Question Weird site in f-secure blocked sites logs

Status
Not open for further replies.

Moonhorse

Level 38
Thread author
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
So my mother was visiting me yesterday and used my new desktop to sign in to https://medinet.pohjoiskarjala.net/ and she told me that it redirected her to MS.Codes - Genuine Software Product keys, which F-Secure marked as a malicious webshop. VirusTotal doesn't give any sign of fraud on this site. For me this doesn't make sense; why would it redirect to a site like that?

So I'm guessing: was I infected with some kind of PUP that forced the mscodes site to open?

Secondly, I bought a cheapish license for Windows 11 Pro from a Finnish seller; it was an OEM license and is activated to my motherboard now. Can such a poor license affect the pop-up? (I guess not.)

Anyway, I scanned the computer with an F-Secure full scan, NPE, KVRT & AdwCleaner and nothing was found. I also reset my router, made a stronger password, and checked connected devices, etc.

It is hard to say where this pop-up came from since I did not see it myself. Is the mscodes site legit at all? Anyway, I'm running a clean install of Windows from a fresh USB stick and everything seems to be okay for now.
 

Bot

AI-powered Bot
Apr 21, 2016
4,315
It's possible that the redirection was caused by an ad or a pop-up on the original site your mother was trying to access, not necessarily a PUP on your computer. Your OEM license for Windows 11 Pro shouldn't affect this.

As for the legitimacy of MS.Codes, it's hard to say without more information. If F-Secure flagged it, there might be some risk involved. Always be cautious with sites selling software keys at significantly reduced prices.

Glad to hear you've taken steps to secure your system and everything seems okay now. It's always good to stay vigilant.
 

Moonhorse

> It's possible that the redirection was caused by an ad or a pop-up on the original site your mother was trying to access, not necessarily a PUP on your computer. Your OEM license for Windows 11 Pro shouldn't affect this.
>
> As for the legitimacy of MS.Codes, it's hard to say without more information. If F-Secure flagged it, there might be some risk involved. Always be cautious with sites selling software keys at significantly reduced prices.
>
> Glad to hear you've taken steps to secure your system and everything seems okay now. It's always good to stay vigilant.

That's a good answer. I used AdGuard so there should be no ads, but I'm not sure if the site asked for a Microsoft 365 login as well, and instead of a Microsoft URL it redirected her through ms.codes, which has nothing to do with this situation...
 

Bot

> That's a good answer. I used AdGuard so there should be no ads, but I'm not sure if the site asked for a Microsoft 365 login as well, and instead of a Microsoft URL it redirected her through ms.codes, which has nothing to do with this situation...

It's unusual, but it could be a case of a malicious script or a compromised website. It's good that you're using Adguard, but no tool can guarantee 100% protection. It's always best to manually verify URLs before entering sensitive information. Continue monitoring your system for any suspicious activity.
 

Moonhorse

> It's unusual, but it could be a case of a malicious script or a compromised website. It's good that you're using Adguard, but no tool can guarantee 100% protection. It's always best to manually verify URLs before entering sensitive information. Continue monitoring your system for any suspicious activity.

I submitted the site to F-Secure and to Trend Micro as well, and I also contacted the site owner about this. I can't think of any reason why there was a visit to ms.codes other than this site, which may be related to the problem... Thank you, bot.
 

Bot

> I submitted the site to F-Secure and to Trend Micro as well, and I also contacted the site owner about this. I can't think of any reason why there was a visit to ms.codes other than this site, which may be related to the problem... Thank you, bot.

You've taken the right steps by reporting the issue and contacting the site owner. It's important to stay vigilant and proactive when it comes to potential cybersecurity threats. Keep monitoring your system and stay safe online!
 

Moonhorse

> I scanned the URL at VirusTotal and it came up as clean. It's not malicious, it's just one of the many sites illegally selling cheap volume license keys for Microsoft products.

Yeah, that's what I'm thinking as well, so there's nothing to worry about. I was just wondering where it came from and how I visited the page, since only my mother was using the desktop yesterday, and the site she visited was about personal medical info, so if that site were breached it would be a huge data breach or something.

The only thing that came to my mind was a PUP, but since AdwCleaner, NPE, KVRT and F-Secure found nothing, I have no clue where the site came from.

I reverted back to Trend Micro now. Is there any tool to see my site visiting history other than the browsing history?
 

Jonny Quest

Level 21
Verified
Top Poster
Well-known
Mar 2, 2023
1,081
FWIW I just checked on my end with F-Secure IS, and didn't have any redirect or issue with the 1st link. The 2nd was also fine. So maybe it was flagged due to the unrelated redirect to MS.Codes?
 

Moonhorse

> FWIW I just checked on my end with F-Secure IS, and didn't have any redirect or issue with the 1st link. The 2nd was also fine. So maybe it was flagged due to the unrelated redirect to MS.Codes?

They probably fixed the second link as I submitted it yesterday(?). It's a legit site, I guess, according to reviews I found on Google.

It's just weird that mscodes came from nowhere for F-Secure to block, or it was a promotion by some software I had on the computer and F-Secure blocked it outside of the browser, but I only have ASUS Armoury Crate, so I doubt they won't support sites like that.

Anyway, I asked my mother to sign in to the first link and it worked correctly, without issues. This was probably some issue with F-Secure banking protection, but it still doesn't tell where the mscodes came from.
 

bazang

Level 6
Jul 3, 2024
265
> So I'm guessing: was I infected with some kind of PUP that forced the mscodes site to open?

No.

The https:// medinet . pohjoiskarjala . net/ website performed the redirect when the site code was loaded into the browser. Somebody modified the website's JavaScript to perform the redirect. That is the method most commonly used to perform redirects. I would think most MT members would know this, but obviously not.
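
An added example (not part of the original post, and not the site's own code): a small static check that lists client-side redirects in a page's markup that leave the page's own host, the kind of modification described in the post above. The function name, sample page and hosts are constructed for illustration, and only literal redirect targets are detected.

```javascript
// Added example: static check for client-side redirects that leave the page's host.
// Only literal targets are caught; computed or obfuscated targets need a
// dynamic check (e.g. the browser's network log). All names are hypothetical.
const SINKS = [
  // location = "...", window.location.href = '...'
  { kind: 'location-assign',
    re: /\b(?:(?:window|top|self|parent|document)\.)?location(?:\.href)?\s*=\s*(["'`])(.+?)\1/g },
  // location.replace("...") / location.assign("...")
  { kind: 'location-call',
    re: /\blocation\.(?:replace|assign)\(\s*(["'`])(.+?)\1\s*\)/g },
  // <meta http-equiv="refresh" content="0; url=...">
  { kind: 'meta-refresh',
    re: /<meta[^>]+http-equiv\s*=\s*(["'])refresh\1[^>]*content\s*=\s*["'][^"']*?url\s*=\s*([^"'>\s]+)/gi },
];

function findOffsiteRedirects(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const { kind, re } of SINKS) {
    for (const m of html.matchAll(re)) {
      let target;
      try {
        target = new URL(m[2], pageUrl); // resolve relative targets against the page
      } catch {
        continue; // not a parseable URL literal
      }
      if (target.hostname !== pageHost) {
        findings.push({ kind, host: target.hostname, url: target.href });
      }
    }
  }
  return findings;
}

// Constructed sample page (not the real site's markup): one same-site redirect,
// one off-site script redirect and one off-site meta refresh.
const SAMPLE_PAGE = `
<html><head>
<meta http-equiv="refresh" content="5; url=https://keys.shop.example/offer">
<script>
  if (!loggedIn) { window.location.href = "/login"; }
  setTimeout(function () { top.location.replace('https://keys.shop.example/?ref=1'); }, 10);
</script>
</head></html>`;

console.log(findOffsiteRedirects(SAMPLE_PAGE, 'https://portal.example/start'));
```

Run against a saved copy of a page and the scripts it loads, an empty result only means no literal off-site redirect was found in that copy.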
 

Moonhorse

> No.
>
> The https:// medinet . pohjoiskarjala . net/ website performed the redirect when the site code was loaded into the browser. Somebody modified the website's JavaScript to perform the redirect. That is the method most commonly used to perform redirects. I would think most MT members would know this, but obviously not.

Thanks for the clarification, I understand the problem now. Well, I have been a member here at MalwareTips for a long time, but I'm just a noob myself when it comes to PCs/IT tech. I'm trying to help people at my skill level and be an active member, but that doesn't mean I understand everything that's "basic" info for someone. Appreciate the comment though (y)
 

bazang

> Thanks for the clarification, I understand the problem now. Well, I have been a member here at MalwareTips for a long time, but I'm just a noob myself when it comes to PCs/IT tech. I'm trying to help people at my skill level and be an active member, but that doesn't mean I understand everything that's "basic" info for someone. Appreciate the comment though (y)

A good place to start is to study the "OWASP Top 10." What you find there, you then search for on the OWASP website to find more info that explains what the various attack details are.

This info will protect you far more than any security solution.

I will stop there because I know the probability that anybody will do the research is virtually 100% "Nope."
 

LoLs

Level 3
Verified
Dec 16, 2016
102
> visiting history

You can use NextDNS for tracking.
1st: Set up NextDNS in the browser with DoH and give it an ID, e.g. chromeB250
2nd: Set it at the network level too (Network & Internet - Ethernet) and set another ID, e.g. ASUSB250

The tracking log looks like this.
[image: gy0KW1H.jpeg]

And with NextDNS there is a blocklist/denylist/allowlist feature.
[image: FEUkzlR.jpeg]

[image: mBH6npZ.jpeg]

Btw, Kaspersky or Avast might work better than F-Secure.
 