Nearly caught out! Mamutu saves the day.

JUst out of curiosity. I was googling jump start + car > http://www.google.com/search?client=opera&rls=en&q=jump start + car&sourceid=opera&ie=utf-8&oe=utf-8 > hXXp://www.carbuyingtips.com/jumpstart.htm

Looks like Mamutu saved my bacon! I was browsing with Opera.

I was wondering if this was/ is a bad site!. I am not a malware hunter/expert. Just an innocent traveller on the information superhighway.

 

Didn't stay on the page terribly long. Saw the whole page and my mouse was an hourglass, but no alert from Avira, TF or Prevx. Are you sure it's not an FP? Has happened with Emsisoft before according to many users...

 

That is why I am asking......I am not sure if it is a FP!

Just throwing it out there to the experts....if they want to investigate.

 

Oh, didn't understand you where asking first. Well, I certainly think it's an FP as I've tested going to the page myself with a great layered setup and no alerts thrown up at all.

 

I get nothing

 

Not sure what all this means, but I have [urlXXX.TQLKG.COM[/url] blocked in A-Squared, Malware IDS : host rules for the time being. No biggie!

 

Not too sure what it could be. One of the sponsored google ads might have thrown up your alert.

See:
http://www.browserdefender.com/site/carbuyingtips.com/

Bascially those google links, every so often but I'm seeing it more frequently, do point users to malicious sites.

 

Some very random adresses on that report would look like typical Conficker-pages to me.

 

The image in the top left corner is hosted at TQLKG.COM. I have it in my HOSTS file already but I doubt if it would be the end of the world if the image showed up.

 

Checked it out,nothing happening on my end

 

The connect out alert to tqlkg.com is to load an image, which, when clicked, will take the user
to anrdoezrs.net:

Code:

<a href="http://www.anrdoezrs.net/click-267874-3885710" target="_blank">

<img height="126" alt="New & Used Cars" src="[B]http://www.tqlkg.com/image-267874-3885710[/B]" width="126" border="3"></a>

The browser is redirected to yceml.net where the image is stored:



I see that it is an animated GIF which I didn't notice, since I keep animation disabled:



The image is place at the upper left of the page.



From the code above, it appears that anrdoezrs.net has probably paid for the ad since upon clicking, the user is taken to that site for quotes.

However there is a redirect which eventually lands the user at

You will notice that the numbers 3885710 appear both in the site and image URLs, probably referencing carbuyingtips.com as the starting point in the chain. With each click, a few coins are deposited somewhere!

Such is the nature of internet advertising!

----
rich

 

Great info there Rmus, thanks for that.

That's why in the first pic from Tarnak, the small image in the top left-hand corner was blocked by Mamutu/AM. Tarnak, was that alert from using AM with surf protection?

 

Saraceno,I think you hit the nail on the head.

 

exactly got to love the A2 surf protection i personally tested this application and all i can say is amazing , hats off guys

 

Nice explanation. Thanks

 

I concur, even if a little over my head.

 

You are all welcome.

Seeing what happens on this site is instructive, for it applies to many web sites.

1. Often, alerts turn out to be false alarms, triggered by whatever criteria the program uses in evaluating sites. Hence, some site advisors do not flag this URL. McAfee Site Advisor, for example, reports:

http://www.siteadvisor.com/sites/tqlkg.com/summary/

2. But tqlkg.com is not even the main player, since the image is actually hosted on yceml.net. This is very common, and not necessarily devious or malicious.

3. Regarding the image as a hyperlink: It used to be that hovering the mouse to see the URL before clicking gave you some indication of where you were going. This is no longer reliable, since the site in this case, anrdoezrs.net, is just a hosting site which redirects to cars.com/go/buyIndex...... The user has no idea where the final destination is. A quick search in this case didn't reveal anything bad about this site.

4. If the image/hyperlink that loaded turned out to connect to a malicious site that served up malware, the original site, carbuyingtips.com, might not even be aware, since many sites use rotating ads and depend on their hosting company to check them out. Hacking and infiltration can occur in many places in the chain.

Search the internet for "malicious advertisements" or "banner ads" for some good reading.

----
rich

 

Oh Yes!

The old fashioned multi-redirect rotation is been used for years, some for simple safe ads but many times just to throw a user off-track from their initial inquiry, some with not so innocent motives.

Thanks author and to Rmus as usual who is johnny-on-the-spot regarding such matters, mostly the malicious ones. Ugh!

EASTER

 

It's not malicious, but redirects can still confuse and trick a novice user. Only today I was reading a blog, thought the blog sounded ok, clicked on the 'home' link and was taken off to buy some product. The blog was one of those fake blog sites where every link on the page was a redirect!

 

A single SAFE redirect is tolerable i think, but multiple re-directs especially to ads no one is remotely interested in is a waste of bandwidth on their end, and conjures up suspicion on the user end.

It's so stupid & immature IMO to still be playing Windows 98 games in the 21st Century Computing Internet World, but here we still are folks, being slapped in the face yet again with the same old tactics now years after. And how about those same old pop under ads after closing the page or on closing, surprise! look at this screensaver. The exact same ones advertised years ago.

Ho Hum

 

Yep,

Great explanation by R(e)mus, son of the Trojan Aeneas, only this Rmus survives all sorts of attacks and won't be defeated by Romulus Wonder what his relation with Lone Wolf (Lupa Capotilane?) is

Thanks Kees

 

i think i had a Mamutu liscence for 1yr but i cant remember my email used lol..sure it was from GAOTD darn.

 

This is IMHO a welcome complimetary bonus of having a truly genuine article when it comes to a reliable Behavioral Blocker and the exact way that it should process it's information then react with dispatch accordingly along with a DENY option.

EASTER

 

Agreed 100%