• Puzzling exploit

    From Philip Herlihy@21:1/5 to All on Wed May 29 19:58:55 2024
    XPost: comp.infosystems.www.authoring.misc, comp.infosystems.www.authoring.stylesheets

    (Anyone still in these now very quiet groups?) Cross-posted to comp.infosystems.www.authoring.html,
    comp.infosystems.www.authoring.misc,
    comp.infosystems.www.authoring.stylesheets

    I was sent an email about a forthcoming hospital procedure with a couple of links in it. When I clicked on one of them, a page came up asking me to allow notifications, and I was daft enough to click Allow. Very quickly I was getting notifications that my PC was full of viruses, with "click here to fix". I shut down, scanned for viruses (including offline) and nothing was found. Subsequent clicks on that link just brought up the correct page.

    Until I tried again a couple of days later. Same bogus page, though I wasn't fooled again. Still, subsequent clicks would bring up the correct page.

    I looked at the source code - the links there were simply plain text (no <A> or mailto: ), relying on the client or browser to recognise a URL and format/enable it accordingly. I'll post the code fragment (there is no script):

    <div style="direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
    Please watch an animation explaining your procedure before your pre-operative assessment appointment www.explainmyprocedure.com/barts</div>

    So I get the bogus page every couple of days, immediately after clicking that link. An equivalent link (to another site) in the same email never triggers the exploit. I guess the "first-time only" behaviour is part of concealment.

    I've reported it to the site owners who have apparently scanned and scanned, yet it's still there. Any ideas on where to look? Is there such a thing as a DNS exploit these days, for example?

    --

    Phil, London

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Apd@21:1/5 to Philip Herlihy on Wed May 29 23:18:12 2024
    XPost: comp.infosystems.www.authoring.misc, comp.infosystems.www.authoring.stylesheets

    "Philip Herlihy" wrote:
    > [...]
    > Please watch an animation explaining your procedure before your pre-operative assessment appointment www.explainmyprocedure.com/barts</div>
    >
    > So I get the bogus page every couple of days, immediately after clicking that link. An equivalent link (to another site) in the same email never triggers the exploit. I guess the "first-time only" behaviour is part of concealment.

    Yes. I've used curl to get headers only in the following tests and
    changed https to hxxps to protect the click-happy. First time it
    redirects like so:

    - - -
    curl -I hxxps://www.explainmyprocedure.com/barts/
    HTTP/1.1 302 Found
    Server: nginx
    Date: Wed, 29 May 2024 20:11:04 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    X-Redirect-By: WordPress
    Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
    - - -

    That "bellatrixmeissa" domain link then redirects to check you're not
    a robot and gets scripts from other domains, ending up who knows where.

    The redirect on subsequent tries goes to what I presume is the correct
    place, a login screen:

    - - -
    ...
    ...
    X-Redirect-By: WordPress
    Location: hxxps://www.explainmyprocedure.com/barts?password-protected=login&[...etc.]
    - - -

    > I've reported it to the site owners who have apparently scanned and scanned, yet it's still there. Any ideas on where to look? Is there such a thing as a DNS exploit these days, for example?

    They're using WordPress on the site which is notorious for being
    hacked and they need to fix whatever the vulnerability is. If they
    look at their WP code for the "wp_redirect" function or what calls it
    they should find the malicious code: <https://developer.wordpress.org/reference/functions/wp_redirect/>

    I'm presuming "explainmyprocedure.com" is a legitimate site to get
    info from Barts hospital, assuming the email really came from them.

    (removed comp.infosystems.www.authoring.stylesheets from followups)

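The first-hop check Apd did by hand with `curl -I`, as an added Python example (not code from the thread, nor from explainmyprocedure.com or its host): it HEADs a URL without following redirects, sends a browser-like User-Agent (a constructed string; later in the thread Apd notes the malware sometimes checks for one), and classifies the Location header as on-site or off-site, which is exactly what separates the bellatrixmeissa hop from the site's own password-protected=login redirect. The function names and the User-Agent value are my assumptions; the two header sets are reconstructed from the curl output quoted above with hxxps restored to https.

```python
"""Added example (not from the thread): classify a site's first redirect
hop as on-site or off-site, automating the `curl -I` check above."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Browser-like User-Agent (constructed). Apd later notes that the malware
# behaved differently for plain curl than for a browser-style agent.
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
              "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36")

REDIRECT_CODES = {301, 302, 303, 307, 308}


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def same_site(host_a, host_b):
    """True when the hosts are equal or one is a subdomain of the other,
    so www.example.com and example.com count as the same site."""
    a, b = host_a.lower().rstrip("."), host_b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def classify_redirect(requested_url, status, headers):
    """Return (verdict, target): verdict is 'none', 'on-site' or 'off-site'."""
    if status not in REDIRECT_CODES:
        return "none", None
    location = _header(headers, "Location")
    if not location:
        return "none", None
    target = urljoin(requested_url, location)      # Location may be relative
    req_host = urlsplit(requested_url).hostname or ""
    tgt_host = urlsplit(target).hostname or ""
    return ("on-site" if same_site(req_host, tgt_host) else "off-site"), target


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects: we want to see the first hop itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_first_hop(url, timeout=15):
    """HEAD the URL without following redirects; return (status, headers)."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": BROWSER_UA})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:      # 3xx/4xx/5xx land here
        return err.code, dict(err.headers)


def check(url):
    """Live check of one URL: status, verdict, target and X-Redirect-By."""
    status, headers = fetch_first_hop(url)
    verdict, target = classify_redirect(url, status, headers)
    return {"status": status, "verdict": verdict, "target": target,
            "redirect_by": _header(headers, "X-Redirect-By") or "-"}


# Header sets reconstructed from Apd's two curl captures (hxxps -> https).
FIRST_VISIT = (302, {"Server": "nginx", "X-Redirect-By": "WordPress",
    "Location": "https://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g"})
LATER_VISIT = (302, {"Server": "nginx", "X-Redirect-By": "WordPress",
    "Location": "https://www.explainmyprocedure.com/barts?password-protected=login"})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check(sys.argv[1]))
    else:
        for status, hdrs in (FIRST_VISIT, LATER_VISIT):
            print(classify_redirect("https://www.explainmyprocedure.com/barts/", status, hdrs))
```

Run it with a URL to check a live site (one hop per call; re-run on the reported target to walk the chain), or with no argument to classify the two reconstructed captures. Because the thread shows the bad redirect only on a first visit from a given location after several days, a clean result from one vantage point proves little: check from a fresh address, without cookies, and with both a browser-like and a plain user agent, since the agent string changed what Apd saw.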
  • From Philip Herlihy@21:1/5 to All on Fri May 31 10:51:58 2024
    XPost: comp.infosystems.www.authoring.misc

    In article <v389k1$1av9k$1@apd.eternal-september.org>, Apd wrote...

    > "Philip Herlihy" wrote:
    >> [...]
    >> Please watch an animation explaining your procedure before your pre-operative
    >> assessment appointment www.explainmyprocedure.com/barts</div>
    >>
    >> So I get the bogus page every couple of days, immediately after clicking that
    >> link. An equivalent link (to another site) in the same email never triggers
    >> the exploit. I guess the "first-time only" behaviour is part of concealment.
    >
    > Yes. I've used curl to get headers only in the following tests and
    > changed https to hxxps to protect the click-happy. First time it
    > redirects like so:
    >
    > - - -
    > curl -I hxxps://www.explainmyprocedure.com/barts/
    > HTTP/1.1 302 Found
    > Server: nginx
    > Date: Wed, 29 May 2024 20:11:04 GMT
    > Content-Type: text/html; charset=UTF-8
    > Connection: keep-alive
    > X-Redirect-By: WordPress
    > Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
    > - - -
    >
    > That "bellatrixmeissa" domain link then redirects to check you're not
    > a robot and gets scripts from other domains, ending up who knows where.
    >
    > The redirect on subsequent tries goes to what I presume is the correct
    > place, a login screen:
    >
    > - - -
    > ...
    > ...
    > X-Redirect-By: WordPress
    > Location: hxxps://www.explainmyprocedure.com/barts?password-protected=login&[...etc.]
    > - - -
    >
    >> I've reported it to the site owners who have apparently scanned and scanned,
    >> yet it's still there. Any ideas on where to look? Is there such a thing as
    >> a DNS exploit these days, for example?
    >
    > They're using WordPress on the site which is notorious for being
    > hacked and they need to fix whatever the vulnerability is. If they
    > look at their WP code for the "wp_redirect" function or what calls it
    > they should find the malicious code: <https://developer.wordpress.org/reference/functions/wp_redirect/>
    >
    > I'm presuming "explainmyprocedure.com" is a legitimate site to get
    > info from Barts hospital, assuming the email really came from them.
    >
    > (removed comp.infosystems.www.authoring.stylesheets from followups)

    Thank you - that's immensely helpful, and I've learned something for sure.
    Yes, it's a legitimate provider of animations, and Barts Hospital is one of their clients.

    I almost _never_ crosspost, and while I looked for the "Followup-To" field I managed to miss the "Advanced Fields" button in my client - sorry!

    --

    Phil, London

  • From Apd@21:1/5 to Philip Herlihy on Fri May 31 14:24:48 2024
    XPost: comp.infosystems.www.authoring.misc

    "Philip Herlihy" wrote:
    > In article <v389k1$1av9k$1@apd.eternal-september.org>, Apd wrote...
    >> [...]
    >> I'm presuming "explainmyprocedure.com" is a legitimate site to get
    >> info from Barts hospital, assuming the email really came from them.
    >>
    >> (removed comp.infosystems.www.authoring.stylesheets from followups)
    >
    > Thank you - that's immensely helpful, and I've learned something for
    > sure. Yes, it's a legitimate provider of animations, and Barts Hospital
    > is one of their clients.

    I also informed "explainmyprocedure.com" via their contact page at the
    time of my post but the problem is still there. Previously, the
    redirect was to (https):

    qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g

    Today, it's:

    qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpcps3qjvq314ov5asr0

    Only the "click_id" parameter has changed.

    This is a serious security issue. "Explain my procedure" appear to be
    using Cloudways managed hosting[1], so they may not be in direct
    control of the code. Cloudways say they provide secure Wordpress
    hosting which has obviously failed here. You might also want to inform
    Barts of the problem.

    [1] <https://www.cloudways.com/en/>

    How I discovered that:

    host www.explainmyprocedure.com
    www.explainmyprocedure.com has address 206.189.115.184

    host 206.189.115.184
    184.115.189.206.in-addr.arpa domain name pointer 419646.cloudwaysapps.com.

    > I almost _never_ crosspost, and while I looked for the "Followup-To"
    > field I managed to miss the "Advanced Fields" button in my client -
    > sorry!

    No problem. I've now removed comp.infosystems.www.authoring.misc from followups, as it's dead.

  • From Philip Herlihy@21:1/5 to All on Fri May 31 20:34:39 2024
    In article <v3cj6a$289ja$1@apd.eternal-september.org>, Apd wrote...
    > I also informed "explainmyprocedure.com" via their contact page at the
    > time of my post but the problem is still there. Previously, the
    > redirect was to (https):
    >
    > qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
    >
    > Today, it's:
    >
    > qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpcps3qjvq314ov5asr0
    >
    > Only the "click_id" parameter has changed.
    >
    > This is a serious security issue. "Explain my procedure" appear to be
    > using Cloudways managed hosting[1], so they may not be in direct
    > control of the code. Cloudways say they provide secure Wordpress
    > hosting which has obviously failed here. You might also want to inform
    > Barts of the problem.
    >
    > [1] <https://www.cloudways.com/en/>
    >
    > How I discovered that:
    >
    > host www.explainmyprocedure.com
    > www.explainmyprocedure.com has address 206.189.115.184
    >
    > host 206.189.115.184
    > 184.115.189.206.in-addr.arpa domain name pointer 419646.cloudwaysapps.com.

    Thank you, Apd - I'm really grateful for this. I'm simply a patient about to have a procedure at Barts, and invited to watch an animation about it (provided by Explainmyprocedure.com). They've told me they are urgently looking into it, but I'm guessing they have been struggling as this has been going on for many days. I've also notified Barts, though I haven't had a response from them.

    I passed your observations on to Explainmyprocedure and invited them to call me if they need an explanation.

    Wish me luck on Monday (should be a walk in the park, but you never know...)

    --

    Phil, London

  • From Apd@21:1/5 to Philip Herlihy on Fri May 31 22:41:22 2024
    "Philip Herlihy" wrote:
    > Thank you, Apd - I'm really grateful for this. I'm simply a patient
    > about to have a procedure at Barts, and invited to watch an animation
    > about it (provided by Explainmyprocedure.com). They've told me they are
    > urgently looking into it, but I'm guessing they have been struggling as
    > this has been going on for many days. I've also notified Barts, though
    > I haven't had a response from them.
    >
    > I passed your observations on to Explainmyprocedure and invited them to
    > call me if they need an explanation.

    I found out more about the payload after inspecting what's loaded at
    the redirects. Obfuscated script is run from "js.streampsh.top" which
    is a known ad pusher:

    <https://malwaretips.com/blogs/remove-streampsh-top/>
    "Streampsh.top is a site that displays fake messages to trick you into subscribing to its spam push notifications".

    The article was written in 2022 so functionality and messages seen
    may differ slightly now. It advises to reset your browser to default
    settings but unless you're experiencing problems like they describe,
    you should be ok.

    > Wish me luck on Monday (should be a walk in the park, but you never
    > know...)

    Sure, I hope it goes well for you.

  • From Arno Welzel@21:1/5 to All on Mon Jun 3 09:03:08 2024
    XPost: comp.infosystems.www.authoring.misc

    Apd, 2024-05-30 00:18:

    > "Philip Herlihy" wrote:
    >> [...]
    >> Please watch an animation explaining your procedure before your pre-operative
    >> assessment appointment www.explainmyprocedure.com/barts</div>
    >>
    >> So I get the bogus page every couple of days, immediately after clicking that
    >> link. An equivalent link (to another site) in the same email never triggers
    >> the exploit. I guess the "first-time only" behaviour is part of concealment.
    >
    > Yes. I've used curl to get headers only in the following tests and
    > changed https to hxxps to protect the click-happy. First time it
    > redirects like so:
    >
    > - - -
    > curl -I hxxps://www.explainmyprocedure.com/barts/
    > HTTP/1.1 302 Found
    > Server: nginx
    > Date: Wed, 29 May 2024 20:11:04 GMT
    > Content-Type: text/html; charset=UTF-8
    > Connection: keep-alive
    > X-Redirect-By: WordPress
    > Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
    >
    > [...]
    >
    > They're using WordPress on the site which is notorious for being
    > hacked and they need to fix whatever the vulnerability is. If they

    WordPress itself is quite robust nowadays and they have implemented
    quite strict coding guidelines including code analysis using psalm years
    ago.

    However - plugins and themes are often not as secure and most likely it
    is a hackable plugin causing the trouble here.

    --
    Arno Welzel
    https://arnowelzel.de

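Apd's suggestion to look for wp_redirect and whatever calls it, narrowed by Arno's point that plugins and themes are the usual weak spot, as an added Python triage script (not from the thread, and not WordPress's or Cloudways' tooling): it walks an install, lists every PHP line that issues a redirect (wp_redirect, wp_safe_redirect or a raw Location header), ranks a line "high" when the same line also calls an obfuscation helper such as base64_decode, "review" when it sits under wp-content/plugins, mu-plugins or themes, and "core" otherwise (core hits are normal and should be diffed against a clean copy of the same WordPress version), and decodes any base64 literal on a flagged line so a hidden target is readable. The mini install it scans is constructed inline; the file names, the acme-forms plugin and the example.invalid target are made up for the demo.

```python
"""Added example (not from the thread): triage scanner for injected
redirects in a WordPress tree. Samples below are constructed."""
import base64
import re
import tempfile
from pathlib import Path

# Lines that send a redirect: WordPress helpers or a raw Location header.
REDIRECT_CALLS = re.compile(
    r"\b(wp_redirect|wp_safe_redirect)\s*\(|header\s*\(\s*['\"]\s*Location:", re.I)
# Helpers commonly used to hide a redirect target in injected code.
OBFUSCATION = re.compile(
    r"\b(base64_decode|eval|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)
# Quoted base64-looking literal long enough to hold a URL.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
# Third-party code lives here; mu-plugins load without being activated.
HOT_DIRS = ("wp-content/mu-plugins", "wp-content/plugins", "wp-content/themes")
RANK = {"high": 0, "review": 1, "core": 2}


def reveal_base64(line):
    """Decode base64 literals on a line; keep only printable ASCII results."""
    found = []
    for match in B64_LITERAL.finditer(line):
        try:
            text = base64.b64decode(match.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found.append(text)
    return found


def scan_file(path, root):
    """Return one finding per redirecting line in a single PHP file."""
    rel = path.relative_to(root).as_posix()
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not REDIRECT_CALLS.search(line):
            continue
        if OBFUSCATION.search(line):
            severity = "high"
        elif rel.startswith(HOT_DIRS):
            severity = "review"
        else:
            severity = "core"    # expected in core; diff against a clean copy
        findings.append({"file": rel, "line": lineno, "severity": severity,
                         "snippet": line.strip()[:120],
                         "decoded": reveal_base64(line)})
    return findings


def scan_tree(root):
    """Scan every .php file under root, most suspicious findings first."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        findings.extend(scan_file(path, root))
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["file"], f["line"]))


def write_sample_tree(root):
    """Constructed mini install: a core stand-in, a benign plugin redirect,
    and an injected mu-plugin whose target is hidden behind base64_decode()."""
    root = Path(root)
    samples = {
        "wp-login.php":
            "<?php\n// constructed stand-in for a core file\nwp_safe_redirect( $redirect_to );\n",
        "wp-content/plugins/acme-forms/acme-forms.php":
            "<?php\nfunction acme_after_submit() {\n    wp_redirect( home_url( '/thanks/' ) );\n    exit;\n}\n",
        "wp-content/mu-plugins/cache-helper.php":
            "<?php\n// constructed example of an injected redirect; target is a dummy\n"
            "add_action( 'init', function () { wp_redirect( base64_decode( "
            "'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv' ) ); exit; } );\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def demo():
    """Build the constructed tree in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    import sys
    for finding in scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print(f"[{finding['severity']}] {finding['file']}:{finding['line']} "
              f"{finding['snippet']} {finding['decoded'] or ''}")
```

Point it at the document root of a WordPress install to get a ranked list; with no argument it scans the constructed tree. It is a first pass, not a verdict: a redirect split across several lines or built from string concatenation will not be paired with its obfuscation call, so "review" hits in plugin and theme code still need reading, and anything under mu-plugins that the site owner did not install deserves attention regardless of rank.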
  • From Apd@21:1/5 to Arno Welzel on Tue Jun 4 11:59:12 2024
    "Arno Welzel" wrote:
    > Apd, 2024-05-30 00:18:
    >> They're using WordPress on the site which is notorious for being
    >> hacked and they need to fix whatever the vulnerability is. If they
    >
    > WordPress itself is quite robust nowadays and they have implemented
    > quite strict coding guidelines including code analysis using psalm years
    > ago.
    >
    > However - plugins and themes are often not as secure and most likely it
    > is a hackable plugin causing the trouble here.

    I thought it might be. Anyway, I'll note they now appear to have fixed
    the problem.

  • From Philip Herlihy@21:1/5 to All on Mon Jun 17 17:17:21 2024
    In article <v3cj6a$289ja$1@apd.eternal-september.org>, Apd wrote...

    > "Philip Herlihy" wrote:
    >> In article <v389k1$1av9k$1@apd.eternal-september.org>, Apd wrote...
    >>> [...]
    >>> I'm presuming "explainmyprocedure.com" is a legitimate site to get
    >>> info from Barts hospital, assuming the email really came from them.
    >>>
    >>> (removed comp.infosystems.www.authoring.stylesheets from followups)
    >>
    >> Thank you - that's immensely helpful, and I've learned something for
    >> sure. Yes, it's a legitimate provider of animations, and Barts Hospital
    >> is one of their clients.
    >
    > I also informed "explainmyprocedure.com" via their contact page at the
    > time of my post but the problem is still there. Previously, the
    > redirect was to (https):
    >
    > qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
    >
    > Today, it's:
    >
    > qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpcps3qjvq314ov5asr0
    >
    > Only the "click_id" parameter has changed.
    >
    > This is a serious security issue. "Explain my procedure" appear to be
    > using Cloudways managed hosting[1], so they may not be in direct
    > control of the code. Cloudways say they provide secure Wordpress
    > hosting which has obviously failed here. You might also want to inform
    > Barts of the problem.
    >
    > [1] <https://www.cloudways.com/en/>
    >
    > How I discovered that:
    >
    > host www.explainmyprocedure.com
    > www.explainmyprocedure.com has address 206.189.115.184
    >
    > host 206.189.115.184
    > 184.115.189.206.in-addr.arpa domain name pointer 419646.cloudwaysapps.com.
    >
    >> I almost _never_ crosspost, and while I looked for the "Followup-To"
    >> field I managed to miss the "Advanced Fields" button in my client -
    >> sorry!
    >
    > No problem. I've now removed comp.infosystems.www.authoring.misc from followups, as it's dead.

    The problem is still there. I tried the 'curl' line you suggested, and it came back 'clean', but when I clicked the link in the original email today I still get the invitation to Allow Notifications (with a cheery cartoon). And up pops a tab with a scam in it. (I closed all tabs without any interaction.)

    They are obviously struggling to find and clear this malware, which I've seen only appears when the link hasn't been clicked from my location for (I think) several days, so it's got some concealment built-in. Do you have any further thoughts?

    (My procedure - helpfully explained by the 'victim' site - went well, by the way!)

    --

    Phil, London

  • From Apd@21:1/5 to Philip Herlihy on Mon Jun 17 22:39:19 2024
    "Philip Herlihy" wrote:
    > The problem is still there. I tried the 'curl' line you suggested, and it came
    > back 'clean', but when I clicked the link in the original email today I still
    > get the invitation to Allow Notifications (with a cheery cartoon). And up pops
    > a tab with a scam in it. (I closed all tabs without any interaction.)

    Yes, it's now doing the same again for me. I used curl but sent a
    browser user-agent string which is sometimes checked for by malware.
    The redirect is still in place to the same domain on first visit (qltuh.bellatrixmeissa.com).

    > They are obviously struggling to find and clear this malware, which I've seen only appears when the link hasn't been clicked from my location for (I think) several days, so it's got some concealment built-in. Do you have any further thoughts?

    Did you get any further feedback from them (I got none at all) or warn
    the hospital? I've now sent an abuse report to ExplainMyProcedure's
    hosting provider, DigitalOcean. Hopefully they'll do something.

    > (My procedure - helpfully explained by the 'victim' site - went well, by the way!)

    Excellent!

  • From Allodoxaphobia@21:1/5 to Apd on Tue Jun 18 16:36:22 2024
    On Mon, 17 Jun 2024 22:39:19 +0100, Apd wrote:

    > I've now sent an abuse report to ExplainMyProcedure's
    > hosting provider, DigitalOcean. Hopefully they'll do something.

    WHO!?!?!? *digital sewer ???* LMAO!

  • From Philip Herlihy@21:1/5 to All on Wed Jun 19 11:22:36 2024
    In article <v4qafg$ueq8$1@apd.eternal-september.org>, Apd wrote...
    > Did you get any further feedback from them (I got none at all) or warn
    > the hospital? I've now sent an abuse report to ExplainMyProcedure's
    > hosting provider, DigitalOcean. Hopefully they'll do something.

    Thanks for this. Yes, they do respond. They thought they'd fixed it, but I've warned them that they haven't. I also alerted the hospital, but they haven't responded.

    The malware only shows itself if I haven't connected to the site for a number of days. I'm not sure how long that number of days is. At the moment I check it once a week.

    --

    Phil, London

  • From Apd@21:1/5 to Philip Herlihy on Thu Jun 20 10:37:24 2024
    "Philip Herlihy" wrote:
    > In article <v4qafg$ueq8$1@apd.eternal-september.org>, Apd wrote...
    >> Did you get any further feedback from them (I got none at all) or warn
    >> the hospital? I've now sent an abuse report to ExplainMyProcedure's
    >> hosting provider, DigitalOcean. Hopefully they'll do something.
    >
    > Thanks for this. Yes, they do respond. They thought they'd fixed it,
    > but I've warned them that they haven't. I also alerted the hospital,
    > but they haven't responded.

    DigitalOcean did reply and said they've been notified.

    > The malware only shows itself if I haven't connected to the site for a
    > number of days. I'm not sure how long that number of days is. At the
    > moment I check it once a week.

    Just tried now - it's still there. I don't think there's anything else
    we can do. They should hire some competent IT staff!

  • From Philip Herlihy@21:1/5 to All on Thu Jun 20 11:37:38 2024
    In article <v50t8t$2gt0c$1@apd.eternal-september.org>, Apd wrote...
    > Just tried now - it's still there. I don't think there's anything else
    > we can do. They should hire some competent IT staff!

    Yes!

    --

    Phil, London

  • From Philip Herlihy@21:1/5 to All on Sun Jun 23 21:23:00 2024
    In article <MPG.40de16d07276280d989ada@news.eternal-september.org>, Philip Herlihy wrote...

    > In article <v50t8t$2gt0c$1@apd.eternal-september.org>, Apd wrote...
    >> Just tried now - it's still there. I don't think there's anything else
    >> we can do. They should hire some competent IT staff!
    >
    > Yes!

    And they did. They hired a specialist, who reportedly found the malware and removed it. :-)

    --

    Phil, London

  • From Apd@21:1/5 to Philip Herlihy on Mon Jun 24 09:57:47 2024
    "Philip Herlihy" wrote:
    > In article <MPG.40de16d07276280d989ada@news.eternal-september.org>,
    > Philip Herlihy wrote...
    >> In article <v50t8t$2gt0c$1@apd.eternal-september.org>, Apd wrote...
    >>> Just tried now - it's still there. I don't think there's anything else
    >>> we can do. They should hire some competent IT staff!
    >>
    >> Yes!
    >
    > And they did. They hired a specialist, who reportedly found the malware
    > and removed it. :-)

    Great stuff; and about time, too!
