I'm observing some dodgy behaviour on the opensubtitles.org site. I have written to their forums but did not get an answer.
The issue I'm dealing with is the opening of third-party sites. All of them are scams. They appear when clicking on the top link bar (i.e. Request, Upload...). There's also word that some users got duped and had money stolen when entering credit card details, since the sites were posing as a user verification service when registering an opensubtitles.org account. Obviously the sites were informing them this is a free opensubtitles subscription user verification and their credit card will never be charged.
I would like to get to the bottom of this. What is the mechanic behind this kind of redirection? Are they merely a byproduct of the advertising companies they are using? If this kind of activity is happening with their knowledge, I think it's a very dirty practice for a community-based site, or any site for that matter.
So some analysis so far.
I have tried on different machines (Windows 7, Windows 10) and different browsers (Edge, Chrome). I even set up a clean Windows 10 machine and even Chrome on Android. The result is the same, so I presume it's not a client-side infection.
The redirection happens the first time you click the link. Subsequent attempts result in getting to a correct opensubtitles site.
When a link is clicked, I first get redirected through an intermediate site - paclitor.com.
Then an automatic redirect takes me to various malicious sites.
And these are screenshots from Android
The sites mentioned are usually linked to companies stationed in Cyprus.
These are the links to various sites describing some of the domains I get redirected to:
So, what is your opinion? What can be done to alleviate this problem? Can a user do anything to avoid getting these redirections or are we at the mercy of the site admins? I do have adblock+ installed but it seems it does not help in this case.
If anyone is interested, you can try it yourself. I can also provide pcaps or other debug info if needed.
Edited by jokeman, 26 May 2017 - 05:11 AM.