iam-py-test  

A popup on YouTube downloader https://en.loader[.]to/4/ leads to wnouncillorswhowish.com, which redirects to playerhit.co, ending on the website depicted in the screenshot: https://l.gamerdenz.com/opera/player/ with a ton of query parameters.

If you remove those query parameters, the fake popup still shows but is broken: (behind CloudFlare): https://tria.ge/260606-wp1lnsbs7x/behavioral1

Clicking on the popup leads, eventually, to this OperaGX affiliate page: https://www.opera.com/get/opera-gx?utm_medium=pa&utm_campaign=PWN_US_HVR_9571_WEB_1977&utm_id=06a9d97b17374b1da991b7ca31d795f7&utm_source=PWNgames&edition=std-2

I have reported this to Opera via their online contact form—I could not find a specific abuse reporting email or form—and am waiting a response.

#Scam #OperaGX

Jun 6 at 6:08pmWeb
Show threadiam-py-test  Jun 6

EasyList just blocks every OperaGX affiliate link.

I've done the same thing, albeit worse: https://github.com/iam-py-test/my_filters_001/commit/8e1480b02a2f4c603cb20a2849c766b8c3d6f6a3

I might revert this depending on how Opera handles this. I also might just change it to strip the affiliate parameters, though that raises some ethical problems given there are legitimate OperaGX affiliates.

https://infosec.exchange/@iampytest1/112546751529440700

Show threadiam-py-test  Jun 6

I think there is a substantial difference between an anti-ad list blocking or stripping affiliate links, and a specifically anti-scam/antimalware list doing the same thing, hence my concerns.

Not that anyone uses my barely maintained list.

Show threadiam-py-test  Jun 6

Anyway, uBlock Origin users are protected from pretty much every stage of this.

AdGuard too, probably, though I only tested uBo.