Is this site safe to access (scan showing 3 hidden Iframe)

system · 2015-08-08T16:56:07.000Z

I was searching for android game, then when I click on a link in yahoo search, I got a redirect to unknown site (htxp://s.click.aliexpress.com/e/yzyune6b/).

The link is htxp://play.hotandroidgames.com
Scan showing 3 different hidden Iframe: http://killmalware.com/play.hotandroidgames.com/
Not blacklisted: https://www.virustotal.com/zh-tw/url/1fb99d5e66662c0e628985e86bb7e87713d52d8f05f7d22b2e7720b459c88404/analysis/1439052601/
Iframe also detected here? http://quttera.com/detailed_report/play.hotandroidgames.com

polonus · 2015-08-08T17:40:28.000Z

Hi rickyyeung,

Again as always an interesting issue you come up with. I went over the code and found the following at a first glance skimming over this.
The redirect is for an unknown site, well it belongs to the richest man in China actually, the guy that owns AliBaba aka aliexpress dot com . uMatrix has blocked the tracking there from htxp://dmtracking2.alibaba.com.

For website server insecurities, see here: https://asafaweb.com/Scan?Url=s.click.aliexpress.com%2Fe%2Fyzyune6b

App from: android-app://com.alibaba.aliexpresshd/aliexpress/deeplink/home/www/en
while Quixey search made a deal with AliBaba to better reach out to 100 million Chinese users.

Of course there should be a link to Akamai and well it is here: http://toolbar.netcraft.com/site_report?url=
-http://style.aliunicorn.com We see this background task running from that code: http://www.backgroundtask.eu/Systeemtaken/taakinfo/706474/atom-ws.js/ (no risk there)

For htxp://js/6v/lib/gallery/jquery/jquery.js%22&&/%5Ehttps?://[^/]+.alibaba.com//.test(location.href)===!1&&(e.exports.securityDebug=!0)}),delete%20seajs._atom - this could be leading to a Pua.Lolipop infection, normally detected by Avast as Win32:PUP-gen [PUP]. So adware for you there! Did you get an Avast PUP warning or do you not have PUP scanning activated, as it is off by default.

For your iFrame question, here is an answer: https://www.mywot.com/en/scorecard/click.aliexpress.com?utm_source=addon&utm_content=contextmenu - Affiliate marketing to aliexpress. Nothing bad here. If there is a bad product of a bad popup on one site, it is not the fault of this site, but of the owner of the affiliate site. That is true, but they seem to be spamming: http://www.ohow.co/stop-s-click-aliexpress-com-referrer-spam/

polonus (volunteer website security analyst and website error-hunter)

DavidR · 2015-08-08T17:59:44.000Z

With Firefox, I use Yahoo search in preference to Google, clicking on search links often end up going through two or more URLs to get to the intended URL.

Often these are going through affiliates and click tracking, etc. to get monetary gain. The main thing here with Firefox all of these redirections stop awaiting my input at any point the user can close the tab if they don’t want to proceed. But in most cases I let it go through.

Also with firefox if it is a bad site it should block it (safe browsing), I also use WOT and that also can block access to a bad site.

Pondus · 2015-08-08T19:20:17.000Z

Killmalware http://killmalware.com/s.click.aliexpress.com/e/yzyune6b/
html scan https://www.virustotal.com/en/file/2fd4e905f3b0b2715bf95ade30953f278158c87ee927020960da095d2c0e0dc5/analysis/1439061385/

Killmalware http://killmalware.com/play.hotandroidgames.com/
html scan https://www.virustotal.com/en/file/9c4ac4beac16fab5247eec110b70ebaa7a13c1df91026001dee5137e360cdbc6/analysis/1439061019/

polonus · 2015-08-08T19:39:54.000Z

This pattern certainly is suspicious as killmalware results show: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fplay.hotandroidgames.com%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F.ru%2F
See inside the code: -http://1900522681.rsc.cdn77.org/_/css/screen.css?v=3.9 → http://toolbar.netcraft.com/site_report?url=http://1900522681.rsc.cdn77.org iFrame re-directing here: -http://www.zazzle.com/gifts
code redirect does not resolve: -http://www.zazzle.com/AnyStoreName?rf=238206289485418287 via 3 redirect landing here

 htxp://track.www.zazzle.com/b/ss/zazzlecom/1/G.5--NS/pp7602167pp?ns=zazzle&ce=UTF-8&cc=USD&cdp=3&pageName=Sem%3Adecsearch%3A16305%3AGifts&server=www.zazzle.com&events=event1&c1=%27%27&c10=0-50ms&c13=1&c14=popularity&c27=81.69.181.197&c33=0&c36=2599141&c57=grid&c67=zazzle%2Caif%2Ccasemate%2Cavery&v1=%27%27&v13=1&v14=popularity&v17=web&v30=responsivesite&v43=not_logged_in%3AG&v49=0&v52=%23100%3AUploadYourImageVariant%23&v53=%23100%3AUploadYourImageVariant%23&v56=2599141&v66=grid&v69=master.f9d892267c4151042e644e4d6c4ce0f056eab0d9&v70=False&g=http%3a%2f%2fwww.zazzle.com%2fgifts&r=http%3a%2f%2fwww.zazzle.com%2fanystorename%2bgifts"

and landing here: -http://la.cdnmob.org/ which is blocked by Bitdefender TrafficLight → https://www.virustotal.com/nl/domain/la.cdnmob.org/information/

polonus

system · 2015-08-15T12:33:32.000Z

Now I found not only the hidden Iframe redirect in htxp://play.hotandroidgames.com,but there is also the following phishing content as shown in this urlquery scan:
http://urlquery.net/report.php?id=1439641361693

Added / Verified: 2015-08-15
Severity: 2
Host: hxxp://sales.1moretoy.com/goto_ali.php?key=3
Comment: Phishing

polonus · 2015-08-15T16:35:32.000Z

Not much code on host

 <html><head><META NAME='ROBOTS' CONTENT='NOINDEX, NOFOLLOW'></head><body><form action='/goto_ali.php' method='post' id='form1'><input type='hidden' name='key' value='3' /></form><script language='javascript'>[i]document.getElementById('form1').[/i]submit();</script></body></html>

Netcraft blocks: This page has been blocked by the Netcraft Extension for the following reason:

Suspected Phishing

Blocked URL: -http://sales.1moretoy.com/goto_ali.php?key=3 = AliDatatableBundle.php
→ https://github.com/AliHichem/AliDatatableBundle

<?php
namespace Ali\DatatableBundle;
use Symfony\Component\HttpKernel\Bundle\Bundle;
class AliDatatableBundle extends Bundle
{
}

polonus

Announcements