Closed ghost closed 3 years ago
I think it was this URL which redirected me to the interfrogs link by the way:
hxxp://lauhoosh.net/afu.php?zoneid=3663521&_subid=3qnkfg41cnbrqamqcua9&_token=uuid_3qnkfg41cnbrqamqcua9_3qnkfg41cnbrqamqcua9600ec3e2566b09.88367307
I can confirm that something is phishy. I got redirected a few times and it seems something is hijacking the clicks on the site (see clickjacking).
Virustotal is mostly clean apart from one detection for one of the pages that I landed on
Could it be adware via https://www.counter12.com/ad.js?id=zz69w3Z9B6aDxCdA ?
My colleague Jinny just reproduced it (once). Sometimes the DOM is extended with an <iframe id="iAD_FLOAD">. The src attribute was hxxps://bit.ly/33av5Zh for her which redirects to hxxps://meuip.page/ads5.php. Click anywhere on that empty page and a new tab is launched with a scam.
According to VirusTotal, "Comodo Valkyrie Verdict" is detecting the Bitly link as "malware": https://www.virustotal.com/gui/url/1b26b890d6b471c1b9c2d744efc2b95280a632a1c6012e688f3fc71bf7f7c34f/detection
From the terms of service of https://www.counter12.com/:
www.counter12.com can show display advertising from partners in banner, popunder and other formats.
If they are the culprit here, this is definitely "other formats". ;-)
Hi @LabanSkollerDefensify @jra89 thanks for notifying this! For the time being, I have removed the counter12 from the website. Let me know if you still notice it ;)
Thanks! I can't reproduce it anymore but it was hard from the start for me.
I followed the link from this project to https://igoatapp.com/ where I scrolled down to the Download iGoat section and clicked on SWIFT VERSION. The mouse cursor did not change to a hand as usual. When I clicked a new browser tab opened with the following scam URL trying to convince me to launch some fake update. "https" has been replaced with "hxxps" so nobody clicks it by mistake.
hxxps://interfrogs.com/11/click/1/?source=3398217&csum=hNjjFae2TcG3E9vWM1KDKBiIiUzFrtfe-hwsKwTaBaI5ZkXldVrSN-4lYotsF1yxhsXavSIvTYzzsqMCDy15Tw%2C%2C&_subid=3qnkfg41cnbq1vlgti3m&_token=uuid_3qnkfg41cnbq1vlgti3m_3qnkfg41cnbq1vlgti3m600ebc5287a4e5.22325693
I could not reproduce this. I suspected cookies to be used to deliver the page only once so I opened https://igoatapp.com/ in a Firefox private window but the update page didn't show up.
The interfrogs link above cycles through different scams. When visited once more I got a "win an iPhone" scam instead.
Please review the site. Maybe some of the self-hosted minified JavaScript libraries are infected?
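Added example, not part of the original thread or the project's code: a static audit of a saved DOM snapshot that lists off-origin script and iframe embeds which are either not on an allowlist or are loaded without a Subresource Integrity hash. The allowlist, the hosts cdn.example and redirector.example, and the sample HTML are constructed assumptions; only the counter12 URL and the iframe id are taken from the comments above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Collector(HTMLParser):
    """Collect every <script src> and <iframe src> with its attributes."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.elements.append((tag, attrs))


def audit(html, page_url, allowed_hosts):
    """Return (tag, absolute_url, reason) for each off-origin embed to review."""
    own_host = urlsplit(page_url).hostname
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, attrs in collector.elements:
        url = urljoin(page_url, attrs["src"])  # resolves relative and //host URLs
        host = urlsplit(url).hostname
        if host == own_host:
            continue  # self-hosted file: compare its hash to the upstream release
        if host not in allowed_hosts:
            findings.append((tag, url, "host not on allowlist"))
        elif tag == "script" and "integrity" not in attrs:
            findings.append((tag, url, "allowed host but no SRI hash"))
    return findings


# Constructed snapshot; only the counter12 URL and the iframe id come from the thread.
SAMPLE = """
<html><head>
<script src="/js/jquery.min.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="//cdn.example/other.js"></script>
<script src="https://www.counter12.com/ad.js?id=zz69w3Z9B6aDxCdA"></script>
</head><body><iframe id="iAD_FLOAD" src="https://redirector.example/r"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "https://igoatapp.com/", {"cdn.example"}):
        print(finding)
```

An iframe injected at runtime only shows up if the input is the serialized live DOM rather than the HTML as served.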