Darkoshi

phishing email URL breakdown

Thu, 26 Jun 2025 02:06:35 GMT

My mom got a phishing (or malware) email made to appear like it was sent from Amazon:

Your Prime membership is renewing on Thu, June 26, 2025. However, we noticed that your default payment method for your membership is no longer valid.

To avoid losing your benefits, we'll try charging other active payment methods associated with your Amazon account. If we can't process the charge for your membership fee, your Prime benefits will be suspended.

Thank you,
Amazon Customer Service

The rest of the email looks like a normal Amazon email (although I don't have a real one to compare against). There are several obvious indications that the email is fake: an empty subject line, a non-amazon sender email even though it is shown as name "prime@amazon.com", and it only including an email address, not a name, in the "To" section and greeting.

The link provided in the email for updating her payment information is what I find curious. It is in this format:
https://mobile.mail.yahoo.com/apps/affiliateRouter?brandUrl=https%3A%2F%2Fgoogleads.g.doubleclick.net%2Fpcs%2Fclick%3F
followed by a bunch of characters and some other parameters at the end.

I asked MS Copilot about the URL and it provided the following details.

The base domain is mobile.mail.yahoo.com, which is a real Yahoo domain. But the key is in the query parameters — especially brandUrl and adurl.

The brandUrl parameter encodes a redirect to a Google Ads click tracker (googleads.g.doubleclick.net), which itself contains another redirect via adurl=... to a suspicious final destination: ....

This kind of multi-layered redirect is a classic phishing tactic. It uses trusted domains as intermediaries to:

Evade spam filters and security scanners.
Trick users into thinking the link is safe.
Obfuscate the final destination, which may host malware or a credential-harvesting page.

Everything after the ? is a query string made up of key=value pairs separated by &.

brandUrl: This is a URL-encoded link to a Google Ads click tracker (googleads.g.doubleclick.net). It contains its own nested parameters like xai, sai, sig, and adurl, which are used for ad tracking and redirection.

appName=YMailNorrin: Likely identifies the Yahoo Mail app variant or interface being used.

partner=1: Could indicate a specific affiliate or partner ID — possibly used for tracking referral traffic.

locale=1: Might refer to a language or region setting, though 1 is a bit ambiguous.

buckets=6oDiyy...: This is probably a session or experiment bucket ID — used for A/B testing or feature rollout tracking.

fbs_aeid=[gw_fbsaeid]: This is a Facebook Ads tracking parameter — possibly spoofed or copied to mimic legitimate ad traffic.

adurl (appears twice): This is the final redirect destination — in this case, a suspicious .pe domain. That’s the real payload of the phishing attempt.

This URL is a layered redirect trap:
Starts with a legit Yahoo domain.
Redirects through Google Ads infrastructure.
Ends at a potentially malicious .pe domain.

comments

hmmm malware?

Mon, 22 Apr 2019 04:15:19 GMT

This is the 2nd time in about as many days that when clicking a link, I've gotten a page like this, which is not the link I clicked:

[Firefox Logo - making it look like it's a Mozilla survey, but it isn't]
2019 Annual Visitor Survey undefined
Browser Opinion survey
April 21, 2019
Congratulations!

You’ve been personally selected to take part in our 2019 Annual Visitor Survey! Tell us what you think of Firefox and to say “Thank You” you’ll receive a chance to get an Apple iPhone Xs!
Question 1 of 4:
How often do you use Firefox ?

When I go back and click the link again, the expected page opens.

Today it happened upon clicking a link in the Google search results. Yesterday, I don't remember which page I had clicked the link from.

It seems to be malware:
https://duckduckgo.com/?q=firefox+%222019+Annual+Visitor+Survey%22&ia=web

(But none of the links in those search results look particularly trustworthy to me.)

An MBAM scan didn't find anything.
Currently doing an scan with my antivirus software.
... it didn't detect anything either.

This has been happening in Waterfox. I wonder if one of my add-ons got hacked. Hopefully not Waterfox itself.

