uBlockOrigin / uAssets

Resources for uBlock Origin, uMatrix: static filter lists, ready-to-use rulesets, etc.
GNU General Public License v3.0

gov.br: badware #20036

Closed YoshiTabletopGamer closed 1 year ago

YoshiTabletopGamer commented 1 year ago

Description

On top of many Google search results in Brazil, users encounter scammy pages on Brazilian government websites.

From https://www.gov.br/ctir/pt-br/assuntos/alertas-e-recomendacoes/alertas/2023/alerta-10-2023 (Portuguese, English translation below)

The continuous monitoring process carried out by the Center for the Prevention, Treatment and Response to Government Cyber Incidents (CTIR Gov) has identified a significant increase in cases of site abuse characterized by "Open Redirect", which are cyber attacks in which users, when searching for sites, particularly government environments, are redirected to incompatible pages, including gambling, casino and malware propagation sites. This malicious activity results in the deterioration of the affected organization's reputation, the inappropriate use of data infrastructure resources and, of course, compromised security.

A search of "bet site:gov.br" finds hundreds of scammy pages on compromised government websites. The pages also seem to detect the www.google.com referer, to avoid investigation by entering via a direct link.

Because government websites are ranked higher by Google on searches, these spam pages have been appearing on normal searches.

URL(s) where the issue occurs.


Screenshot(s)

https://github.com/uBlockOrigin/uAssets/assets/88633614/3f2b54ea-3a4f-45e9-bfe7-2acc9cf23b62

uBO version

N/A

Browser name and version

N/A

Settings

N/A

Notes

No response

Yuki2718 commented 1 year ago

Blocking them all will be impossible, given this is an open redirect issue and the domains themselves are legitimate. Will try my best. Please report missed cases or false positives.

YoshiTabletopGamer commented 1 year ago

||www.ssp.sp.gov.br/ead/report/video/video_$doc
||www.ssp.sp.gov.br/ead/auth/video/video_$doc

YoshiTabletopGamer commented 1 year ago

||br.zmdesf.cn/br.js. Also reported by a tech website in Portuguese ("Wave of attacks directs users from government websites to gambling sites") are the following:

||googleseo.life/1.js
||js.eventbr.xyz/vip/crazy.js

YoshiTabletopGamer commented 1 year ago

||a5jogo.club

YoshiTabletopGamer commented 1 year ago

||v37870.com^ found here https://fccr.sp.gov.br/pgslot/index.php?vk9iq.html

YoshiTabletopGamer commented 1 year ago

imbolexabc.top is already blocked with $all

Yuki2718 commented 1 year ago

> ||v37870.com^ found here https://fccr.sp.gov.br/pgslot/index.php?vk9iq.html

I ignored those casino sites as I was not sure if they're really malicious or not. Doesn't look super-legitimate ofc.

YoshiTabletopGamer commented 1 year ago

> > ||v37870.com^ found here https://fccr.sp.gov.br/pgslot/index.php?vk9iq.html
>
> I ignored those casino sites as I was not sure if they're really malicious or not. Doesn't look super-legitimate ofc.

Sure

YoshiTabletopGamer commented 1 year ago

Also found on a Brazilian university's pages, via Google search `site:sites.uft.edu.br/topama/news.php/`:

||sites.uft.edu.br/topama/news.php$doc

YoshiTabletopGamer commented 1 year ago

A massive number of pages found by Google search `coe777 site:gov.br`.

YoshiTabletopGamer commented 1 year ago

coe777.com was registered last month:

Domain: coe777.com
Registrar: Tucows Domains Inc.
Registered On: 2023-09-13

YoshiTabletopGamer commented 1 year ago

Found on https://www.pmf.sc.gov.br/arquivos/br.php?jx7ml.html

```html
<script src="https://www.w3counter.com/tracker.js?id=150084"></script>
<script src="http://br100.tuuudoo.com/js/dom.js"></script>
<script language='javascript' type='text/javascript'>
function jumurl(){ window.location.href='https://v37870.com/?cid=232545&languageCode=pt&type=2&currency=BRL&aid=neo2';}
setTimeout(jumurl,9);
</script>
<body bgcolor="#024E46"><center> loading... </center> </body>
```

I suggest ||pmf.sc.gov.br/arquivos/br.php^

By the way, v37870.com was registered on 2023-08-30 (about a month ago). Should we block it?

Yuki2718 commented 1 year ago

> Should we block it?

Need more evidence or a positive symptom of being malicious. We have big influence on sites, so try to minimize the risk of incorrect blocking.

YoshiTabletopGamer commented 1 year ago

> > Should we block it?
>
> Need more evidence or a positive symptom of being malicious. We have big influence on sites, so try to minimize the risk of incorrect blocking.

Sure. By the way, I asked you to block br.coe777.com. br.coe777.com/Q3BDzp redirects to slotwin.top. They don't look legit obv, but did you find something on the br.coe777.com domain other than another suspicious gambling site?

AFAIK, I haven't yet found a webpage on br.coe777.com; this domain just redirects.

Yuki2718 commented 1 year ago

Same; br.coe777.com probably exists only for redirecting, so it's worth blocking.

YoshiTabletopGamer commented 1 year ago

See Google search of site:camaravni.es.gov.br/assets. No results found before 2023.

YoshiTabletopGamer commented 1 year ago

Found at https://www.fadesc.com.br/_dados.php?indexing84089512 (use Google referer). I suggest ||0708880.com^$all @Yuki2718

Yuki2718 commented 1 year ago

I'll start from ||070880.com/br.js until someone finds another use of the domain.

D4niloMR commented 10 months ago

@Yuki2718 these redirect domains in badware can be fully blocked with the root domain and with $all. These won't ever be used by legit sites.

Visit https://www.picos.pi.leg.br/26733697.html with Google referer, redirect occurs because 070880.com is not fully blocked.

I think we should block such shady scam bet sites with at least $doc; it's the most effective way, as they are not even indexed. I have found some of them in ggwin.tv - https://ggwin.tv/static/js/flexible.lmin.1.9.js

https://89a.com/
https://9k888.vip/
https://9k777.vip/

Yuki2718 commented 10 months ago

> I have found some of them in ggwin.tv - https://ggwin.tv/static/js/flexible.lmin.1.9.js

The script includes many such domains, but how will users be brought to them?

D4niloMR commented 9 months ago

The user just needs to click on the infected pages in the search results. It's way more effective to block these scam bet sites, unless we filter all pages.

https://www.camarasantos.sp.gov.br/ios/2vfj5.shtml and a couple more use an inline script to redirect.

```js
function jumurl(){ window.location.href='https://www.t89ll.com/';}setTimeout(jumurl,9);
```

https://css.imagebet.ph/css/video/tc.js

https://br.googleeplay.com/br.js

https://br.mingvip.com/br.js

YoshiTabletopGamer commented 9 months ago

Google search `site:https://www.brejao.pe.gov.br/decretos/xml/`: they all promote a product; no immediate redirect found.

D4niloMR commented 9 months ago

They all redirect to https://www.videobet.ph/?cid=jhgb because of https://css.imagebet.ph/css/video/bootstrap.min.js for me.

Update info

`ggwin.tv site:gov.br` - `https://ww2.contagem.mg.gov.br/casino/?R3cvL1204.html`

```adb
||t89ll.com^$doc,popup
```

`https://transparencia.crmvmg.gov.br/news.php`

```adb
||transparencia.crmvmg.gov.br/news.php$doc
||brkbk.202226.net/jump/index.html$doc
```

`https://camaraquevedos.rs.gov.br/?android=20240109548907.ppt`

```adb
||kbkb.bet^$doc
```

`https://piacabucu.al.gov.br/?android=20240117258771.ppt`

```adb
||bet55h.com^$doc
```

D4niloMR commented 8 months ago

@Yuki2718 do you think that `edu.br,gov.br##^responseheader(location)` would be safe? It fixes most of those redirects on my end. However, it doesn't work with Chromium-based browsers.

Also, I have seen a script used on various gov.br sites like: https://www.google.com/url?sa=t&url=https://www.poxoreu.mt.gov.br/%3Fandroid%3D20240323betfair-%25C3%25A9-do-ronaldo.shtml

Script code:

```js
(function (a, b, c) {
  if (
    /(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(a) ||
    /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(a.substr(0, 4))
  ) {
    window.location = b;
  } else {
    window.location = c;
  }
})(navigator.userAgent || navigator.vendor || window.opera, 'https://bit.ly/Ijogo_1', 'https://bit.ly/Playing_new_1');
```
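
A small page scanner, added here as an example and not code from this thread or from uAssets, that flags the two injection patterns quoted above (a third-party `<script src>` such as br100.tuuudoo.com, and an inline `window.location` redirect such as the `jumurl()` or user-agent branching snippets) in HTML a site operator has already fetched. The sample HTML strings are constructed from the snippets posted in this thread; `scan_page`, `allowed_hosts` and the sample names are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Markers for the two injection patterns quoted in this thread.
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']?([^"\'\s>]+)', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)
LOCATION_ASSIGN_RE = re.compile(r'window\.location(?:\.href)?\s*=', re.I)
URL_LITERAL_RE = re.compile(r'["\'](https?://[^"\']+)["\']')


def scan_page(site_host, html, allowed_hosts=()):
    """Flag third-party <script src> hosts and inline location-redirect targets.
    Assumes `html` was fetched as the thread describes (with a Google referer)."""
    site = site_host.lower()
    external = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).netloc.lower()
        # Relative sources have no netloc; same-site and allow-listed hosts are fine.
        if host and host != site and not host.endswith("." + site) and host not in allowed_hosts:
            external.append(host)
    targets = []
    for body in INLINE_SCRIPT_RE.findall(html):
        if LOCATION_ASSIGN_RE.search(body):
            # Both quoted snippets keep their destinations as string literals.
            targets.extend(URL_LITERAL_RE.findall(body))
    return {"external_script_hosts": external, "redirect_targets": targets,
            "flagged": bool(external or targets)}


# Constructed samples, built from the snippets quoted in this thread.
SAMPLE_PMF = (
    '<script src="https://www.w3counter.com/tracker.js?id=150084"></script>'
    '<script src="http://br100.tuuudoo.com/js/dom.js"></script>'
    "<script language='javascript' type='text/javascript'>function jumurl(){ "
    "window.location.href='https://v37870.com/?cid=232545&languageCode=pt&type=2"
    "&currency=BRL&aid=neo2';}setTimeout(jumurl,9);</script>"
    '<body bgcolor="#024E46"><center> loading... </center> </body>'
)
SAMPLE_UA = (  # abridged form of the user-agent branching script
    "<script>(function(a,b,c){if(/mobile/i.test(a)){window.location=b}"
    "else{window.location=c}})(navigator.userAgent,"
    "'https://bit.ly/Ijogo_1','https://bit.ly/Playing_new_1');</script>"
)
SAMPLE_CLEAN = '<script src="/static/app.js"></script><script>console.log("ok");</script>'

if __name__ == "__main__":
    print(scan_page("www.pmf.sc.gov.br", SAMPLE_PMF, allowed_hosts=("www.w3counter.com",)))
```

Running it over a crawl of a site's own pages gives an operator a list of injected hosts and redirect destinations to verify, rather than relying on a blocklist that, as the thread notes, cannot cover every compromised page.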
Yuki2718 commented 8 months ago

> do you think that edu.br,gov.br##^responseheader(location) would be safe?

I worry about breakage. FP on governmental sites will be critical.

YoshiTabletopGamer commented 8 months ago

Any result of the Google search `site:www.mtservidor.mt.gov.br/video/`: the bit.ly links redirect to either https://ijogobet.com/?SL-GG-BR-SEO or https://www.playing.io/?inviteCode=1000199, depending on user agent.

Yuki2718 commented 8 months ago

@YoshiTabletopGamer I guess the sites themselves are not malicious?

YoshiTabletopGamer commented 8 months ago

> @YoshiTabletopGamer I guess the sites themselves are not malicious?

These gov.br websites are legitimate, but have been hacked.

> [...] significant increase in cases of site abuse characterized by "Open Redirect", which are cyber attacks in which users, when searching for sites, particularly government environments, are redirected to incompatible pages, including gambling, casino and malware propagation sites. This malicious activity results in the deterioration of the affected organization's reputation, the inappropriate use of data infrastructure resources and, of course, compromised security.

As you said

YoshiTabletopGamer commented 8 months ago

playing.io doesn't look illegitimate. The scammers (the ones who hack the gov.br websites) seem to be using affiliate links to profit.

YoshiTabletopGamer commented 8 months ago

I think that, for each one of these cases:

or

I think it's hard to know, even on a case by case basis. If these hacked pages redirect to some legitimate, mainstream gambling website, it (the gambling website) obviously shouldn't be blocked.