Block Iframes, JavaScript, Redirections

Status
Not open for further replies.

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
No more problems here after the PC reboot, like those I described in my previous post.
All sliders of Quick Filters I have set remain on max. on the right.
____________________________

I was trying to watch YouTube video:

On my Cent browser - Version 1.8.9.28 portable (based on Chromium 49) no problem, if you untick the last box of UI Protection only.
On my Slimjet - Version 10.0.13.0 portable (based on Chromium 50.0.2661.75) no problem, if unticked two last boxes of UI Protection.

All sliders of Quick Filters are on max. on the right.
 

Prorootect

On Chromium forks: I threw out the "Policy Control - JavaScript and Flash blocker" because I have ContentBlockHelper, latest version... which easily co-exists with ScriptSafe here.
And disabled "Script Blocker for Chrome" for the same reason.

On Chromium forks: Downloaded JavaScript Popup Blocker : JavaScript Popup Blocker

On Firefox: Downloaded Policy Control: Policy Control - JavaScript and Flash blocker – Add-ons for Firefox
- but before, this happened:
I got a full page proposal to download another Firefox, with two "confirm" modal window dialogs, after clicking on the "AdBusters - AdBlocker plus Ad-O-Meter" icon in the browser.

So I forced reboot of PC - all is OK. Then removed this AdBusters... it's hacked maybe?..
hmm hacked by true Firefox page, cause WebExtensions change maybe...cause I have Firefox ESR v52.5.0
Maybe had this one: Web Push notifications in Firefox
"Web Push allows websites to notify users of new messages or updated content. While Firefox is open, websites who have been granted permissions can send notifications to your browser and display them on the screen. Users can easily allow or disable notifications and control how these notifications appear."
- I have not notched "do not disturb me" in Options/content, that's why I had this modal - maybe
 

Prorootect

ScriptSafe on Chrome Updated to v1.0.9.2! (Monday, December 4, 2017)

In this release you will find the following updates:

  • v1.0.9.2:
    • Added new "Recent Log" page where you can view all recently blocked or allowed items (the "Log" link can be found in the top-right corner of the ScriptSafe panel)
    • Added the ability to block Browser Plugin Enumeration (under Fingerprint Protection, option is disabled by default so feel free to enable it)
    • Added the ability to block Bluetooth Enumeration (under Fingerprint Protection, option is disabled by default so feel free to enable it)
    • Added ability to control whether or not Remove Possible Hash Tracking applies to whitelisted sites or not (default: disabled)
    • Added ability to control the Keyboard Fingerprinting Protection keypress delay
    • Added the ability to revert to default settings (found under "Import / Restore Settings")
    • Added more browser and operating systems for User Agent Spoofing (thanks nyancat18)
    • Added Polish locale (thanks Galileusz)
    • Improved syncing reliability and added support for handling data compression (to be switched on in an upcoming update)
    • Improved Browser User Agent Spoofing and added ability to enter a custom user agent string
    • Improved WebGL Fingerprint Protection
    • Improved Clipboard Interference Protection
    • Improved domain matching logic
    • Fixed "Trust" option not being available for domains starting with a wildcard match
    • Updated unwanted content providers list
    • Minor updates to German, Japanese, Chinese (Traditional), and Spanish locales
    • Minor panel updates
 

Prorootect

Well recently - I use this good Policy Control on Chromium forks...

To stop abs.twimg.com k series (ha! uh), I use recently on chromium forks (Cent...) this combo: ScriptSafe (it's normal...) and Policy Control with Scripts on block third party - to block these k items - seen on ContentBlockHelper! - and to stop twitter black nag screens (white "sign up on twitter" etc on black twitter page)
- it's more user-friendly than the ScriptSafe/ContentBlockHelper combo, I see.
 

Prorootect

All you have to do is to search

"watch Justice League movie online free" or "watch Thor : Ragnarok 2017 movie online free" without quotes

and you can find the movie sites. They are all about the same sites hosting free online movies

Make sure you turn off all the other adblockers

Searching for 'watch Justice League movie online free' , I've found first google result: 123moviesfree.ac...
Clicked on this link (without adblocker, but with Policy Control enabled, with 'Object plugin-handled content' on Block third-party) - I've just had new window with this modal full-page blue proposition to make update of my Firefox Nightly, hahaha, very nice window...
- nothing clicked on the page, but I closed and reopened my Windows session to have my desktop.

Then changed (in Policy Control) the 'Object plugin-handled content' on Block all - so on 123moviesfree.ac... I have no more this modal new window. Easy, with Policy Control extension.:)
 

Prorootect

...instead of log-off, then log-on my account, I could press Alt+F4 to close my browser and this new modal window - this keyboard shortcut command closes down the active window, I'm not sure in the case of modal window...
- In another case, if you would close current tab only, hold Ctrl and press W.
But if you have endless loading tab (with eg. confirm alert), these keyboard commands work no more...

____________________________

For Chrome and chromium forks, very effective is Page Blocker : Page Blocker - offered by Chermaine Cheang.
- when this extension is turned on, it will block the opening of new tabs or new windows, especially those that are not intended by the user, and those that led to unwanted pages, redirects... opening of new tabs or new windows - so you don't have redirects of this kind, with pop-up ads, viruses or ransomware.
- but it doesn't block bad things happening on this same page...
- Look too on this thread: Add-on - Page Blocker - New Tab Blocker
- So if you want to surf on bad links, first put ON your Page Blocker.
 

Prorootect

ScriptSafe blocks malicious redirections!

ScriptSafe (for Chrome) updated to v1.0.9.3 (Tuesday, December 12, 2017) - automatically after start of your browser.

In this release you will find the following updates:
    • v1.0.9.3:
      • Added ability to temporarily disable ScriptSafe for a set time via the panel (useful if buying something online)
      • Added ability to selectively allow Browser Plugins Enumeration
      • Added ability to randomize user agents: on every request or every x minutes
      • Minor panel tweaks
      • Minor user agent fix
      • Updated unwanted content providers list
I have put together some documentation for ScriptSafe, including "Getting Started" instructions.

If you run into any issues, please create an issue in Github.

I am quite active on Twitter, so if you don't mind the occasional cat tweet, you are free to follow me: @andryou.

Thank you,
-Andrew
 

Prorootect

Infinite source of REDIRECT pages here: (read too: ADWARE pages here):
(All this happened in Nightly v2017.12.21 (32-bits) = Firefox 55.0. with add-ons: Policy Control, Redirect Control ...)


ad.directrev.com/RealMedia/ads/adstream_sx.ads/...

(MT removal instructions: Remove Ad.directrev.com pop-up ads (Chrome, Firefox, IE and Edge) )
redirect to:
go.ad2up.com/afu.php?id= ... Remove Go.ad2up.com/afu.php from Chrome, FF, IE, Edge Homepage (Video Tutorial): youtube.com/watch?v=S7cQbjUNdBs
then to:
go.padsdel.com/afu.php?id= - URLquery.net - Report: urlquery.net - Report - Fortinet's Web Filter comment: Malware
then to
craftflightup.com
hamburgheddle-eye.com/?k=
hamburgheddle-eye.com/snn/ - linking to feeds.reuters.com Reuters news headlines - from reuters.com redirections: here: hxxp://hamburgheddle-eye.com/snn/

urlscan.io/result: hamburgheddle-eye.com - urlscan.io says:
IP: 34.196.13.28 Geo IP: US Ashburn, US
AS Autonomous System: 14618 (AMAZON-AES - Amazon.com, Inc, US)
PTR: ec2-34-196-13-28.compute-1.amazonaws.com
- look too on Indicators of compromise (IoCs) ...
ipinfo.io/34.196.13.28: 34.196.13.28 IP Address Details - ipinfo.io - here you have all these adware urls ("There are 10,077 domain names hosted on this IP address. You can see 25 below.").
...and virustotal on this IP: VirusTotal
then
done.witchcraftcash.com ... - MT remove: How to remove Done.witchcraftcash.com Adware (Virus Help Guide)
redirect to
...
then to
glawheejoushpush.com ... uh loading... MT remove: How to remove Glawheejoushpush.com redirect (Virus Help Guide)
pushedwebnews.com/?b=1&ba=1&... THIS MT link:: How to remove Pushedwebnews.com Adware (Virus Removal Guide)
then
go.ad1data.com/afu.php?id= ... urlscan.io/result: go.ad1data.com - urlscan.io - 55 requests, 23 ad-blocked...
globaladmedia.net:3000/traffic?pcode= ...
xml.pdn-5.com/click?i= ... MT remove: How to remove Xml.pdn-5.com Adware (Virus Removal Guide)
l.effective-scanner-1240.com/ ---> never go! Google : No results found for ...
then
w4azg.voluumtrk.com/ ... and MT says: How to remove Voluumtrk.com redirect (Virus Removal Guide)
ox-ui.mediadesk132.com/link/ ... and MT solution: How to remove Ox-ui.mediadesk132.com redirect (Virus Removal Guide)
clk.braintag.com/?bt=ox-ui.mediadesk132.com/ ...
action.metaffiliation.com/trk.php?mclic= ... MT topic: How to remove Action.metaffiliation.com redirect (Removal Guide)
then to
zaful.com/promotion-trendy-accessories-special-626.html?utnn_source=netaffiliation&utm_campain= ... - there are Trendy Accessories for Women
then to
pushedwebnews.com/?b=1&ba=1&dm=0&ep=1& ...
...then it would confirm you're not a robot (don't allow to receive notifications!): Confirm you're not a bot: hxxps://pushedwebnews.com/?b=1&ba=1&dm=0&ep=1&i18db=1&l=... &pshr=1&s=12222&z=11111&cd_meta_crid=3988&tr=default - with address: pushedwebnews.com ... and Confirm case address go.ad1data.com/afu.php?id= base#64 (don't click!)... if you cut this pushedwebnews.com url slightly and hit Enter, you have other redirections ...
- If you could hit Back button of the pages, you have another new redirect pages ... infinite source of redirect pages here!
then
download.weatherblink.com/index.jhtml?partner=XN ... - attention, this is WeatherBlink toolbar, keep cookies disabled before ... - so I have
Error page: Error - haha ...
"Oops! It seems there was an error downloading WeatherBlink
We've detected that you have cookies disabled. Please enable cookies in your browser in order to download the WeatherBlink toolbar."
- look on WeatherBlink Chrome extension (!!!) comments: WeatherBlink - 792,705 users, Version: 13.321.12.16601 Updated: November 10, 2017 - Thank you Google!.. (yes I'm sarcastic)
urlscan.io/result: download.weatherblink.com - urlscan.io
"This website contacted 22 IPs in 6 countries across 26 domains to perform 44 HTTP transactions. Of those, 30 were HTTPS (68 %) and 32% were IPv6.
The main IP is 74.113.235.138, located in Dublin, Ireland and belongs to ASN-IWON - Mindspark Interactive Network, Inc., US. The main domain is download.weatherblink.com."

Quote two comments here:
"This extension will:
> Change your default search engine to their search engine. So you think you're searching Google but instead get results from MyWay
> Change your browser's home page
> Add a new toolbar to your browser"
"EVIL!
HACKED CHROME!
Remove:
Right-click on app icon > click remove > click remove > NEVER COME BACK AGAIN!!!"

From mindspark.com/EULA:
"... By downloading a MS Product, you will be installing a software application, browser extension and/or changing browser settings (e.g., to set a “new tab” or “home page” in your browser) within one or more of your Internet browsers and/or onto your computer (depending on the product). The MS Product will allow you to search the Internet, and may provide you with additional features as further described in this EULA. During the download of a MS Product you may also be offered the opportunity to set your browser homepage, start page, new tab page and/or default search setting(s) to our search service. If you do not wish to reset your setting(s), you can choose not to install the MS Product (for example “new tab” or “home page” products); for certain other applications (e.g., “toolbar” applications that include settings changes such as default search) you may be able to install the application but decline or opt-out of one or more setting(s) changes (e.g., by checking or unchecking the appropriate checkbox during the download process). Certain search features, as well as other non-search-related features may be customized by you. Use of such features and settings, including our new tab and home pages, is additionally subject to our Terms of Service and Privacy Policy, which are hereby incorporated into this EULA by reference...."

__________________________

- My question is WHY Google permits all this to happen... redirections, malicious extensions, ...
money money money
everyone sees this and doesn't trust Google anymore - so GOOGLE wake up!
 

Prorootect

Sorry for my English and lack of general explication!

In my post above, I show the sequences of redirects...(on Nightly =Firefox 55.0) - if I clicked on eg.: ad. directrev. com/RealMedia link:
hxxp://ad.directrev.com/RealMedia/a...&je=true&ce=true&ce=true&sr=1536x864&kw=&ref=
- I've had several successive redirections: to go.ad2up.com/afu. php? id=..., then to go.padsdel. com/afu. php? id=..., then to craftflightup.com (it's full url) etc etc etc.
This is my add-on Redirect Control, which allows me to stop on each redirection, to allow or deny this redirection... (Firefox bar asks me: Allow Redirect?... I have the choice Yes, No) - this allows me to note the url, then click Allow to go on the next redirection....
Meanwhile, my Policy Control defends me, with my policy rules (some in Block all, some in block third party...) - if you want, I can copy for you my rules in this Policy Control, which defends me.

If I click on craftflightup.com (I see tab site title: "One moment..." - so beware!) this leads me to - attention! : hxxp://hamburgheddle-eye.com?k=52bc7601cf12746b...- payload surely! Sucuri SiteCheck result: Sucuri Security says: malware.hidden_iframe?2.2 :
Known javascript malware. Details: hxxp://labs.sucuri.net/db/malware/malware.hidden_iframe?2.2... ...in hxxp://hamburgheddle-eye.com?k= - about 55 results... Google interesting results if I search for this address today (change xx to pp) - many digital-evils addresses!.
- but I click Yes, and cause Redirect Control works instantly, next redirect lead to SNN - Your Opinion Matters safe (I think...) landing page (cause having Policy Control...) - that's all today here... maybe with Policy Control disabled this link could have landed on some bad virus..:) sure, sure javascript malware!

So my post (above, and this one) sails the overriding utility of Redirect Control add-on, and strength of defense by Policy Control.

Maybe my post is not interesting for all of you, but this was fun to me. Worked without any sandbox, any VMware... safely with Policy Control and Redirect Control. So with these two add-ons/extensions I'm safe (for redirections...) on Nightly basilisk.exe = Firefox.

PS.
mindspark.com is owner of weatherblink.com page, and weatherblink products (toolbar, Chrome extension...).

One moment... so beware!

And this will be
The one moment that matters
And this will be
The one thing we remember
And this will be
The reason to have been here
...


One moment... what you just saw was real.;)
 

Prorootect

On Firefox, Nightly...

Another Infinite source of REDIRECT pages here: (ADWARE/MALWARE): hxxps://watchfree.ws/watchfree.to?rel=logo

You have the new window plain page redirections, if you click on page links (buttons) at the top of this page (eg. WATCHFREE, HOME, HOT MOVIES, LATEST MOVIES etc.).

Too new window plain page redirections, if you click HOME button on:
hxxp://123moviesfree.ac/home.html
hxxp://0123movies.org/home.html

If you search on Google for "123movies" - you have many websites with redirects, like these above!
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
I have a question on ContentBlockHelper

Examples.

When I visited Gizmodo.com, uBlock Origin shows amazon-adsystem.com is blocked and ContentBlockHelper also shows the same which means they concur.

However, chartbeat.com, googletagservices.com etc are blocked by uBlock Origin (by default) but NOT blocked by ContentBlockHelper. So which is correct?

Even in MT forums, google-analytics.com is blocked by uBlock Origin but NOT blocked by ContentBlockHelper........:rolleyes:

Thanks

Most likely it's the difference in filter lists. uBlock Origin enables EasyPrivacy, Peter Lowe's and its own filters by default.
 

Prorootect

One more add-on to you (and me): Redirect Bypasser by Moises Lima

Firefox add-on: Redirect Bypasser – Add-ons for Firefox
moisesplima.blogspot.fr: Moises Lima: Redirect Bypasser

Version 2.1.3 Jun. 03, 2016
Demo: Demo
Download: Opera Browser - Firefox

Description:


Useful to avoid frame pages (e.g., Google images, Yahoo, Bing...) , ads, surveys, unwanted redirects...


Features:

* Extract links recursively (every URL found are added to a pop-up overlay while hovering the link to let the user choose the best option in a fast way).

* Decode obfuscated links as "reverse", base64 and hex. (tricks used by some sites to prevent direct access to the original web address).

* Extract web addresses within tag's attributes (e.g. onclick, onmouseover...), text contents and JavaScript: protocol (mostly used to open pop-ups or to show overlays).

* Extract web addresses from plug-ins (useful to open flash games, videos... in a new tab or to get URL of videos, musics...).

* Can handle dynamic content (links that move or hide...) very well.

* The icons are sorted by file extension and auto-set colors based on algorithm used, for the user identify them quickly. As an example, while browsing any site (e.g. Google images) the blue icon was the desired target, another link that show blue icon is likely to be the desired one too.

- You have the little squares choice between Image Variables ( purple icon imgurl = image location, blue icon imgrefurl = link of webpage image was found) for all Google images search results.

View demo

Picture link: Options/General: https://addons.cdn.mozilla.net/user-media/previews/full/168/168528.png?modified=1448118247
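
The "reverse", base64 and hex decoding listed in the feature description above can be sketched as follows. This is an added example, not Redirect Bypasser's code and not part of the original post; every host name in it is a constructed placeholder, and it runs offline under Node.js.

```javascript
// Added example (not Redirect Bypasser's code). Runs under Node.js: uses the
// global Buffer and URL classes and makes no network requests.
const URL_RE = /^https?:\/\/[^\s"'<>]+$/i;
const MAX_DEPTH = 3; // stop descending into nested redirectors after a few levels

// Each decoder returns a string, or null when the value cannot be that encoding.
const DECODERS = {
  plain: (s) => s,
  reverse: (s) => [...s].reverse().join(''),
  base64: (s) => {
    // URLSearchParams turns "+" into a space, so undo that first. Validate the
    // alphabet, because Buffer.from() silently skips invalid characters.
    const v = s.replace(/ /g, '+');
    if (!/^[A-Za-z0-9+\/_-]{8,}={0,2}$/.test(v)) return null;
    return Buffer.from(v.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('latin1');
  },
  hex: (s) => (/^(?:[0-9a-f]{2}){4,}$/i.test(s) ? Buffer.from(s, 'hex').toString('latin1') : null),
};

// Returns Map<targetUrl, {via, param, depth}> of every URL found inside the
// query string of `link`, recursing into each target that is itself a link.
function extractTargets(link, depth = 0, found = new Map()) {
  let parsed;
  try {
    parsed = new URL(link);
  } catch {
    return found; // not a URL: nothing to inspect
  }
  if (depth > MAX_DEPTH) return found;
  for (const [param, value] of parsed.searchParams) {
    for (const [via, decode] of Object.entries(DECODERS)) {
      const candidate = decode(value);
      if (!candidate || !URL_RE.test(candidate) || found.has(candidate)) continue;
      found.set(candidate, { via, param, depth });
      extractTargets(candidate, depth + 1, found);
    }
  }
  return found;
}

// Constructed sample: one redirector link hiding a nested hop (whose own
// parameter is base64), a reversed URL, a hex URL and an unrelated session id.
const FINAL = 'https://shop.example/item?id=7';
const HOP2 = 'https://hop2.example/go?x=' + encodeURIComponent(Buffer.from(FINAL).toString('base64'));
const SAMPLE_LINK = 'https://redir.example/out'
  + '?to=' + encodeURIComponent(HOP2)
  + '&r=' + encodeURIComponent([...'https://news.example/a'].reverse().join(''))
  + '&h=' + Buffer.from('http://cdn.example/x.js').toString('hex')
  + '&sid=12345';

// Print each recovered target, indented by how deeply it was nested.
for (const [url, info] of extractTargets(SAMPLE_LINK)) {
  console.log(`${'  '.repeat(info.depth)}${url}  (param "${info.param}", ${info.via})`);
}
```

Listing the recovered targets lets you judge the real destination of a link before the browser follows any hop.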
 

Prorootect

To block JavaScripts (On-Off switch):
You have QuickJS - link in Post #4.

Found too: No-Javascript Addon - by China-Cheats: No-Javascript Addon – Add-ons for Firefox
It's in English (not Chinese) hopefully.
Turn Javascript ON/OFF faster than ever. The Extension comes with a cool Interface, incl. Popup & Sound Notifications when Enabling/Disabling Javascript. New option: auto-refresh the web page.
Screenshot: https://addons.cdn.mozilla.net/user-media/previews/full/169/169709.png?modified=1501420190
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
When you have an adblocker which allows own filters (e.g. Adguard or uBlock Origin), you can add

||*^$script,subdocument,third-party,domain=~nl|~com|~org|~inf|

This sort of blocks redirects for all high level domains except NL, COM, ORG or INF

Check what your blocker supports, I just block all underwater links from high level domains I don't visit normally
for Adguard
||*^$script,object,object-subrequest,subdocument,xmlhttprequest,other,third-party,domain=~ABC|~DEF|~GHI|

for uBlock Origin
||*^$script,object,object-subrequest,subdocument,xmlhttprequest,websocket,other,third-party,domain=~ABC|~DEF|~GHI|

ABC, DEF and GHI are the high level domains you want to allow (add more with |~JKL|~MNO|~PGR|~etc| )
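
How the options in the first rule above combine can be shown with a small model. This is an added example, not part of the original post and not uBlock Origin's or AdGuard's code: it assumes Adblock-Plus-style semantics in which `domain=` is matched against the page making the request using whole-label suffix matching, it approximates "third-party" by comparing the last two host labels, and all host names are constructed.

```javascript
// Added example: simplified model of Adblock-Plus-style filter options.
const TYPES = new Set(['script', 'subdocument', 'object', 'object-subrequest',
  'xmlhttprequest', 'websocket', 'ping', 'other']);

// Rule quoted from the post above.
const RULE = '||*^$script,subdocument,third-party,domain=~nl|~com|~org|~inf|';

function parseRule(rule) {
  const cut = rule.lastIndexOf('$');
  if (cut < 0) throw new Error('rule has no $options part');
  const out = { pattern: rule.slice(0, cut), types: new Set(),
    thirdParty: false, exemptPages: [], onlyPages: [] };
  for (const opt of rule.slice(cut + 1).split(',')) {
    if (opt === 'third-party') {
      out.thirdParty = true;
    } else if (opt.startsWith('domain=')) {
      for (const d of opt.slice('domain='.length).toLowerCase().split('|')) {
        if (d === '') continue; // tolerate the trailing "|" used in the post
        if (d.startsWith('~')) out.exemptPages.push(d.slice(1));
        else out.onlyPages.push(d);
      }
    } else if (TYPES.has(opt)) {
      out.types.add(opt);
    } else {
      throw new Error('option not modelled here: ' + opt);
    }
  }
  return out;
}

// Whole-label suffix match: "com" covers "www.shop.com" but not "example.community".
const under = (host, suffix) => host === suffix || host.endsWith('.' + suffix);

// ASSUMPTION: registrable domain = last two labels. Real blockers consult the
// Public Suffix List, so names such as "example.co.uk" need more than this.
const siteOf = (host) => host.split('.').slice(-2).join('.');

// req = { pageHost, requestHost, type }. The pattern "||*^" is treated as
// "any URL" (assumption); only the options are evaluated.
function ruleBlocks(rule, req) {
  const r = parseRule(rule);
  if (r.types.size > 0 && !r.types.has(req.type)) return false;
  if (r.thirdParty && siteOf(req.pageHost) === siteOf(req.requestHost)) return false;
  // domain= is tested against the page making the request, not its target.
  if (r.exemptPages.some((d) => under(req.pageHost, d))) return false;
  if (r.onlyPages.length > 0 && !r.onlyPages.some((d) => under(req.pageHost, d))) return false;
  return true;
}

// Constructed requests (hypothetical hosts) run through the rule.
const SAMPLES = [
  { pageHost: 'stream.example.ws', requestHost: 'ads.tracker.com', type: 'script' },
  { pageHost: 'www.shop.com', requestHost: 'ads.tracker.com', type: 'script' },
  { pageHost: 'stream.example.ws', requestHost: 'static.example.ws', type: 'script' },
  { pageHost: 'stream.example.ws', requestHost: 'ads.tracker.com', type: 'image' },
  // "inf" and "info" are different labels, so this page gets no exemption here.
  { pageHost: 'portal.example.info', requestHost: 'frames.other.ws', type: 'subdocument' },
];

function evaluateSamples() {
  return SAMPLES.map((s) => ({ ...s, blocked: ruleBlocks(RULE, s) }));
}

console.table(evaluateSamples());
```

In this model the exemption follows the page you are on, so a third-party script from a `.com` host is still blocked when the page itself sits under a TLD that is not on the exempt list.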
 

Prorootect

When you have an adblocker which allows own filters (e.g. Adguard or uBlock Origin), you can add

||*^$script,subdocument,third-party,domain=~nl|~com|~org|~inf|

This sort of blocks redirects for all high level domains except NL, COM, ORG or INF

Check what your blocker supports, I just block all underwater links from high level domains I don't visit normally
for Adguard
||*^$script,object,object-subrequest,subdocument,xmlhttprequest,other,third-party,domain=~ABC|~DEF|~GHI|

for uBlock Origin
||*^$script,object,object-subrequest,subdocument,xmlhttprequest,websocket,other,third-party,domain=~ABC|~DEF|~GHI|

ABC, DEF and GHI are the high level domains you want to allow (add more with |~JKL|~MNO|~PGR|~etc| )

Thank you very much Windows_Security Kees! And Happy New year to you and your family!

... but I don't have an ad blocker, sorry..

My Policy Control extension/add-on (on Nightly browser) works like an ad blocker too, with options:
Script on Block third-party,
Sub document (iframes and frames) on Block all, and
XMLHttpRequest on Block third-party...
- works good, I've too Behind the Overlay and Gif Block on Nightly, and on Firefox Gif blocker and Behind the Overlay Revival, plus Policy Control of course...
On chromium forks have ScriptSafe, Script Blocker for Chrome or Policy Control, and ZenMate Web Firewall, Auto Overlay Remover... no pure ad blockers - yes Content-aware Ad Blocker!
 

Windows_Security

Thx same to you (y)

Policy control is a nice extension which allows in depth control (really simple to use with allow, block third-party and block all). The rules examples I posted are less restrictive (and can be overruled with uBlock Origin's menu) because it allows all for the excluded high level domains (NL, COM, NET, ORG and INF in the examples below).

# Block plug-ins for all third-party (don't use PDF, Flash or Java plug-in anymore)
*^$object,object-subrequest,third-party

# Block behind-the-scene communication not from high level domains NL, COM, NET, ORG and INF
*^$xmlhttprequest,ping,websocket,domain=~nl|~com|~net|~org|~inf

# Block third-party plug-ins, scripts and (i)frames not from high level domains NL, COM, NET, ORG and INF
*^$script,subdocument,third-party,domain=~nl|~com|~net|~org|~inf

It is good to provide some monitoring on site redirects cross site connections, so I just wanted to outline this option also in this informative thread.

NOTE: you can check whether this rules wor
 

Prorootect

Thx same to you (y)

Policy control is a nice extension which allows in depth control (really simple to use with allow, block third-party and block all). The rules examples I posted are less restrictive (and can be overruled with uBlock Origin's menu) because it allows all for the excluded high level domains (NL, COM, ORG and INF in the example below). Using two lines it is possible to block for first and third-party (first rule) or third-party only (second rule)

# block plug-in (pdf,flash) subrequest except for high level domains NL, COM, ORG and INF
||*^$object-subrequest,domain=~NL|~COM|~ORG|~INF|

# block automated third-party connections except for high level domains NL, COM, ORG and INF
||*^$script,object,subdocument,xmlhttprequest,websocket,other,third-party,domain=~ABC|~DEF|~GHI|

It is good to provide some monitoring on site redirects cross site connections, so I just wanted to outline this option also in this informative thread.

- I see your good intentions, which will be appreciated above all by those who will benefit from this advice!
Thank you!


If it is about redirects, there is surely a huge multitude, I have only given examples that are the top of iceberg, all the iceberg is to flush out, especially by Google!
It's easy to find these 'One moment...", and Google must know them... maybe it's getting the financial benefits of their presence?
 