RiversideRocks
Posted on December 9, 2020
Recently I was taking a look at the access logs for my website. Nothing too unusual, just the regular hacking attempts. I was reading them when I noticed this request.
185.220.100.243 - - [09/Dec/2020:07:17:37 -0500] "GET / HTTP/1.1" 200 2212 "https://freevpn.space/web-proxy/riverside.rocks" "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0"
First of all, a few things to note about this request: the first is that it is almost definitely a bot. Firefox 68 is old and nobody uses it anymore. Second, after a lookup of the IP on AbuseIPDB, it is from the Tor network:
My first thought was, oh crap, my website is on some proxy list, this is bad. But after some more digging, it looks like this is a scam. I decided to follow the link in the referrer with cURL to get an idea of where it went.
It forwards the user to a very shady-looking website with what looks like an affiliate tag in the HTTP referrer.
This website then forwards you to ExpressVPN.com with the affiliate code. My best guess is that these scammers are exploiting ExpressVPN's affiliate program to make some easy cash by scaring webmasters. Stay safe folks!
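The three tells in the log line above (a third-party referrer whose path embeds the site's own hostname, a "web-proxy" style referrer path, and a stale Firefox version) can be checked mechanically. The following is an added example, not code from the post: it parses combined-format access log lines and flags entries that match those tells. The sample lines, the OWN_HOST value, the path hints and the Firefox version threshold are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" log format. The first
# reproduces the pattern from the post; the other two are ordinary traffic.
SAMPLE_LOG = """\
185.220.100.243 - - [09/Dec/2020:07:17:37 -0500] "GET / HTTP/1.1" 200 2212 "https://freevpn.space/web-proxy/riverside.rocks" "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0"
203.0.113.7 - - [09/Dec/2020:08:01:02 -0500] "GET /about HTTP/1.1" 200 1810 "https://riverside.rocks/" "Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
198.51.100.9 - - [09/Dec/2020:08:05:40 -0500] "GET / HTTP/1.1" 200 2212 "-" "curl/7.68.0"
"""

# Combined log format: ip ident user [time] "request" status size "referrer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

OWN_HOST = "riverside.rocks"          # assumption: the site whose logs are examined
PROXY_PATH_HINTS = ("web-proxy",)     # assumption: path words seen in proxy-style referrers
STALE_FIREFOX_BELOW = 78              # assumption: versions older than this count as stale

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def referrer_flags(entry, own_host=OWN_HOST):
    """Return the reasons an entry looks like referrer spam (empty list means clean)."""
    flags = []
    ref = entry["referrer"]
    if ref and ref != "-":
        parts = urlsplit(ref)
        # A foreign host whose path carries our hostname: the web-proxy pattern from the post.
        if parts.hostname and parts.hostname != own_host and own_host in parts.path:
            flags.append("third-party referrer embeds own hostname")
        if any(hint in parts.path.lower() for hint in PROXY_PATH_HINTS):
            flags.append("proxy-style referrer path")
    m = re.search(r"Firefox/(\d+)", entry["ua"])
    if m and int(m.group(1)) < STALE_FIREFOX_BELOW:
        flags.append("stale Firefox user agent")
    return flags

def scan(log_text):
    """Map client IP -> flags for every parseable line that raised at least one flag."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            flags = referrer_flags(entry)
            if flags:
                hits[entry["ip"]] = flags
    return hits
```

Flagged entries are candidates for a referrer filter or a rule in your log alerting, not proof of anything on their own; the Tor lookup the post describes still needs a separate IP reputation check.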