I clicked on a scam site, am i at a risk?

Today when I just woke up I checked my email, and in my inbox I saw an email from Apple en-us notifying me that someone tried to log in to my Apple account from France and that I have to verify my Apple account so it won’t be locked. For some reason I was not on my usual careful side, so I just clicked on the link inside that message and it brought me to an unknown site hxxps://d.pr/jf6uiQ which, when it opened, said 404 error Page not found. I noticed right away that this was a scam, so I closed the page right away; when I looked at who the sender is, of course it is just a random username.

So what happened was I just clicked on the link, it brought me to a random site, the page didn’t load and instead went to a 404 page not found, and I closed it right away. I didn’t enter any of my information. Am I at risk of sharing my valuable information with that site? Is it safe to log in to future legit and safe sites after that happened? Thank you

For information, I use the latest version of Windows 10, the Mozilla Firefox browser and Avast free antivirus software, both updated to the latest version.

Hi kvin,

Please change the https to hxxps; we don’t want people accidentally clicking on the link. Just because it says 404 Not Found doesn’t mean it hasn’t done anything.

Redirects to >> hxxps://sauronproject.eu/css/kontol.php

Information on the redirect here >> https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Iy5wfWBqZjZ1W1E%3D~enc

I thought maybe kontol was a foreign language (it is!). It means “d**k” in Indonesian, how nice of them. PHP means server side scripts are running.

Your initial link information:

Blacklist >> https://www.virustotal.com/gui/url/465eb8e6939e2dd96ccd3325e38ed6153ffd25eac51ec938bfb4e9e7a060d339/detection
(404/Clean) >> https://checkphish.ai/insights/url/1572699952726/465eb8e6939e2dd96ccd3325e38ed6153ffd25eac51ec938bfb4e9e7a060d339
Malicious >> https://urlscan.io/result/38b963cc-39b7-47e6-95ad-2047f736779e
Blacklisted >> https://sitecheck.sucuri.net/results/https/d.pr/jf6uiQ
Zulu says “clean”, but imo, the SSL certs mean nothing. Amazon AWS services can be abused as well. >> https://zulu.zscaler.com/submission/65d66509-2e64-4d33-a31e-8ed68cfd3727

*I would actually classify Zulu as “Suspicious”.

The redirect >> https://checkphish.ai/insights/url/1572700393410/56d790352bd40476b2463c31600ae07a14773ef138958b8522579ed994ff4b6a

I scanned the EU website with nmap, which pulled a lot of interesting information.

Ports 80, 443 and 8080 are reasonably normal to see HTTP(S) on.

nmap also revealed a MySQL DB running on port 3306 - v5.5.55

This isn’t a very secure website, by the way. RCE will give me ability to run commands, and then I can priv esc to root (bad, very bad)

https://www.exploit-db.com/exploits/23073 https://www.exploit-db.com/exploits/40679

I also didn’t expect to find backup files…

8008/tcp open http
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 302 Found
|     Location: https://:8010/nice%20ports%2C/Tri%6Eity.txt%2ebak
|     Connection: close
|     X-Frame-Options: SAMEORIGIN
|     X-XSS-Protection: 1; mode=block
|     X-Content-Type-Options: nosniff
|     Content-Security-Policy: frame-ancestors
|   GenericLines, HTTPOptions, RTSPRequest, SIPOptions:
|     HTTP/1.1 302 Found
|     Location: https://:8010
|     Connection: close
|     X-Frame-Options: SAMEORIGIN
|     X-XSS-Protection: 1; mode=block
|     X-Content-Type-Options: nosniff
|     Content-Security-Policy: frame-ancestors
|   GetRequest:
|     HTTP/1.1 302 Found
|     Location: https://:8010/
|     Connection: close
|     X-Frame-Options: SAMEORIGIN
|     X-XSS-Protection: 1; mode=block
|     X-Content-Type-Options: nosniff
|_    Content-Security-Policy: frame-ancestors
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://sauronproject.eu:8010/

I tried grabbing it - FortiGuard got pissed off with me - and I can’t override FortiGuard given my current location (I have no access to this firewall on campus).

(Note: Anything that says “Web Filter Block Override” means it got blocked by my firewall.)

I would say, yes. It’s malicious. Whether it got anything onto your system is a different story. I would recommend running these scans found here >> https://forum.avast.com/index.php?topic=194892.0

OK, I abused my data on an LTE connection for a minute. Website is refusing connection on 8008 and 8010. It’s odd that it’s public facing though.

LOL - https://sauronproject.eu/

SAURON project addresses the topic CIP-01-2016-2017: Prevention, detection, response and mitigation of the combination of physical and cyber threats to the critical infrastructure of Europe and put the focus on protection of EU Ports under Transport Infrastructure and means of transportation type of CI.

SAURON proposes to ensure an adequate level of protection and resilience against physical, cyber and a combined threat for the EU ports and limiting, as far as possible, the detrimental effects for the society and citizens of a declared attack.

The vision of SAURON is to provide a multidimensional yet installation-specific Situational Awareness (SA) platform to help port operators anticipate and withstand potential cyber, physical or combined threats to their freight and cargo business and to the safety of their employees, visitors, passengers and citizens in the vicinity. This will be achieved by accomplishing the following operational objectives:

O1. To analyse the ports’ current vulnerabilities and risks: SAURON will use the results of previous dedicated projects (e.g. CYSM, MEDUSA, MITIGATE) which analysed the EU ports’ real physical and cyber vulnerabilities and risks in order to assess and adapt their results to the ports’ current protection systems.
O2. To produce a multidimensional and scalable SA platform: To develop (to TRL7) and test a multidimensional and scalable SA platform easily deployable for EU ports comprising a Physical Situation Awareness (PSA) application, a Cyber Situation Awareness (CSA) application and a Hybrid Situation Awareness (HSA) application in order to prevent, detect, respond to and mitigate any physical, cyber or combined threat.
O3. To fuse the physical environment, including external events, and the cyberspace in order to achieve a hybrid operation theatre capable of detecting potential cascading effects, helping the decision makers to prevent, understand and face any kind of potential threat.
O4. To develop and integrate innovative population warning techniques for informing and protecting both the inhabitants in the vicinity of the ports and the emergency teams in charge of intervening in case of attack.
O5. To validate the project results in a cost-effective way under real conditions through 2 pilot demonstrations in real EU ports (Valencia Port and Piraeus Port).
O6. To ensure compliance with legal and ethical principles and requirements, identify lacunae and hurdles and develop concrete recommendations to policy makers and pertinent stakeholders with the aim of ameliorating the current level of protection in the EU ports.

LOL. Seriously?! This is fucking hilarious. Hold up one minute. I’m fetching polonus. This is amazing!

Thank you for the reply, and sorry for the link. I’ve just edited it.

And I honestly don’t understand all of that, but thank you for the heads up; hope it was nothing serious. Did you also get a 404 page error not found page when clicking the link I provided? Or is it my internet blocking it or something?

I am running the Malwarebytes scan right now and will let you know if any threat is detected!

Hi Michael (alan 1998),

Thank you very much for the heads-up on this.
Maybe avast team can do something with the following information :wink: ;D

To give a predictable scheme as to the creation of such obfuscated malware campaign domains,
see the scheme here: http://www.test.cocon.se/8/2/18/7/4/1/5/3/11/6/16/19/9/12/15/13/20/10/

That is how these malcreants operate their devious schemes.
Interesting to know to take it down faster than they can create it.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

It is “404 not found” yes, but they redirect you to other domains. That’s where my concern is.

And they are malicious, see detections on IP relations:
https://www.virustotal.com/gui/ip-address/34.215.95.247/relations
7 to detect Phishing here: https://www.virustotal.com/gui/url/945f44b80274e02c1c7263341c27637bb217f8190a02f37ed96869654173031f/detection

For the redirect from the domain you mention: https://pshack.org/threads/81786/
It is dangerous, as even the Sucuri scan for the redirect address was blocked:

Block details: Your IP: my IP address URL: sitecheck.sucuri.net/results/https://sauronproject.eu/css/kontol.php Your Browser: bla-di-bla-di bla Block ID: BAK024 Block reason: Access to a backdoor or suspected location was denied. Time: 2019-11-02 12:49:22 Server ID: 19007

So when even the queries to it get blocked, it is more than a scam, it is dangerous.
No two ways about it.

Also consider: https://www.cyberscan.io/domains/sauronproject.eu

polonus
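Two points in this thread go together: the 404 page is not the end of the story because the link redirects elsewhere, and links posted here should be defanged (hxxps). Below is an added example, not code from the thread or from any of the scanners linked above, that walks a redirect chain one hop at a time without letting the HTTP library auto-follow, stops on loops or a hop cap, and defangs each URL for posting. The hosts in SAMPLE_RESPONSES are constructed placeholders, and live_fetch is the hypothetical helper you would pass to inspect a real link.

```python
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

def defang(url):
    """Rewrite http(s):// to hxxp(s):// and bracket the host's dots."""
    p = urlsplit(url)
    if not p.scheme:  # relative Location such as "/final": nothing to defang
        return url
    tail = (p.path or "/") + ("?" + p.query if p.query else "")
    return p.scheme.replace("http", "hxxp", 1) + "://" + p.netloc.replace(".", "[.]") + tail

def live_fetch(url):
    """One HEAD request; http.client never follows redirects (some sites only redirect on GET)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=10)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(url, fetch=live_fetch, max_hops=10):
    """[(url, status, location), ...] per hop; stops on non-redirect, no Location, loop or cap."""
    chain, seen, current = [], set(), url
    for _ in range(max_hops):
        if current in seen:
            chain.append((current, None, "loop"))
            break
        seen.add(current)
        status, location = fetch(current)
        chain.append((current, status, location))
        if status not in REDIRECT_CODES or not location:
            break
        current = urljoin(current, location)  # Location may be relative
    return chain

# Constructed sample (hypothetical hosts): two 302 hops ending on a 404 page,
# the "it said 404 but still redirected me" pattern discussed in the thread.
SAMPLE_RESPONSES = {
    "https://short.example/abc": (302, "https://landing.example/css/page.php"),
    "https://landing.example/css/page.php": (302, "/final"),
    "https://landing.example/final": (404, None),
}

def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, None))
```

Running `trace_redirects("https://short.example/abc", fetch=sample_fetch)` returns the three hops, and printing each with `defang()` gives a chain safe to paste into a forum post.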

Alright, I just finished my Malwarebytes scans after enabling the rootkit scan and they found no threat on my computer; I scanned it twice just to be sure and still 0 threats.

Does this mean I just avoided something dangerous? What do I have to do after this? Is my system now safe to, for example, log in to my bank or social media account using my computer?

Hi kvintanzil,

You probably were saved by the bell of that redirection being blacklisted.
A predictable malcreant is not a very clever one, to say the least.
They get caught or their evil schemes do not come to fruition.

When one has lost the lid on a specific malicious scheme, it won’t stay a threat for the aware for long.
You can however still endanger the unaware and the unprotected.

So a good thing not all malcreants are that brilliant, on the other hand one that protects has to reckon with all sorts of threats,
and those that infect just need one tiny little hole to worm their “coded-misfortune” through :wink:
It often mirrors a cat and mouse game.

And again, when something seems too good to be true, it often is.

polonus

Thank you kind sir, have a good day.