Suspicious links from Skype

This afternoon I received a couple of suspicious links from friends on Skype whom I hadn’t talked to in ages. It was quite apparent that their accounts were compromised, and clicking the link would result in some unpleasant events.

These were the messages I received. The link contained URL-encoded “HTTP://” (%68%74%74%70%3A%2F%2F), so I could tell this was a link disguised as a Google search link.
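The disguise described above can be checked without visiting the link. The following is an added example, not part of the original post: it decodes each query parameter and reports any that resolve to an absolute URL on a different host than the one shown. The sample link, the parameter name `url` and the `example.test` host are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

ABSOLUTE_PREFIXES = ("http://", "https://", "//")
MAX_DECODE_ROUNDS = 3  # the destination may be percent-encoded more than once

# Constructed sample: trusted-looking outer host, percent-encoded inner URL.
SAMPLE = ("https://www.google.com/url?sa=t&url="
          "%68%74%74%70%3A%2F%2Fredirect.example.test%2Fpromo")


def fully_unquote(value, rounds=MAX_DECODE_ROUNDS):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_targets(url):
    """Return (parameter, inner_host, inner_url) for every query or fragment
    parameter that decodes to an absolute URL on a different host."""
    parts = urlsplit(url)
    outer_host = (parts.hostname or "").lower()
    findings = []
    for source in (parts.query, parts.fragment):
        # parse_qsl already decodes once; fully_unquote handles extra layers.
        for name, value in parse_qsl(source, keep_blank_values=True):
            candidate = fully_unquote(value).strip()
            if not candidate.lower().startswith(ABSOLUTE_PREFIXES):
                continue
            inner_host = (urlsplit(candidate).hostname or "").lower()
            if inner_host and inner_host != outer_host:
                findings.append((name, inner_host, candidate))
    return findings


if __name__ == "__main__":
    for name, host, target in embedded_targets(SAMPLE):
        print(f"parameter {name!r} points off-site to {host}: {target}")
```
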

Analysis

I searched online to see if I could analyze suspicious links without actually visiting them myself. sucuri.net provided such services, so I ran the link through their interface.

Sucuri reported that the link redirects to a website called “***your**cbd.”

I copied and visited the link in a virtual machine. Sure enough, the link redirected to the “***your**cbd” website.

It is a static website advertising miraculous CBD gummies complete with a news article, testimonials and comments.

The comments were always posted within the last hour. The Reply and Like buttons are just plaintext with colors. And every link on the website (even the share-to-SNS buttons) redirects to yet another site called “***gummies” where you can order a bottle of gummies for yourself.

The website had a timer to give a sense of urgency, so I decided to see what happens when the timer expires.

But sadly, nothing happened.

Update

I stumbled upon a post from Naked Security titled “How scammers abuse Google Search’s open redirect feature,” which describes the exact method analyzed in this post.