Friend sent me a strange message she got with the following link:
Attempt 1: www
I booted into my REMnux VM and turned on Burp suite to intercept the traffic. If you leave off the trailing slash (like in the text above), it just redirects to /Indiana/g/
then proceeds as following:
Step 1: Link redirects to dnkshop <dot> net:
Step 2: dnk shop redirects to itself, but now with a sid cookie and a JWT token
I decoded the JWT token, it was created, presumably, by the library Joken. This is a library for a programming language called Elixir.
With the token and cookie set, it just immediately redirects you to a new booknower <dot> com URL with some random strings in the URL:
Finally, this URL just redirects back to google.:
I tried to mess with the parameters of the booknower URL but I kept getting 503 errors like the server was down. I noticed if I retired the URL, the sequence was now different.
Attempt 2: ww1
In this attempt, it navigated me to ww1 <dot> dnkshop <dot> net this time:
This time the contents of the page were way different. It set an adblock cookie and loaded a parking.2.86.1.js
file. It also contains another token/base64 string to a window.park
Decoding this gives a JSON response basically building the request headers and contains my IP (which in this instance is going through a VPN).
I also checked out the JS file. It is very long and has mentions to bodis <dot> com, the code is also semi-obfuscated. All the variable names are just random letters. I looked up bodis.com and it appears to be a legitimate domain that uses some sort of tracking pixel for advertisements as per this page.
Next, I am redirect and it makes two POST
requests on the www1<dot>dnkshop<dot>net
domain, to /_fd
first:
Which then appears to take that content and use it as a signature in it’s request to /_zc
:
I then get redirected to GoDaddy’s purchase page to try and buy the dnkshop domain myself:
Which it does happen to be available, interestingly. My assumption is after tracking all of the requests, it perhaps is hoping the end-user is signed into GoDaddy and maybe the cookies would try to auto-purchase the domain for you?
Attempt 3: ww2
It’s interesting because each time I click the link, the URL it first sends me to appears to change. Let’s check this rabbit hole.
It has further tracking cookies that track the sale form:
And it also sends a big blob of data to itself on the /ls.php
endpoint:
Further Attempts
I ran it a bunch of different times and it would vary between “domain for sale” pages, but once I got redirected through another few hoops to a “job posting” page.
From the booknower website again, but now to american listed:
Which then redirects to an ad campaign, that redirects me to jobs in New York (where my VPN is currently set):
Then it hops through a bunch of other trackers and a jobhelper<dot>com website:
Conclusion
This URL is definitely odd. It always will redirect to the dnkshop <dot> net, with variations of www, ww1, ww2. The page you return on can vary as well. The majority of the time it took me to a page stating the domain was for sale, even though a whois
clearly indicates it’s registered and valid until 2023:
Only on rare occasions could I get it to redirect me to some other site such as the job posting site. It must have some sort of randomization feature on where it redirects you. I have tried clearing my cache/cookies each time as well but the majority of the time I always got some sort of for sale page. The “for sale” page was some variation of the following:
Clicking any of the links just grabbed info from google but kept you on the site. Presumably they earned a few cents for each click as ad revenue maybe? It’s definitely an odd link as sometimes it would fire out to someplace else, but mostly would just show for sale.