Bitcoin Forum
Topic: Scam Alert: Fake Google Ad for coinmarketcap.com (very well done)
12000suns
February 25, 2018, 11:34:40 PM
 #1

What happened:
There is a high-quality forged Google ad impersonating coinmarketcap.com (see screenshot below).

After inspection we are unable to determine the mechanism, but the following was observed:

The URL is exactly the same. No homoglyphs, no mixed alphabets; it hashes the same as the legit string.
The excerpt from source:
Code:
<a style="display:none" href="/aclk?sa=L&amp;ai=DChcSEwi8oK7ejsLZAhVZibIKHQHCBHAYABABGgJscg&amp;sig=AOD64_0ZJhvOZ-0Nf2kK_QgC2W8ewzFjKw&amp;q=&amp;ved=0ahUKEwi64KjejsLZAhVFhiwKHQCbBLUQ0QwIKA&amp;adurl=" id="n1s0p2c0"></a>
<a class="_Jwu r-ieTJdWpaBQ8I" href="https://coinmarketcap.com/" id="vn1s0p2c0" onmousedown="return google.arwt(this)" ontouchstart="return google.arwt(this)" data-preconnect-urls="http://monkey-tracker.info/" jsl="$t t-zxXzjt1d4B0;$x 0;">Cryptocurrency Market Capitalizations | CoinMarketCap‎</a>
 
shows a replaced data-preconnect-urls argument, which is used for redirection to whatever the attacker needs.
Currently it redirects to https://thebitcoincode.com/, but as you can imagine the same technique can be used in numerous phishing attempts.

If anyone has an explanation of how they did it, please submit a bug report @ Google.
 
Disclaimer:
Reproduced on different machines with different browsers.
Unable to reproduce with another Google account.

Reference screenshot:
https://imgur.com/a/t63y0

Additional Notes:
The domain is privacy protected and is linked to a VPS hosted in Moscow.
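
An added example, not part of the original post: a Python check that flags anchors like the one in the excerpt above, where the visible href host differs from a host named in data-preconnect-urls, or where a pre-click handler is attached. The function names, the comma/whitespace separator for the attribute, and treating a host mismatch as suspicious are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the excerpt in the post (tracking parameters shortened).
SAMPLE = '''
<a style="display:none" href="/aclk?sa=L&amp;adurl=" id="n1s0p2c0"></a>
<a href="https://coinmarketcap.com/" id="vn1s0p2c0"
   onmousedown="return google.arwt(this)" ontouchstart="return google.arwt(this)"
   data-preconnect-urls="http://monkey-tracker.info/">CoinMarketCap</a>
<a href="https://example.org/" id="plain">ordinary link</a>
'''

# Handlers that run before navigation and can therefore rewrite href at click time.
PRE_CLICK_HANDLERS = ("onmousedown", "ontouchstart", "onpointerdown")

def host(url):
    return (urlsplit(url).hostname or "").lower()

class AnchorAudit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        shown = host(a.get("href") or "")
        if not shown:
            return  # relative or empty href: no visible destination to compare against
        # Assumption: the attribute holds URLs separated by commas and/or whitespace.
        urls = re.split(r"[\s,]+", a.get("data-preconnect-urls") or "")
        foreign = sorted({h for h in map(host, urls)
                          if h and h != shown and not h.endswith("." + shown)})
        handlers = [h for h in PRE_CLICK_HANDLERS if h in a]
        if foreign or handlers:
            self.findings.append({"id": a.get("id"), "href_host": shown,
                                  "foreign_hosts": foreign, "handlers": handlers})

def audit(html):
    """Return one finding per anchor whose shown destination may not be the real one."""
    parser = AnchorAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding is a prompt for manual review, not proof of redirection: legitimate result pages also attach click handlers, so the host mismatch is the stronger of the two signals.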

Coinky
February 26, 2018, 01:05:48 AM
 #2

I don't think this is a scam or phishing attempt. This is link cloaking, generally used by affiliate marketers. Generally the landing page link is originally pointed to the real site, but after the approval of the ad, it will be redirected to their own page.

This has to do with Google banning crypto ads, maybe.

::::I DON'T WEAR ANY SIGNATURE:::
timerland
February 26, 2018, 08:50:46 AM
 #3

I don't think this is a scam or phishing attempt. This is link cloaking, generally used by affiliate marketers. Generally the landing page link is originally pointed to the real site, but after the approval of the ad, it will be redirected to their own page.

This has to do with Google banning crypto ads, maybe.

Well, isn't that the same as phishing?

You're getting someone who wants to go to one site to another. Isn't that the definition of phishing?

I have no idea how they do it, I don't have any experience in this field.

But what I can say is that thebitcoincode is definitely not legit, and if there is a way to make thousands of dollars in a day, then everyone would be doing it and nobody would be bothering to do anything else in this world. Whoever implemented this phishing ad is obviously wanting to make affiliate earnings off this ripoff/scam.
