Recently was browsing and clicked on a link to the following address:

(In code blocks so you can't accidentally click it)

http://paycheck-calculator.org/

Clicking on this quickly loaded 2-3 different sites before I closed the tab. Looking through the history, there are some strange URLs it redirected to:

https://pc1.dntrax.com/tr?id=e9df99c1378f40ec7d84901dba2d021096c5e011.r&tk=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwdWIiOiI1MDVjNmI4MTcxMzIwNDAyNTc1YjFkNmUiLCJ0cyI6IjA0MDcxNTE2IiwiZCI6InBheWNoZWNrLWNhbGN1bGF0b3Iub3JnIn0._2CC_feJ3B4SpjbaOzX7wv5XvMhpW5eoAU8zVikW21s

and

http://defender.error.com-dxnxcsuhcz.in.net/1/index.html?a=JCD&os=Windows&browser=Chrome&isp=Comcast%20Ip%20Services%20l.l.c.&ip=MY IP HERE&r_src=56cfd578fa7ddb7749c3f499&r_src2=&r_src3=&r_src4=&r_src5=&vcid=1b24ec59-8032-43d0-91e1-3e17a4c5bd56&r_os=&r_browser=&dfn=(877)%20429-9679&dn=%2B18774299679&clickid=d50HCFQ8A1S23FURGFRNQK7K

as well as others like:

http://www.las-vegas-attractions.com/top-10-hotels-in-las-vegas

My question is, these redirects seem purposely malicious. Without clicking on any of the content in the URLs that were loaded, could malware/virus or other malicious code have infected my computer or browser session?

Environment: Win 7 64bit Chrome browser

I'm often very cautious on what I click on because of redirects like this, so I'd like to know if my cautiousness has any logical grounds.

Orbit
  • 101
  • 1
  • 1

2 Answers

2

The existence of such redirects by itself does not mean malware in all cases, but it can.

Very often you will find such redirects when ads get served, because ad delivery is today usually a multi-step process with several parties involved. This is especially true with targeted ads and real-time ad-bidding networks. In such delivery chains each of the parties needs to get some information about the referring party and about the original user to decide which ad to serve or which next part of the chain should take over. Because control from one party to the next is handed over through redirects, this information will be encoded in the URL, and that's why you see these long URLs with various encoded information.

The same kind of delivery chains are used with malware, because here you also have the parties which provide the victims through ads or through hacked sites, and you have the parties which serve the well-tested latest version of the exploit, sometimes as a paid service (see also malware as a service). It is not always clear from looking at the chain whether this is pure ad delivery, pure malware delivery or malware delivery triggered by ads (i.e. malvertisement).

While these are the main purposes for such redirect chains, you will also find (usually shorter) chains for more pleasing use cases or for user tracking.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • I'm familiar with ad delivery sometimes redirecting because of legitimate ad services. Technically speaking, how would malware or other malicious code infect the machine from the browser? And how can you tell if a redirect like the ones I experienced is associated with malware and/or viruses? What concerns me is I can't seem to find any info on any of these URLs. It was also strange that one of the URLs contained a bit of info about my browsing session (IP, browser, ISP, operating system, etc.). – Orbit Apr 07 '16 at 16:22
  • @Orbit: see updated answer: there is no clear way to distinguish between (targeted) ad and malware delivery, or malware delivered through ads, because the delivery mechanisms are very similar. And a characteristic of malvertisement is that the same ad place sometimes leads to malware and other times not, often depending on browser, source of request or similar. Thus just consider malware a special type of targeted ads, or vice versa. – Steffen Ullrich Apr 07 '16 at 16:24
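As an added example (not part of the answer or of the original question), the following Python script takes the two redirect URLs from the question apart: it decodes the query parameters and, for any value shaped like a JWT (the tk parameter of the dntrax URL), reads the unsigned payload so an analyst can see what the chain passed along. The sample URLs are constructed from the question with the IP replaced by a placeholder and the empty parameters dropped; the signature is deliberately not verified, since the HMAC key belongs to the tracker.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qsl

# Constructed samples: the two redirect URLs quoted in the question, with the
# "ip" value replaced by a placeholder and empty parameters dropped.
TRACKER_URL = (
    "https://pc1.dntrax.com/tr?id=e9df99c1378f40ec7d84901dba2d021096c5e011.r"
    "&tk=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJwdWIiOiI1MDVjNmI4MTcxMzIwNDAyNTc1YjFkNmUiLCJ0cyI6IjA0MDcxNTE2IiwiZCI6"
    "InBheWNoZWNrLWNhbGN1bGF0b3Iub3JnIn0._2CC_feJ3B4SpjbaOzX7wv5XvMhpW5eoAU8zVikW21s"
)
SCARE_URL = (
    "http://defender.error.com-dxnxcsuhcz.in.net/1/index.html?a=JCD&os=Windows"
    "&browser=Chrome&isp=Comcast%20Ip%20Services%20l.l.c.&ip=IP-PLACEHOLDER"
    "&dfn=(877)%20429-9679&dn=%2B18774299679&clickid=d50HCFQ8A1S23FURGFRNQK7K"
)


def _b64url_decode(segment):
    """Decode base64url; JWT segments drop the '=' padding, so restore it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, payload) of a JWT-shaped string, or None if it is not one.
    The signature is NOT checked: the key belongs to the tracker, and the aim
    is only to read what was encoded, never to trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    return header, payload


def inspect_redirect(url):
    """Split a redirect URL into host, decoded query params and the payload of
    every JWT found among the parameter values."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    payloads = {}
    for key, value in params.items():
        decoded = decode_jwt_unverified(value)
        if decoded:
            payloads[key] = decoded[1]
    return {"host": parts.hostname, "params": params, "jwt_payloads": payloads}


if __name__ == "__main__":
    for url in (TRACKER_URL, SCARE_URL):
        print(json.dumps(inspect_redirect(url), indent=2))
```

For the dntrax URL the payload carries a publisher id, a timestamp and the referring domain, which matches the answer's description of each party passing along who referred the user.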
1

First of all, as @Steffen Ullrich suggests, a redirect is not automatically malicious, even if it is definitely possible. In particular, I analyzed the URLs you quoted with VirusTotal, and they don't seem to be malicious.

It is not clear why the second URL includes parameters related to your IP address, ISP, browser version, etc., but keep in mind that these data (1) are stored in webserver logs when you visit any kind of website, so they are not exactly private.

However, let us assume that they were actually malicious redirects. For all purposes, a URL is a URL, regardless of whether you clicked on it or were redirected by another website. What I mean is that the content is exactly the same in any case and, as a result, that any effect (malicious or not) would occur in any case.

Unfortunately, the fact that you immediately closed the tabs doesn't mean that your computer couldn't be infected.

Imagine that you closed the tabs 1 second after the redirects. If the malicious content (e.g. JavaScript) in the URL was loaded within 1 second, your computer would be infected. This is absolutely possible, even if the whole page didn't load within 1 second. In fact, there are several questions on StackOverflow asking:

How can I run JavaScript code before the whole page is loaded?

As an example, see https://stackoverflow.com/questions/2920129/can-i-run-javascript-before-the-whole-page-is-loaded . If regular web developers are aware of this fact, malware authors definitely know this and probably exploit this feature to infect computers even if the user closes the tab as soon as possible.

There are even particular techniques for optimizing the website loading speed. I'm not sure if they are exploited for malicious purposes, but they exist and thus can be exploited.

(1) It is true that web logs usually don't store the ISP, but if you don't hide behind a proxy, your dynamic IP address belongs to a range which is assigned to your ISP, so even this information is not private.

A. Darwin
  • 3,562
  • 2
  • 15
  • 26
  • Yes, I know that any website has access to that browsing information; you just don't usually see it in the URL. Also, shouldn't Chrome block malicious JavaScript from running? I was also under the impression it ran in a sandbox to prevent stuff like this. – Orbit Apr 07 '16 at 16:54
  • @Orbit the fact that the info was listed in the URL could be as innocuous as the developer using GET instead of POST. Doesn't necessarily imply malicious intent. – WorseDoughnut Apr 07 '16 at 17:02
  • @WorseDoughnut I'm aware of that; my comment just meant it was a bit out of the ordinary and, given the context, it was something to think about. Though I'm not sure how mixing up a GET/POST request plays into the mix. – Orbit Apr 07 '16 at 17:03
  • @Orbit Chrome helps blocking malware from running, but as usual is not 100% effective. Consider that even OS-level sandboxes (as opposed to application-level ones, as in the case of Chrome) can be bypassed. For more information, see http://security.stackexchange.com/questions/3848/can-you-get-virus-just-by-visiting-a-website-in-chrome . The answer was, and still is, yes. – A. Darwin Apr 07 '16 at 17:04
  • Keep in mind this attack can be done without JavaScript if the attacker can place or inject CSS and HTML. So checking the JavaScript on the host might not reveal any malicious code. And the link you click then fires the JavaScript to open up the other sites in additional tabs. https://jsfiddle.net/Loq1h8a8/ – Bacon Brad Jun 06 '16 at 18:08