How is this website redirect working?

Someone sent me a URL via WhatsApp (httpx://cadburys-prizes[.]com) that allegedly lets me claim a free box of chocolates. Obviously this is fake and I've seen similar websites before.
If I view the URL on my phone I end up at httpx://cadburys-prizes[dot]com/#forward where I'm prompted to answer some questions and then spam my WA contacts with further messages.
Viewing the source code for the page (by wget'ting it), I can see a redirect to a bit.ly address. When I open the cadburys-prizes[.]com URL on a (sanitized, virtual) desktop browser I get redirected to the bit.ly address which, judging from the URL, is a fake tech support site (the content is getting blocked by my network defences but I can imagine the scene).
What I don't understand is where the survey that shows on iPhone comes from. There is nothing I can see in the source of that page. Is it possible for an invisible proxy to be presenting a different index.html based on the user agent string? I did try to wget the page with a mobile Safari UA but got the same result as without it.
Tags: phishing, scam
edited Dec 21 '18 at 16:09
asked Dec 21 '18 at 15:14
Darren
1355
1 Answer
There are various ways to fingerprint a client you're using. User-agent string is only a famous one. If you view the source code for cadburys-prizes[.]com, it uses meta refresh to redirect to httpx://bit[.]ly/2K1V332 after 2 seconds. It's possible that cadburys-prizes may serve different content without using bit.ly. The bit.ly URL redirects to httpx://cash[.]trxmonetizer[.]com which seems to be doing the main job, i.e. fingerprinting the client and presenting whatever they feel like.
If it's doing everything on the client, you can imitate any User-agent and inspect the response to dig deeper. However, it's also possible to do it on the server side, for which they may or may not pass fingerprinting parameters in the request.
answered Dec 21 '18 at 16:21
1lastBr3ath
672410
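The answer above leaves the investigator with two hypotheses: the survey is selected server-side (different HTML per User-Agent) or client-side (same HTML, with JavaScript sniffing `navigator.userAgent` and redirecting). The following Python script is an added triage example written for this thread; it is not code from the answerer and does not touch the real domains in the question. It parses a page's HTML for `<meta http-equiv="refresh">` targets, JavaScript `location` redirects and user-agent sniffing, then fetches the same URL under a desktop and a mobile Safari User-Agent and flags server-side cloaking when the bodies differ. The sample HTML, the `example.invalid` hostnames and the `fetch` callable used for offline runs are constructed assumptions; the only real library calls are the standard library's `html.parser`, `urllib` and `hashlib`.

```python
import hashlib
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample of the kind of landing page described in the thread:
# a meta refresh to a URL shortener plus client-side user-agent sniffing.
# Hostnames are placeholders (example.invalid), not the ones from the post.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="2; url=https://short.example.invalid/abc123">
<script>
if (/iPhone|Android/i.test(navigator.userAgent)) {
  window.location.href = "/#forward";
}
</script>
</head><body>Loading...</body></html>"""

# Assumed User-Agent strings for the two client classes compared in the thread.
DESKTOP_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0"
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")

# "<delay>; url=<target>" as used by meta refresh.
META_REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)
# Client-side fingerprinting indicators inside inline scripts.
UA_SNIFF_RE = re.compile(r"navigator\.userAgent|navigator\.platform", re.I)
# location = "...", location.href = "...", location.replace("...") etc.
JS_REDIRECT_RE = re.compile(
    r"(?:window\.)?location(?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*['\"]([^'\"]+)['\"]",
    re.I)


class _RedirectParser(HTMLParser):
    """Collects meta refresh directives and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.refreshes = []   # (delay_seconds, raw_target)
        self.scripts = []     # inline script text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_RE.match(a.get("content") or "")
            if m:
                self.refreshes.append((int(m.group(1)), m.group(2).strip()))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def triage_page(html, base_url):
    """Describe the redirect behaviour visible in one HTML document."""
    p = _RedirectParser()
    p.feed(html)
    js = "\n".join(p.scripts)
    return {
        "meta_refresh": [(d, urljoin(base_url, u)) for d, u in p.refreshes],
        "js_redirects": [urljoin(base_url, u) for u in JS_REDIRECT_RE.findall(js)],
        "ua_sniffing": bool(UA_SNIFF_RE.search(js)),
    }


def fetch_html(url, user_agent, timeout=10):
    """Default fetcher: one plain GET with the given User-Agent (run from a sandbox)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def compare_by_user_agent(url, fetch=fetch_html, user_agents=(DESKTOP_UA, MOBILE_UA)):
    """Fetch url once per User-Agent; differing bodies indicate server-side cloaking."""
    per_ua, digests = {}, set()
    for ua in user_agents:
        html = fetch(url, ua)
        digests.add(hashlib.sha256(html.encode("utf-8")).hexdigest())
        per_ua[ua] = triage_page(html, url)
    return {"per_user_agent": per_ua, "server_side_cloaking": len(digests) > 1}


if __name__ == "__main__":
    # Offline demo with a constructed fetcher that serves a different body to mobile clients.
    def demo_fetch(url, ua):
        return SAMPLE_HTML.replace("Loading...", "Survey") if "iPhone" in ua else SAMPLE_HTML
    report = compare_by_user_agent("https://landing.example.invalid/", fetch=demo_fetch)
    print("server-side cloaking:", report["server_side_cloaking"])
    for ua, findings in report["per_user_agent"].items():
        print(ua.split(" ")[1], findings)
```

If `server_side_cloaking` is false but `ua_sniffing` is true, the selection happens in the browser and wget with a spoofed UA will keep returning the same bytes, which matches what the question observed; if the bodies differ, the server (or a proxy in front of it) is choosing the page, and the request headers and any query parameters the shortener appends are the next thing to compare.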