Closed ghost closed 3 months ago
OK, I get this redirect chain:
https://sweet-bonanza-demo.gr/go/wazamba
https://trust22.eu/sweetbonanzagr?offer=spinanga
https://spng.servclick1move.com/?mid=70521_1234781&subid=2d4sbqtk13o
https://65spy7rgcu.com/gr/registration?mid=70521_1234781&fluid=561e43a9-8ae1-4019-b31f-d4df2ba4a825&subid=2d4sbqtk13o
Last domain is unstable, trust22.eu and servclick1move.com is stable
I get casino ads but no malware or phishing.
I retested it and didn't encounter the malicious links this time. However, when I retested on another device and on another network, I confirmed that the malicious webpages were present again. VirusTotal is also showing positive for the malicious webpages that open. I will retest and attach some screenshots, if that helps. Nonetheless, the website seems very suspicious.
Okay, I retested the websites in a VM, and the same malicious links opened up again. The fake links try to resemble real casino websites but are completely unrelated, as far as I can tell.
How to reproduce? What is the initial link?
When you go to sweet-bonanza-demo.gr, click on any of the green buttons below.
fixable in greek list @kargig https://github.com/kargig/greek-adblockplus-filter
malicious domains can be added in badware list
sweet-bonanza-demo.gr##.maskbut for greek list
@pgl https://github.com/uBlockOrigin/uAssets/issues/24043#issuecomment-2160640121 2 clickthrough tracker
Thanks, added servclick1move.com to my list.
Prerequisites
URL(s) where the issue occurs.
Description
There is an ongoing scam in Greece, mostly on Facebook, involving video deepfakes of popular journalists advertising a fraudulent app, similar to the Tesla scams. While I couldn't find all the websites involved, I did discover this link that contains numerous instances of malware and phishing buttons. I have listed a few URL examples above, but there are many more malicious and phishing domains accessible through this link: sweet-bonanza-demo.gr. I recommend blocking this URL to prevent users from accessing it and catching malware or becoming victims of phishing or worse.
Other extensions used
none