.eu.verio.net
scriptAlias /phppath/ "/usr/bin/" vulnerable.
Warning on that script: http://www.google.com/safebrowsing/diagnostic?site=nexus.ensighten.com
Domain badness history: https://www.virustotal.com/nl/domain/nexus.ensighten.com/information/
Analyse: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.lebara.com%2Fnl%2Fnl
Good adblockers and uMatrix will block -nexus.ensighten.com and the web rep of that adware tracking domain:
https://www.mywot.com/en/scorecard/nexus.ensighten.com
The kind of tracking or phishing rather that is being performed through this script depends very much on the client.
So in this case it is always ensighten in relation to lebara or skype or whatever.
In this case see here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fnexus.ensighten.com%2Flebara%2FBootstrap.js
Cross Platform Initialization of Robot Localization and Mapping via Beacons (with errors?).
polonus (volunteer website security analyst and website error-hunter)