Suspicious domain on this Finnish film distributor site?

I was browsing finnkino.fi (official website for Finnkino, a Finnish film distributor and the biggest cinema chain in Finland), but when browsing pages of different movie schedules, I noticed that the site was occasionally trying to connect to a domain "statistik-gallup.net", which doesn't appear in the list of blockable elements in either Adblock or NoScript. I did some Googling and this domain seems to be hosted on different Finnish newspaper/video game sites etc., and some have claimed it to possibly be connected to spying and/or phishing, though these search results were dated over 6 years back.

Here are some VT results:

https://www.virustotal.com/fi/url/cbd85efc436d83fdd28587bd6d148c8711d37575b60b1134511ad6f1571e8e92/analysis/1477752992/

https://www.virustotal.com/fi/ip-address/84.39.235.148/information/

Sucuri gives “unable to connect” and Quttera tells the site is “unreachable”.

Definitely there are issues with that server: trace error, runtime error and a 404 file or directory not found; Custom errors: fail, an excessive headers warning and a clickjacking warning: https://asafaweb.com/Scan?Url=www.finnkino.fi

hxtp://www.finnkino.fi
Detected libraries:
jquery - 1.5.1 : (active1) htxp://www.finnkino.fi/scripts/all.js
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
jquery-ui-dialog - 1.8.2 : (active1) -http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.2/jquery-ui.min.js?=1477757496870
jquery-ui-autocomplete - 1.8.2 : -http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.2/jquery-ui.min.js?=1477757496870
(active) - the library was also found to be active by running code
1 vulnerable library detected

Quttera scan is fine. Sucuri’s also.
302 redirect here: http://www.webserverinfo.com/domain/185.22.132.226/http://www.dnspoo.com/a/finnkino.fi

See: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.finnkino.fi&useragent=Fetch+useragent&accept_encoding=

The scan has detected some potential problems in these files. First scroll down through the code listed out after the list of links; this is the code returned by the request for the URL you entered, and check for any problems. Next, these link(s) will open the individual URL(s) in this tool; check through the code that is returned, compare the code being returned to a known clean copy, etc.

1 → /scripts/all.js
2 → /scripts/all.js

The scan has detected some POTENTIAL problems in these external files. First scroll down through the code listed out after the list of links; this is the code returned by the request for the URL you entered, and check for any problems. Next, these link(s) will open the individual URL(s) in this tool; check through the code that is returned, compare the code being returned to a known clean copy, etc.

1 → addthisevent.com/libs/1.6.0/ate.min.js

So there are potential problems with that server that should be fixed or mitigated!

polonus (volunteer website security analyst and website error-hunter)

P.S. My personal bet is trouble with "all.js" (invalid app), so the "id Facebook login api" may not be working!
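The retire.js output above flags jQuery 1.5.1 for CVE-2011-4969, the bug where a string such as `location.hash` that happens to contain a tag is parsed as HTML instead of being treated as a selector. The following is an added example, not code from the thread, from Finnkino's site or from jQuery itself: it reproduces the string-classification decision that `$()` makes using transcriptions of jQuery's internal `quickExpr` before and after the 1.6.3 fix (the two regexes are an assumption of this example), runs a benign anchor and an attacker-style fragment through both, and shows the hardened pattern a practitioner would use instead of passing the hash to `$()` at all. The sample inputs are constructed.

```javascript
// Added example (not the thread's, Finnkino's or jQuery's own code).
// The two regexes are transcriptions of jQuery's internal "quickExpr"
// and are an assumption of this example, not jQuery's code.

// jQuery <= 1.6.2: any string containing <...> is parsed as HTML, even
// when it starts with '#', as location.hash always does.
const QUICK_EXPR_OLD = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// jQuery >= 1.6.3: a string that starts with '#' can only be an id lookup;
// '#<img ...>' falls through to the selector engine, which rejects it.
const QUICK_EXPR_FIXED = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// Mirrors the decision jQuery(...) makes on a string argument.
function classify(input, quickExpr) {
  const m = quickExpr.exec(input);
  if (m && m[1]) return 'html';               // would be handed to innerHTML
  if (m && m[2] !== undefined) return 'id';   // getElementById(m[2])
  return 'selector';                          // handed to the selector engine
}

// Hardened pattern: never hand location.hash to $(). Accept only a plain id
// token and look the element up by id; anything else is ignored (null).
const SAFE_HASH = /^#([A-Za-z0-9_-]+)$/;
function safeHashId(hash) {
  const m = SAFE_HASH.exec(hash);
  return m ? m[1] : null;
}

// Constructed samples: a normal anchor, an attacker-supplied fragment of the
// kind CVE-2011-4969 describes, and genuine markup.
const SAMPLES = [
  '#showtimes',
  '#<img src=x onerror=alert(1)>',
  '<p>markup</p>',
];

// Returns, per sample, how each jQuery generation would treat it and what
// the hardened helper extracts.
function report() {
  return SAMPLES.map((s) => ({
    input: s,
    jquery_1_5_1: classify(s, QUICK_EXPR_OLD),
    jquery_1_6_3: classify(s, QUICK_EXPR_FIXED),
    safeId: safeHashId(s),
  }));
}

for (const row of report()) console.log(row);
```

The point to take from the run: under the pre-1.6.3 pattern the fragment `#<img src=x onerror=alert(1)>` classifies as `html`, so a page doing `$(location.hash)` would insert attacker markup into the DOM; under the fixed pattern the same string becomes a selector, which the selector engine refuses. Upgrading the library closes that path, and `safeHashId` removes the dependency on the library's parsing rules altogether.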

Thanks for the info, polonus. Did you find anything specifically about that domain I mentioned?

That domain seems to be a deleted, previously owned domain.
It was here last seen in Cork in 2012: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fstatistik-gallup.net%2F
Here we have it in the HTTPS Everywhere Atlas with the rules: https://www.eff.org/https-everywhere/atlas/domains/statistik-gallup.net.html
Seems registered here: https://whois.domaintools.com/statistik-gallup.net
Hosted on a dedicated Bluemetrix server 84.39.235.148, but that host seems down now.
Maximum execution time of 15 seconds exceeded!
Nameserver tested for Usage: /var/www/pentest-tools/tools/ssl_drown/drown.py target service_list
It has been prevented from loading for me by uMatrix.

pol

Thank you :smiley: I've contacted Finnkino's customer service about that domain loading issue, and their website management team is said to be on the case.

I was still having statistik-gallup.net loading for quite a while when I was browsing finnkino.fi, and I sent them another message asking what the domain was for. They responded that it is owned by TNS Gallup, Finland's leading market research company, which follows visitor traffic on every marketable Finnish media website, and it seems to indeed be a legit company with official cooperation with Finnkino.

Hi Pernaman,

Some added views.

Then the code is legit and OK on their part. If you do not feel comfy with the tracking feel free to block it via ajax dot googleapis dot com & fonts dot gstatic dot com & facebook tracker & google analytics tracker.
Avast flags Web Analysis 2 and Social Media 1.

I meet a custom errors:Fail and two warnings here:
https://asafaweb.com/Scan?Url=www.finnkino.fi

Room for some security improvements and best practices handling here:
https://observatory.mozilla.org/analyze.html?host=www.finnkino.fi

Certificate chain properly installed. Certificate chain: Go Daddy Root Certificate Authority - G2; intermediate certificate (2); *.finnkino.fi. Tested certificate, intermediate I status:
https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=28604

Non-compliant with best practices in various respects: https://www.htbridge.com/ssl/?id=beb922c5b770e0318f58df4c7b592b7fae50ef0c3203dcbee330ad4134ab6950

So the verdict is not under par, but absolutely not 'top of the bill', and an end-user certainly would like to see some more expertise and competence. Apply what you can get away with; whenever you are a monopolist player, you could feel free to do so.

That being said, I am not very impressed by their security standards,
but that's me speaking personally and independently and as a volunteer;
I just value the scan results and let these results speak out.

polonus (volunteer website security analyst and website error-hunter)