Or maybe the sites that the links I clicked go to were hacked, to occasionally redirect the visitor to this bogus survey site. Both times, the domain of the survey URLs were different:
http://prize8384.bestlifehere24.life/...
http://competition8713.bumblbee82.life/...

comments

Thu, 11 Oct 2012 04:40:26 GMT

By the way, if you use MalwareBytes Anti-Malware, and get a message that a website is being blocked when opening my journal page, it is because MBAM is now blocking the IP # of the server that I've been storing photos on. I'm trying to figure out why, and if there's a way to get the problem resolved without switching hosting providers.

comments

Yahoo weirdness

Tue, 09 Oct 2012 04:02:23 GMT

Forestfen had difficulty logging into her Yahoo Mail account today. She was being prompted to perform an extra sign-in verification step (aka 2-factor authentication). It wasn't simply a prompt advising her to set up 2-factor authentication as I sometimes get; it was actually prompting her to enter a phone number for the security code to be sent to. There was no way of bypassing it.

To Forestfen's knowledge, she hadn't previously turned on 2-factor authentication, nor had she previously entered her phone number on any Yahoo Options page.

This was corroborated by the fact that the extra sign-in verification window had an entry field for her to enter her phone number in. That was the really odd thing about it (though that didn't occur to me until later). Anyone could have entered any phone number, and have been sent a code for logging in.

I tried logging into her email account from a completely different computer, and got the same prompt as she was getting. This at least assured me that the problem wasn't due to malware on her computer.

The prompt had 2 fields, a "Country" drop-down and a "Phone Number" entry field. There were 2 push-buttons - one to receive a phone call, and the other to receive a SMS message. Forestfen first tried the phone call option (she said she got an automated call with a 3-digit number), and then the SMS option (which sent a 5-digit number), and finally got logged in.

The Yahoo Account info page shows "second sign-in verification" is flagged as being in "beta".
I suppose this must be some bug in their logic.

comments

hmm? ahh... malware

Wed, 26 Oct 2011 02:07:35 GMT

I got an LJ Notice that "grevvlad" added me as a friend. So I looked at their profile. It doesn't show me on their friends list, so I suppose they added me and then removed me. I couldn't figure out if it was a real account/person, or something spammy/nefarious.

Their LJ seems to only have videos posted. If you click on some of their interests... say "moontale"... it shows several communities where this person is the only, or nearly the only poster. And the things posted on those communities are again mostly videos - music videos. Dark/industrial/metal type music. As well as videos of an anti-German(?) slant.

Certainly suspicious. But if it is something spammy, it is more complex than usual. And what is the purpose?

Ah! As I was browsing a few of those LJ pages, I got a popup that my MalwareBytes blocked something... so the purpose must be to install malware on people's computers, or something nefarious indeed.

Yay! for MalwareBytes Anti-Malware PRO. I installed it with the real-time protection module this weekend, after buying a license (4 licenses actually... one for my friend's computer, one for my mom's, one for Qiao, and one for me).

Today's log:
08:31:29 *** MESSAGE Protection started successfully
08:31:34 *** MESSAGE IP Protection started successfully
21:26:59 *** IP-BLOCK 82.146.59.111 (Type: outgoing, Port: 49523, Process: firefox.exe)
21:50:49 *** IP-BLOCK 82.146.59.111 (Type: outgoing, Port: 49799, Process: firefox.exe)

comments

malware and scams

Sat, 04 Jun 2011 06:11:01 GMT

I got a small fright today when a message popped up on my work computer. It seemed similar to the trojan that I had cleaned off of Forestfen's computer last weekend. It then brought up an artfully disguised browser page. I recognized it as malware-related right away, but wasn't sure if it had already somehow managed to infect the computer. Thankfully it didn't seem to get further than the browser screens (it had popped up while I was googling for info on SQL Server). I disconnected from the network right away, took some photos, and closed all my browsers. I did a full scan later, which found nothing.

( next window that popped up... cut for size )

Apparently scammers are now also calling people up on the telephone pretending to be with Microsoft and trying to scare them into thinking that their computer is infected.

comments