Bitcoin Forum
Topic: Scam Alert: Fake Google Ad for coinmarketcap.com (very well done)
12000suns (OP)
February 25, 2018, 11:34:40 PM
 #1

What happened:
There is a high-quality forged Google ad impersonating coinmarketcap.com (see screenshot below).

After inspection we are unable to determine the mechanism but the following was observed:

URL is exactly the same. No homoglyphs, no mixed alphabets, it hashes the same with the legit string.
The excerpt from source:
Code:
<a style="display:none" href="/aclk?sa=L&amp;ai=DChcSEwi8oK7ejsLZAhVZibIKHQHCBHAYABABGgJscg&amp;sig=AOD64_0ZJhvOZ-0Nf2kK_QgC2W8ewzFjKw&amp;q=&amp;ved=0ahUKEwi64KjejsLZAhVFhiwKHQCbBLUQ0QwIKA&amp;adurl=" id="n1s0p2c0"></a>
<a class="_Jwu r-ieTJdWpaBQ8I" href="https://coinmarketcap.com/" id="vn1s0p2c0" onmousedown="return google.arwt(this)" ontouchstart="return google.arwt(this)" data-preconnect-urls="http://monkey-tracker.info/" jsl="$t t-zxXzjt1d4B0;$x 0;">Cryptocurrency Market Capitalizations | CoinMarketCap‎</a>
 
shows a replaced data-preconnect-urls argument, which is used for redirection to whatever the attacker needs.
Currently it redirects to https://thebitcoincode.com/, but as you can imagine, the same technique can be used in numerous phishing attempts.

If anyone has an explanation of how they did it, please submit a bug report @ Google
 
Disclaimer:
Reproduced on different machines with different browsers.
Unable to reproduce with another Google account.

Reference screenshot:
https://imgur.com/a/t63y0

Additional Notes:
The domain is privacy protected and is linked to a VPS hosted in Moscow.
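
Added example, not part of the original post and not Google's code: a small Python audit over saved result-page HTML that reports anchors whose visible href names one site while data-preconnect-urls names another, which is the mismatch visible in the excerpt above. The sample HTML is trimmed from that excerpt; the separator for multiple preconnect URLs and the two-label site comparison are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: first two anchors trimmed from the excerpt in the post,
# third anchor is a benign control (same site, different subdomain).
SAMPLE = '''<a style="display:none" href="/aclk?sa=L&amp;adurl=" id="n1s0p2c0"></a>
<a href="https://coinmarketcap.com/" id="vn1s0p2c0"
   onmousedown="return google.arwt(this)"
   data-preconnect-urls="http://monkey-tracker.info/">CoinMarketCap</a>
<a href="https://example.org/" data-preconnect-urls="https://www.example.org/">ok</a>'''

# Inline handlers that run before navigation and could change where a click lands.
CLICK_HANDLERS = ("onmousedown", "ontouchstart", "onclick")

def site(url):
    """Crude site key: last two host labels (assumption: no public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

class AnchorAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        href_site = site(a.get("href") or "")
        if not href_site:  # relative link such as /aclk?...: nothing to compare
            return
        # Assumption: multiple preconnect URLs are whitespace- or comma-separated.
        urls = re.split(r"[\s,]+", a.get("data-preconnect-urls") or "")
        foreign = sorted({site(u) for u in urls} - {href_site, ""})
        if foreign:
            self.findings.append({
                "id": a.get("id"),
                "href_site": href_site,
                "preconnect_sites": foreign,
                "click_handlers": [h for h in CLICK_HANDLERS if h in a],
            })

def audit(html):
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding is only a lead for manual review: it records that the link text and the background connection point at different sites, and whether a click-time handler is attached to the same anchor.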

Coinky
February 26, 2018, 01:05:48 AM
 #2

I don't think this is a scam or phishing attempt. This is link cloaking, generally used by affiliate marketers. Generally the landing page link is originally pointed to the real site, but after the approval of the ad, it will be redirected to their own page.

This has to do with Google banning crypto ads, maybe.

::::I DON'T WEAR ANY SIGNATURE:::
timerland
February 26, 2018, 08:50:46 AM
 #3

Quote from: Coinky on February 26, 2018, 01:05:48 AM
I don't think this is a scam or phishing attempt. This is link cloaking generally used by affiliate marketers. Generally the landing page link is originally pointed to the real site, but after the approval of ad, it will be redirected to their own page

This has to do with Google banning crypto ads, may be
(end of quote)

Well, isn't that the same as phishing?

You're getting someone who wants to go to one site to another. Isn't that the definition of phishing?

I have no idea how they do it, I don't have any experience in this field.

But what I can say is that thebitcoincode is definitely not legit and if there is a way to make thousands of dollars in a day, then everyone would be doing it and nobody would be bothering to do anything else on this world. Whoever implemented this phishing ad is obviously wanting to make affiliate earnings off this ripoff/scam.
