Mastodawn

I was searching for information about a domain for Dandelion Sprout's antimalware, and I came across these spammy results.
I think this is the second or third time I have seen this.

"links.hokaoneone.emailpowerreviews.com blocked by Anti ..." is clearly based on the GitHub issue I was researching this for: https://github.com/DandelionSprout/adfilt/issues/1226

Searching for "happy ghast harnesses float under the ghast" turns up a ton more of these websites.

So something is scraping the internet for random keywords in order to fill the search results with malicious websites.

Clicking on one of these domains redirects the user to a fake CAPTCHA asking the user to allow notifications (typical scam); in this case the domain is humanverify.co.in. uBlock Origin's ads list and EasyList both block earlier stages of the redirection. Subliminal messaging to use uBlock Origin.

I noticed the blogspot domain loaded a heavily obfuscated script from kettledroopingcontinuation.com.

Here is the URL: https://kettledroopingcontinuation[.]com/4d/be/e5/4dbee55e59fc95ea4356dbb197f2132c.js
And here is a copy of that script: https://gist.github.com/iam-py-test/375bc55e52d1cde68520fdc9afa85705

Searching for that domain returns a few interesting results:

This blog post from Cisco, otherwise just bragging about their project, has an offhand mention associating it with ApateWeb: https://blogs.cisco.com/security/securing-dns-black-hat-europe

I had never heard of ApateWeb, but searching for it turns up this report:

Unit 42 researchers discovered a large-scale campaign we call ApateWeb that uses a network of over 130,000 domains to deliver scareware, potentially unwanted programs (PUPs) and other scam pages. Among these PUPs, we have identified several adware programs including a rogue browser and different browser extensions.

https://unit42.paloaltonetworks.com/apateweb-scareware-pup-delivery-campaign/

kettledroopingcontinuation isn't mentioned in that report, and I haven't read it in depth, so I do not know if it aligns with what we are seeing here.

Another interesting search result is this Reddit comment: https://www.reddit.com/r/ShapeScan/comments/1p9am7p/comment/nrb1vbc/

kettledroopingcontinuation.com - Malicious script host

The initial post is promoting shapescan[.]pt, which is supposedly the domain for ShapeScan. However, a lot of people report the domain redirecting them to malicious websites when using a mobile device. While I would not put a ton of faith in whatever "cursor" is, this does support this domain being malicious.

Show thread

iam-py-test Feb 22

Full URL for the second one is https://learnquestverification[.]blogspot[.]com/?page=en-git-dandelionsprout-adfilt-1771698915993

That query parameter is interesting

en-git-dandelionsprout-adfilt

Full URL for the Happy Ghast is: https://answhmflj.blogspot[.]com/?page=en-git-itsblackgear-vanillabackport-1771682335971

Which is a real GitHub repository: https://github.com/itsblackgear/vanillabackport
More specifically, it is a Minecraft mod (no matter where I go, I can't escape Minecraft).

And what do you know: https://github.com/ItsBlackGear/VanillaBackport/issues/272

Wait, are they all from GitHub? A lot of them do seem to be

This one, titled "Head of Maintenance", is different:

https://answwgieq.blogspot.com/?jobs=id-job-head-of-maintenance-1771655668672

Not sure what "id-job" is.

GitHub - ItsBlackGear/VanillaBackport

Contribute to ItsBlackGear/VanillaBackport development by creating an account on GitHub.

GitHub

Show thread

iam-py-test

No, Mastodon, no.
There were several clickable links in the post. Why did you go for the non-clickable one.
Edit: I edited the post to defang this URL, and the Happy Ghast URL, and now it points to the third URL in the post (the legitimate GitHub, which is fine).
Seems weird that links which are non-clickable (in ` tags) still generate previews.

Show thread

iam-py-test Feb 22

Anyway, I fixed the original issue, which had nothing to do with this side quest.
I do love random side quests, as anyone who follows me should know by now.

I have fixed it in the MWB: https://github.com/iam-py-test/my_filters_001/commit/8fe4748ceaf67de662653a8dce0ed1181ecde977

I feel like I have seen humanverify.co.in before, somewhere. I checked, and its not in my list and never has been, so I have no idea where I saw it.

Fix https://infosec.exchange/@iampytest1/116111883171991337 · iam-py-test/my_filters_001@8fe4748

My filter lists - feel free to add these lists to uBlock Origin - Fix https://infosec.exchange/@iampytest1/116111883171991337 · iam-py-test/my_filters_001@8fe4748

GitHub

Show thread

iam-py-test Feb 22

Just testing to see if the scraper picks this up: https://github.com/iam-py-test/iam-py-test/issues/3

I picked a title which I know has appeared nowhere else, and which currently has no search results.

Major Study Proves Myths About Stalin Side Effects · Issue #3 · iam-py-test/iam-py-test

Just a test to see if GitHub scrapers pick up on this. I picked a title which has likely never appeared anywhere ever before, as to guarantee that if it shows up somewhere, it had to come from here...

GitHub