I'm a big-time 'less is more' advocate. Please do not mess with my inputs unless you are making a video game, and even then...
To any designers out there, really ask yourself if you can engineer better scrolling than what is built into our devices already. Maybe 10 years ago you could have and it would be easy, but web browsers on every platform are pretty good right now in terms of handling our inputs.
I would love an HN "AMA" from someone who built one of these monstrosities, to understand how their company processes work/fail, resulting in a work product like this. Doesn't anyone at any point through design/development/deployment speak up and say "Uhh... am I the only one who can see how awful this is?"
I reverse engineered a sketchy link I got in an SMS. I opened up Tor, then went to a URL
'de-shortener' service. Furthermore, I saw an interstitial page with a JavaScript payload in it, and it was all obfuscated and obviously coded to hide what it was doing.
I could have gone further and unpacked the code, beautifying it to see what 0 day it was leveraging, but I didn't proceed further. Obviously, this was designed to take over my device. Luckily, my default browser is Firefox with JavaScript turned off, so it wouldn't have been able to execute if I did click on the link.
As someone who is responsible for abuse reports, one of the things I like about services such as hybrid-analysis, joe's sandbox, urlscan.io etc is that I can get some info about a link without having to worry about my local computer or maintain a sandbox.
Also, a lot of sketch URLs belong to 'booters' and exist only to collect the IP address of whatever connects to them so someone can ddos it later.
So in my case I don't want my IP exposed, so I used the Tor Browser Bundle and used something similar to URLEX which expands short links typically found in SMS links. More often than not, the links are benign and trying to phish you, but now and then you find a malicious payload.
IMO much more likely they're mining, phishing, or advertising than sending out 0-days to random phone numbers. Unless you're a far more influential bloke than you're letting on.
29 comments
[ 2.5 ms ] story [ 69.0 ms ] threadTo any designers out there, really ask yourself if you can engineer better scrolling than what is built into our devices already. Maybe 10 years ago you could have and it would be easy, but web browsers on every platform are pretty good right now in terms of handling our inputs.
Edit: all the way at the bottom there's a link to the full report: https://citizenlab.ca/2022/04/catalangate-extensive-mercenar...
I could have gone further and unpacked the code, beautifying it to see what 0 day it was leveraging, but I didn't proceed further. Obviously, this was designed to take over my device. Luckily, my default browser is Firefox with JavaScript turned off, so it wouldn't have been able to execute if I did click on the link.
To get the last URL in a redirect chain with `curl`:
As someone who is responsible for abuse reports, one of the things I like about services such as hybrid-analysis, joe's sandbox, urlscan.io etc is that I can get some info about a link without having to worry about my local computer or maintain a sandbox.
Also, a lot of sketch URLs belong to 'booters' and exist only to collect the IP address of whatever connects to them so someone can ddos it later.
[0] https://urlex.org/
https://citizenlab.ca/2022/04/catalangate-extensive-mercenar...