I was looking at a suspicious Twitter direct message sent to me, and today I decided to try and figure out what it was doing. I know that as soon as you click on it, it redirects a bunch of times until you get to a questionable CNBC page. It looks really legitimate because the real URL for CNBC is this, while the fake one is:
cnbc.com-exclusive.us? (somethingsomethingsomething)
The redirects are set to zero seconds, so you have to be quick to get the source code of each page. It doesn't happen instantaneously because, even though there is very little content on each page, the browser still has to fetch the next page in the chain, and that takes a little while. Or something like that.
Anyway, I was able to get the source code of the first redirect which had two main tags in them.
<noscript> and <script>
The noscript tag means that if JavaScript is disabled in the browser, everything inside the noscript tag is rendered as ordinary HTML, including a meta refresh. Basically what this means is that even with JavaScript disabled, this clever attacker can STILL redirect your browser to a page that they control.
It just so happens that what this attacker did in the noscript tags, they also did in the script tags: a redirect to another page. That redirect took us to yet another redirect, which led to a website that looks suspicious. The homepage looks tranquil, but everything after it is scary. This webpage refreshes the current page with a different page, and that page is where everything is.
I have a feeling that because the webpage is refreshed with a different page, that’s why WOT doesn’t pick up on it and block it like my settings should.
Anyway, these three w3schools pages are what I used to figure out what is going on:
http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_noscript
This page covers the noscript tag.
http://www.w3schools.com/html/tryit.asp?filename=tryhtml_redirect
This page redirects your browser using a meta refresh tag.
http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_loc_replace
Finally, this page redirects your browser using the script tag. It relies on JavaScript to work (hence the script tag) and is blocked by NoScript or by turning JavaScript off.
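Pulling the redirect targets out of a page by hand before it bounces you on is fiddly, so here is a small static extractor that does the reading for you without ever loading the next hop. It is an added example written for this post, not code from the post or from any tool mentioned in it. It uses only the Python standard library and looks for the three mechanisms discussed above: a meta refresh, a meta refresh wrapped in noscript (which only fires when JavaScript is off), and a location change inside a script tag (which only fires when JavaScript is on). The HTML sample and the hostnames in it are constructed placeholders, not the real URLs from the message.

```python
"""Static redirect extractor: lists where a page would send the browser,
without loading that page. Added example for this post; the sample HTML
and hostnames below are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample mirroring the pattern described in the post: the same
# redirect inside <noscript> (for browsers with JavaScript off) and inside
# <script> (for everyone else). Domains are placeholders.
SAMPLE_HTML = """<html><head>
<noscript>
  <meta http-equiv="refresh" content="0; url=http://step-two.example/landing">
</noscript>
<script type="text/javascript">
  window.location.replace("http://step-two.example/landing?js=1");
</script>
</head><body>Loading...</body></html>"""

# "0; url=http://..." or "5;URL='/next'" -> the URL part of a refresh header
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s]+)", re.I)
# location.replace("..."), location.assign("..."), location.href = "...", location = "..."
SCRIPT_NAV = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*"
    r"(?:=|\.replace\s*\(|\.assign\s*\()\s*['\"]([^'\"]+)['\"]")


class RedirectFinder(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.in_noscript = False
        self.script_buf = None   # collects <script> text until its end tag
        self.findings = []

    def _add(self, mechanism, target, delay):
        absolute = urljoin(self.base_url, target)   # resolve relative targets
        self.findings.append({
            "mechanism": mechanism,
            "target": absolute,
            "delay_seconds": delay,
            # the interesting case: the hop leaves the domain you thought you were on
            "leaves_site": urlparse(absolute).hostname != urlparse(self.base_url).hostname,
        })

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "noscript":
            self.in_noscript = True
        elif tag == "script":
            self.script_buf = []
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                delay = a["content"].split(";", 1)[0].strip() or "0"
                where = ("meta refresh inside <noscript> (JavaScript off only)"
                         if self.in_noscript else "meta refresh")
                self._add(where, m.group(1), delay)

    def handle_endtag(self, tag):
        if tag == "noscript":
            self.in_noscript = False
        elif tag == "script" and self.script_buf is not None:
            # scan the whole script body once it is complete
            for m in SCRIPT_NAV.finditer("".join(self.script_buf)):
                self._add("script location change (JavaScript on only)", m.group(1), "0")
            self.script_buf = None

    def handle_data(self, data):
        if self.script_buf is not None:
            self.script_buf.append(data)


def find_redirects(html, base_url):
    """Return every redirect the page declares, in document order."""
    p = RedirectFinder(base_url)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in find_redirects(SAMPLE_HTML, "http://cnbc.com-exclusive.example/"):
        flag = "OFF-SITE" if f["leaves_site"] else "same site"
        print(f"[{flag}] {f['mechanism']}: -> {f['target']} after {f['delay_seconds']}s")
```

Feed it the saved source of each hop (with that hop's URL as the base) and you get the next hop and the mechanism that triggers it, so you can walk the whole chain from saved copies instead of racing the browser. It only finds redirects written literally into the page; a script that builds the URL from pieces at runtime will not match the pattern, which is the same limitation a static blocklist has.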
Whew.
Cookies for all for reading :D