sweet-bonanza-demo.gr: badware

[ghost]

Prerequisites

• [X] This is NOT a YouTube, Facebook, Twitch or a shortener/hosting site report. These sites MUST be reported by clicking their respective links.
• [X] I read and understand the policy about what is a valid filter issue.
• [X] I verified that this issue is not a duplicate. (Search here to find out.)
• [X] I did not remove any of the default filter lists, or I have verified that the issue was not caused by removing any of the default lists.
• [X] I did not enable additional filter lists, or I have verified that the issue still occurs without enabling additional filter lists.
• [X] I do not have custom filters/rules, or I have verified that the issue still occurs without custom filters/rules.
• [X] I am not using uBlock Origin along with other content blockers.
• [X] I have verified that the web browser's built-in content blocker/tracking protection, network wide/DNS blocking, or my VPN is not causing the issue.
• [X] I have verified that other extensions are not causing the issue.
• [X] If this is about a breakage or detection, I have verified that it is caused by uBlock Origin and isn't a site issue.
• [ ] I did not answer truthfully to ALL the above checkboxes.

URL(s) where the issue occurs.

sweet-bonanza-demo.gr
hfr67jhqrw8.com
tbao684tryo.com
5wzgtq8dpk.com
65spy7rgcu.com

Description

There is an ongoing scam in Greece, mostly on Facebook, involving video deepfakes of popular journalists advertising a fraudulent app, similar to the Tesla scams. While I couldn't find all the websites involved, I did discover this link that contains numerous instances of malware and phishing buttons. I have listed a few URL examples above, but there are many more malicious and phishing domains accessible through this link: sweet-bonanza-demo.gr. I recommend blocking this URL to prevent users from accessing it and catching malware or becoming victims to phishing or worse.

Other extensions used

none

Screenshot(s)

Screenshot(s)

Configuration

Details

```yaml ```

[JobcenterTycoon]

Ok i get this redirect chain

https://sweet-bonanza-demo.gr/go/wazamba
https://trust22.eu/sweetbonanzagr?offer=spinanga
https://spng.servclick1move.com/?mid=70521_1234781&subid=2d4sbqtk13o
https://65spy7rgcu.com/gr/registration?mid=70521_1234781&fluid=561e43a9-8ae1-4019-b31f-d4df2ba4a825&subid=2d4sbqtk13o

Last domain is unstable trust22.eu and servclick1move.com is stable

I get casino ads but no malware or phishing.

[ghost]

I retested it and didn't encounter the malicious links this time. However, when I retested on another device and on another network, I confirmed that the malicious webpages were present again. VirusTotal is also showing positive for the malicious webpages that open. I will retest and some attach screenshots, if that helps. Nonetheless, the website seems very suspicious.

[ghost]

Okay, I retested the websites in a VM, and the same malicious links opened up again. The fake links try to resemble real casino websites but are completely unrelated, as far as I can tell.

[ghajini]

how to reproduce?what is the initial link?

[ghost]

When you go to sweet-bonanza-demo.gr, click on any of the green buttons below.

[ghajini]

fixable in greek list @kargig https://github.com/kargig/greek-adblockplus-filter

malicious domains can be added in badware list

[ghajini]

sweet-bonanza-demo.gr##.maskbut for greek list

[JobcenterTycoon]

@pgl https://github.com/uBlockOrigin/uAssets/issues/24043#issuecomment-2160640121 2 clickthrough tracker

[pgl]

@pgl #24043 (comment) 2 clickthrough tracker

Thanks, added servclick1move.com to my list.