linustechtips.com throws "Malicious website blocked" (www.ftjcfx.com) in Acronis Cyber Protect Home Office

[LAR_Systems]

Browser, version and OS: 

Chrome Version 115.0.5790.111 (Official Build) (64-bit) Windows 11.

 

Steps to reproduce/what were you doing before it happened?

Reloading https://linustechtips.com/ with Arconis Cyber Protect Home Office installed.

 

What happened?

When I opened the forum I got the following warning in Acronis Cyber Protect Home Office.

Domain does not appear to resolve a site / content or is down, makes LTT appear "infected" by a Malicious website.

 

 

Opened the browser console to confirm the domain / image was called from the forum, and it was.  That domain is referenced in an ad block, seen in screen shots below.

 

 

 

 

What did you expect to happen?

For LTT forum to not throw "malware" warning with a sketchy dead domain

 

Link to a page where it happened, if applicable: 

https://linustechtips.com/

 

Screenshots of the issue, if applicable: 

 

Any other relevant details:

 

 

If it's a cloudflare error, what was the ray ID from the bottom of the error page?

[manikyath]

i've decided to delve into this because it got me curious, everything in that div is linustechtips.com for my end.

[Mojo-Jojo]

Also cannot reproduce - Are you sure nothing is being injected on your end or on the way? No MITM going on?

[LAR_Systems]

@Mojo-Jojo @manikyath

That div "SideBarAd" is for an ad-unit they tend to change populated by JavaScript or an ad network.

 

So for example, refreshing the site right now I'm not seeing that link anymore and get the LTT Screwdriver ad.   

 

But I could refresh it again and it serves me something else. 

 

I flagged this as a post because if they have / use an ad partner one of them may have been exploited or have a domain in an ad that's been exploited they can just block the domain I provided with the ad network, it happens.

 

Edit:  I have been able to confirm that if I keep refreshing the page eventually the add rotates through LTT / Non LTT ads then eventually serves ftjcfx.com again with the blocked warning so it's in the ad rotation currently.

[manikyath]

7 minutes ago, LAR_Systems said:

@Mojo-Jojo @manikyath

That div "SideBarAd" is for an ad-unit they tend to change populated by JavaScript or an ad network.

 

So for example, refreshing the site right now I'm not seeing that link anymore and get the LTT Screwdriver ad.   

 

But I could refresh it again and it serves me something else. 

 

I flagged this as a post because if they have / use an ad partner one of them may have been exploited or have a domain in an ad that's been exploited they can just block the domain I provided with the ad network, it happens.

 

Edit:  I have been able to confirm that if I keep refreshing the page eventually the add rotates through LTT / Non LTT ads then eventually serves ftjcfx.com again with the blocked warning so it's in the ad rotation currently.

strong theory, so i refreshed a bunch of times.. ignored the in-house ads (lttstore, screwdriver,; etc.) and checked for all third party ads i got.

oddly, most of them are linustechtips.com served images, except for two:

- vultr is served from their own site.

- altium designer is served trough the 'shady' URL.. clicking goes trough two hops before ending up on altium's website. my guess is that altium just saved a buck on who's doing their ad work.

attached image is the ad that causes this.

[Slick]

The Altium Designer ad is being removed. 

 

Thanks for bringing this to our attention 

[XNOR]

Compliments to LTT doing it the right way by hosting the ads on the LTT site itself, rather than serving whatever ad a third party comes up with. It's still not perfect, as this incident shows, but a user having to click on an ad for something bad to happen is a lot better than serving unknown content directly.

[LAR_Systems]

1 hour ago, XNOR said:

Compliments to LTT doing it the right way by hosting the ads on the LTT site itself, rather than serving whatever ad a third party comes up with. It's still not perfect, as this incident shows, but a user having to click on an ad for something bad to happen is a lot better than serving unknown content directly.

That's not the case however, the malware URL was called in the ads image call, allowing tracking etc. to the offending domain if you did not have software to block it.

 

The ad did not need to be clicked to to trigger the issue, users that were seeing that ad were doing so from the domain flagged as malware which could display information in the ad that is misleading etc. without clicking it.

 

Just posted to clarify, that this is where malware detection software etc. is useful because there can be edge cases to exploit an otherwise trusted source to enable monitoring, visual misdirection etc. not just execution of malware via click, download, install etc.

 

Cheers.

[XNOR]

On 8/9/2023 at 8:04 PM, LAR_Systems said:

That's not the case however, the malware URL was called in the ads image call, allowing tracking etc. to the offending domain if you did not have software to block it.

 

The ad did not need to be clicked to to trigger the issue, users that were seeing that ad were doing so from the domain flagged as malware which could display information in the ad that is misleading etc. without clicking it.

 

Just posted to clarify, that this is where malware detection software etc. is useful because there can be edge cases to exploit an otherwise trusted source to enable monitoring, visual misdirection etc. not just execution of malware via click, download, install etc.

 

Cheers.

As far as I can tell the ad images are served locally from pbs-prod.linustechtips.com. It doesn't make a lot of sense for some ads to be served locally, and others not. Isn't Arconis Cyber Protect Home Office doing some kind of link assessment to evaluate whether the links on a page are safe? Microsoft does something similar with their Safelinks, even though it's evaluated when you click on them, not ahead.

[colonel_mortis]

3 hours ago, XNOR said:

As far as I can tell the ad images are served locally from pbs-prod.linustechtips.com. It doesn't make a lot of sense for some ads to be served locally, and others not. Isn't Arconis Cyber Protect Home Office doing some kind of link assessment to evaluate whether the links on a page are safe? Microsoft does something similar with their Safelinks, even though it's evaluated when you click on them, not ahead.

Most ads are served locally, but some are (or were) not.