Websites that redirect?

Hey Avast community, how are you doing? Well, anyway, I came across two websites that could spell bad news: hxxp://yootube.com (a misspelled YouTube that sometimes leads to a fake tech support scammer), and hxxp://onlinefreegames101.com. From what I can tell, this one first redirects you to a Yahoo search for "online free games" or something like that; if you go back to the URL again, it redirects to something completely different. 8)

I just did a few URL checker scans of the websites:
Yootube
https://www.virustotal.com/en/url/026a079109cf1a9740b8b7468787213f71872f7851a1dc5b973a868741743f4a/analysis/1463499665/ [ 3 / 67 ]
https://www.malwares.com/report/host?host=yootube.com [Malware URL history 1, but still redirects to scams]
https://urlquery.net/report.php?id=1463498683631 [the screenshot it had will be provided here as an attachment]

Onlinefreegames101
https://virustotal.com/en/url/a68a4ae0d7b706bb36d30772818062089a1e7dc9d14de8ab71784d1b1147d32f/analysis/1463499692/ [0/67]
https://urlquery.net/report.php?id=1463498685162 [the screenshot it provides shows it redirects]
https://www.malwares.com/report/host?host=onlinefreegames101.com

Typosquatting (purchasing domain names that are easily mistyped variants of a known domain) has been going on for years. Many originally weren’t malicious, just hoping to make some money from the good name of the original.

Now more will be trying to make money off drive-by attacks on your system and/or possibly ransomware, etc.

Some tech support scammers, if a user falls for it, will try to change the user’s computer login password, forcing them to pay the fee to unlock it.
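To make the typosquatting idea concrete, here is an added example (not code from anyone in this thread) that generates the classic single-keystroke typo variants of a brand domain and checks whether a suspect domain is one of them. The keyboard layout is a US QWERTY assumption, and the generator deliberately only mutates the label, not the TLD; "yootube.com" comes out of the vowel-swap rule, "yuotube.com" out of the transposition rule.

```python
"""Generate typosquat candidates for a brand domain and test suspects against them.

Added illustration; assumes a US QWERTY layout for the adjacent-key rule.
"""
from __future__ import annotations

# Adjacent keys on a US QWERTY keyboard, used for "fat finger" substitutions.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm",
    "m": "njk",
}
VOWELS = "aeiou"


def typo_variants(domain: str) -> set[str]:
    """Return single-keystroke typo variants of the label part of `domain`.

    Covers the usual typosquat generators: character omission, adjacent
    transposition, character repetition, adjacent-key replacement, vowel swap,
    and the "missing dot" form (youtubecom.com). The TLD itself is not mutated.
    """
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError("expected a domain like 'example.com'")
    out: set[str] = set()
    n = len(label)
    for i in range(n):
        c = label[i]
        out.add(label[:i] + label[i + 1:])          # omission:      yotube
        out.add(label[:i] + c + label[i:])           # repetition:    youutube
        if i + 1 < n:                                # transposition: yuotube
            out.add(label[:i] + label[i + 1] + c + label[i + 2:])
        for k in QWERTY_NEIGHBOURS.get(c, ""):       # adjacent key:  yiutube
            out.add(label[:i] + k + label[i + 1:])
        if c in VOWELS:                              # vowel swap:    yootube
            for v in VOWELS:
                if v != c:
                    out.add(label[:i] + v + label[i + 1:])
    out.discard(label)
    variants = {f"{v}.{tld}" for v in out if v}
    variants.add(f"{label}{tld}.{tld}")              # missing dot:   youtubecom.com
    return variants


def classify(candidate: str, brands: list[str]) -> str | None:
    """Return the brand that `candidate` typosquats, or None if it matches none.

    The genuine brand domain itself returns None: it is not a squat.
    """
    candidate = candidate.lower().strip()
    for brand in brands:
        if candidate == brand.lower():
            return None
        if candidate in typo_variants(brand):
            return brand
    return None


if __name__ == "__main__":
    # The two domains from the thread, checked against one brand.
    for suspect in ("yootube.com", "onlinefreegames101.com"):
        print(suspect, "->", classify(suspect, ["youtube.com"]))
```

A real blocklist feed would run `typo_variants` over each protected brand once and store the union as a lookup set; the per-brand regeneration in `classify` is kept only so the example reads top to bottom.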

I ran Internet Explorer in Sandboxie and went to the yootube thing. I was using Sandboxie for extra protection, but I did get two screenshots from a website it redirected me to.

As you can see from the screenshots, blocking these URLs would probably be a good idea, since there might be other Avast users who have mistyped youtube from typing too fast, didn’t notice their error, and might have fallen for it.

I blocked the two scammy sites that I was redirected to:

hxxp://www.investing-secrets.co/lp-zulander-hack/?coc=242&subc=w2BQL3US09U7MVSSG2ILRNS8&paramc=victor-ump-vYMVzSwr&paramf=ZL%20-%20intl%20-%20domain%20-%20desktop
hxxp://usagreencardlottery.org/gcl/register-c.jsp?r=re-12-en_all_c&utm_source=re&utm_medium=12&utm_campaign=en_all_c

If you have more domains that you have been redirected to (especially the tech support scams), please share them here :wink:

Hi HonzaZ,

The culprit behind this abuse (with yootube dot com) is New York’s Bodis, LLC domain parking, the Domain Gang.
Re: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fww90.yootube.com%2F
405 - HTTP verb used to access this page is not allowed. Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET,
and these imposters abuse google.ads.domains.Caf →
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fww90.yootube.com%2Fzm9yy2vtug
Ran this through a JavaScript unpacker and then got:
Create element script

script benign
[nothing detected] script
     info: [meta refresh] URL=127.0.0.1/legacy
     info: [decodingLevel=0] found JavaScript
     error: undefined variable ayG.search
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var ayG.search = 1;
          error: line:1: ....^
     info: [element] URL=www.google.com/adsense/domains/caf.js
     info: [1] no JavaScript
     file: 55670a953112306025dab63f5f459094f9187967: 2324 bytes
     file: efed098dae9c9d9f27c0d5231e3b0e46c7d8de8e: 105 bytes

A variable has not been assigned yet; this is also a major security risk with register_globals turned on.
What it causes is due to a very low-level error.

My question is: “Isn’t Google interested in stopping such AdSense abuse in its tracks?”
No, as it seems an ad click earned is still an ad click earned, whether it is coming from an honest source
or one earned via a blackhat impostor’s click. :o
Google, be good, remember!

Better that someone came to sinkhole these New York clowns abusing the Chinese infrastructure to earn from their Google clicks, or better still if the Chinese authorities sinkholed them. Good that Avast blocks such redirects.

polonus (volunteer website security analyst and website error-hunter)
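The redirect chain described in this thread (HTTP hop to a ww90 subdomain, then a meta refresh, then JavaScript on the parked page) is easier to inspect without a browser. Below is an added example, not code from anyone in the thread, that extracts the three redirect kinds from a response and walks the chain offline against a constructed, hypothetical set of responses (the `example.test` hosts and their bodies are made up; nothing here was fetched from the sites above). It also shows why the unpacker's `URL=127.0.0.1/legacy` line is a relative path rather than a loopback address: resolved against the page URL it becomes `http://host/127.0.0.1/legacy`.

```python
"""Walk a redirect chain offline: HTTP Location, <meta refresh> and simple JS redirects.

Added illustration. fetch() is injected so the walker runs against constructed
responses here and against a real HTTP client in practice.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# <meta http-equiv="refresh" content="0; url=...">; the delay and the URL= part are optional.
_META_URL = re.compile(r"(?:^|;)\s*url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)
# Common client-side redirect idioms; deliberately only literal string targets.
_JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]\s*\)",
    re.IGNORECASE,
)


class _RedirectExtractor(HTMLParser):
    """Collect the first meta-refresh target and the first JS redirect target."""

    def __init__(self) -> None:
        super().__init__()
        self.meta_target: str | None = None
        self.js_target: str | None = None
        self._script: list[str] | None = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _META_URL.search(a.get("content", ""))
            if m and self.meta_target is None:
                self.meta_target = m.group(1).strip()
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            m = _JS_REDIRECT.search("".join(self._script))
            if m and self.js_target is None:
                self.js_target = m.group(1) or m.group(2)
            self._script = None


def extract_redirect(status: int, headers: dict[str, str], body: str, base_url: str):
    """Return (kind, absolute_target) for the first redirect in a response, or None.

    Precedence follows what a browser does: a 3xx Location header wins, then a
    <meta refresh>, then a location assignment found in inline scripts.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in hdrs:
        return ("http", urljoin(base_url, hdrs["location"]))
    p = _RedirectExtractor()
    p.feed(body)
    p.close()
    if p.meta_target:
        return ("meta-refresh", urljoin(base_url, p.meta_target))
    if p.js_target:
        return ("javascript", urljoin(base_url, p.js_target))
    return None


def follow_chain(start: str, fetch, max_hops: int = 10) -> list[tuple[str, str]]:
    """Walk redirects from `start` using fetch(url) -> (status, headers, body).

    Returns (how_reached, url) pairs. Stops at a loop, a non-redirecting page,
    or after max_hops; parked and affiliate chains are often long and cyclic.
    """
    chain = [("start", start)]
    seen = {start}
    url = start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = extract_redirect(status, headers, body, url)
        if nxt is None:
            break
        kind, target = nxt
        if target in seen:
            chain.append(("loop", target))
            break
        chain.append((kind, target))
        seen.add(target)
        url = target
    return chain


# Constructed, hypothetical responses: a typo domain, a ww90 hop, a parked page
# that bounces via JS to an affiliate landing page. Not captured from real sites.
FAKE_SITE = {
    "http://typo.example.test/": (302, {"Location": "http://ww90.typo.example.test/zm9"}, ""),
    "http://ww90.typo.example.test/zm9": (200, {}, '<html><head><meta http-equiv="refresh" '
        'content="0; URL=http://park.example.test/lp"></head></html>'),
    "http://park.example.test/lp": (200, {}, '<html><body><script>var t = 1;'
        'window.location.href = "/offer/?coc=242";</script></body></html>'),
    "http://park.example.test/offer/?coc=242": (200, {}, "<html><body>landing</body></html>"),
}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    for how, where in follow_chain("http://typo.example.test/", fake_fetch):
        print(f"{how:13} {where}")
```

Run against a live host by passing a `fetch` that does a real GET with redirects disabled and returns `(status, dict(headers), body)`; the walker then records each hop instead of letting the client follow them silently. JS redirects built from concatenated strings or obfuscated code are not detected here, which is exactly the case where a sandboxed browser, as used above, is still needed.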