Help decloaking the cloaked affiliate links.

Paul Wright · 27-09-06

My turn for help

Can somebody please explain to me what’s going on here. It’s some kind of cloaking.

If you build a webpage using the following code:

HTML Code:

<html>
<head>
<title>Buy Cosmetics</title>
<script>window.status = ' ';</script>
<script>document.write(unescape("%3c%66%72%61%6d%65%73%65%74%20%62%6f%72%64%65%72%3d%30%20%66%72%61%6d%65%73%70%61%63%69%6e%67%3d%30%20%66%72%61%6d%65%62%6f%72%64%65%72%3d%30%20%72%6f%77%73%3d%2a%3e%3c%66%72%61%6d%65%20%6d%61%72%67%69%6e%77%69%64%74%68%3d%30%20%6d%61%72%67%69%6e%68%65%69%67%68%74%3d%30%20%73%72%63%3d%68%74%74%70%3a%2f%2f%77%77%77%2e%62%75%79%63%6f%73%6d%65%74%69%63%73%2e%61%74%2f%62%6c%75%65%62%61%72%72%61%63%75%64%61%3e%3c%2f%66%72%61%6d%65%73%65%74%3e%3c%6e%6f%66%72%61%6d%65%73%3e"))</script>
<script>document.write(unescape("%3c%2f%6e%6f%66%72%61%6d%65%73%3e"))</script>
</head>
</html>

Open it up in your browser you’ll see that this is cloaking a redirect through an affiliate link that goes to the buycosmetics.com site.

What weird is that if you then view source you don’t see the buycosmetics.com code but some scrambled text.

I’m guessing that I’m missing something completely obvious here but what is it?

Cheers
Paul.

Fraser · 27-09-06

It looks like it's loading up the affiliate link in an iframe but in a disguised way. You can use

http://www.albionresearch.com/misc/urlencode.php

to decode all the coded bit.

Gavinio · 27-09-06

It's just URL encoded isn't it?

Code:

<frameset border=0 framespacing=0 frameborder=0 rows=*><frame marginwidth=0 marginheight=0 src=http://www.buycosmetics.at/bluebarracuda></frameset><noframes>

PS I'm no techie so slap me if I'm stating the obvious.

Frostie · 27-09-06

Yeah

This translates to loading BuyCosmetics in an iFrame. The culprit in this case is;
http://www.buycosmetics.at/bluebarracuda

Any idea who BlueBarracuda is?

renegade · 27-09-06

That looks like UUEncoded text in a javascript wrapper, I use a utility to encode email addresses on websites to help reduce spam.

Paul Wright · 28-09-06

Haha, congratulations, you've all passed the test.

The actual affiliate link used was a dummy account I use to test our affiliate programs and it was me who scrambled it using an online tool I found yesterday.

What I was trying to find out was what the heck was going on.. or how the tool worked... and as fraser kindly pointed out... how to unscramble it.

It's all going in my little black book under "things that people do to hide thier links".

Mucho gracias

Paul.

Dynamoo · 28-09-06

SamSpade for Windows is a great tool for investigating links. Although it wouldn't help with the Javascript issue, it's a useful tool for following them step-by-step.

A neat way of deobfuscating JS can be found in Follow the Bouncing Malware IX (scroll down to Doctor! No!). Basically, you wrap the whole thing up like this:

Quote:

In the above code, this can be accomplished by putting the following before the call to document.writeln(o):

document.write("<textarea cols=100 rows=100>");

and the following immediately after:

document.write("</textarea>");

Uh it's the kind of think I sometimes end up doing in my real life work.