False Positive | go.skimlinks.com

[obyg11770]

What are the subjects of the false-positive (domains, URLs, or IPs)?

https://go.skimresources.com/
go.skimresources.com

Why do you believe this is a false-positive?

I believe this is a false-positive because this is a legitimate advertising network that is used by thousands of websites to drive
$6m+ in sales daily across 48,500 merchants worldwide

How did you discover this false-positive(s)?

VirusTotal

Where did you find this false-positive if not listed above?

I discovered this false-positive by...

Have you requested a review from other sources?

I have requested a review from...
virus total but they sent me to you

Do you have a screenshot?

Screenshot

 

Additional Information or Context

this is the second time i have reached out to you with no response.

[spirillen]

@funilrys @mitchellkrogza I'm missing the power to edit OP msg. In this case I would like to add the ``` to the urls + fixing the image line

@obyg11770

I can see there are lots of spookier destination links in the list, and as my VM are not turned on, I'm not the one checking any of these out.

Leaving for other to test and judge

wget -qO- "https://phish.co.za/latest/ALL-phishing-links.lst" | grep -i '\.skimresources\.com'
http://hsn.app.link/3p?$3p=e_et&$original_url=https://go.skimresources.com/?id=129857X1600501&url=https://p.dtns.me/t/61f00be30628bf732c052b1c?r=https://secure.adnxs.com/seg?redir=http://amorlowzba36.haztedigital.cl/ct/new/css/[email protected]
https://go.skimresources.com/?id=126006X1587360&xs=1&isjs=1&url=https://furnimart.in/BT329685/dGl0bGV1bml0MUBjdHQuY29t
https://go.skimresources.com/?id=126006X1587360&xs=1&isjs=1&url=https://furnimart.in/BT329685/dGl0bGV1bml0MUBjdHQuY29t&xguid=01FF0J812A714ZCD82XKBYR97N&persistence=1&checksum=ee353b273cd133198aec87cc3ba4f45c985039243cec1770acdac2d39b8a3a7a
https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fmeadow-tiny-month.glitch.me/56bh7c4e.html
https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fnewworldenclosures.com/wp-includes/js/Wellsv2
https://go.skimresources.com/?id=129857X1600601&url=https://bafkreig2ox6scs3dco5umljsr6seap2bj7jcwsw7zxavxxvrczordwajfu.ipfs.dweb.link
https://go.skimresources.com/?id=209867X1689872&&url=https://s.free.fr/4TFQugKa
https://hsn.app.link/3p?$3p=e_et&$original_url=https://go.skimresources.com/?id=129857X1600501&url=https://p.dtns.me/t/61f00be30628bf732c052b1c?r=https://secure.adnxs.com/seg?redir=http://amorlowzba36.haztedigital.cl/ct/new/css/[email protected]
https://www.skimresources.com/?id=92X363&xcust=trdpro_us_1541938487208509200&xs=1&url=https://lovenestfamily.org/yiivkfxc/webmail-RD127/index.html

[g0d33p3rsec]

https://go.skimresources.com/?id=126006X1587360&xs=1&isjs=1&url=https://furnimart.in/BT329685/dGl0bGV1bml0MUBjdHQuY29t

oddly, redirects to a safe browsing lookup
https://app.any.run/tasks/ded1b21a-f0d1-4a3b-9163-400d2faf4717

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fnewworldenclosures.com/wp-includes/js/Wellsv2

another safe browsing lookup
https://app.any.run/tasks/23425e7c-ffae-4881-8c7e-194483773695

https://go.skimresources.com/?id=209867X1689872&&url=https://s.free.fr/4TFQugKa

safe browsing lookup
https://app.any.run/tasks/b3da24c1-655b-43a8-a605-3c0822f1b084

https://hsn.app.link/3p?$3p=e_et&$original_url=https://go.skimresources.com/?id=129857X1600501&url=https://p.dtns.me/t/61f00be30628bf732c052b1c?r=https://secure.adnxs.com/seg?redir=http://amorlowzba36.haztedigital.cl/ct/new/css/?email=<REDACTED>

redirects to hsn.com
https://app.any.run/tasks/6e4e1244-67cf-4a12-887f-4055cb2fa790

the other URIs are returning 404s and 410s

[g0d33p3rsec]

I see multiple instances of your service redirecting to malicious content on the free host jimdosite.com, which then redirects to https://www.primechoicefinance.com.au/dykjj.php?.... The final target appears to have been removed as now it just returns a wordpress placeholder suggesting a site that had been previously compromised.

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fys-law-firm.jimdosite.com -> https://ys-law-firm.jimdosite.com/
https://urlscan.io/result/acd3f99a-e5f7-401a-a522-226c846e99c5/

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fnanua-and-ioffe-lawyers.jimdosite.com -> https://nanua-and-ioffe-lawyers.jimdosite.com/
https://urlscan.io/result/703553f4-f084-4323-8c32-30dc71d8db45/

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fark-fire-protection.jimdosite.com ->https://ark-fire-protection.jimdosite.com/
https://urlscan.io/result/2636ea2f-3c26-497b-8077-96f2310b3a82/

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fkinver-business.jimdosite.com -> https://kinver-business.jimdosite.com/
https://urlscan.io/result/3c02ad65-ddd8-4f47-822c-281bb84e7c96/#summary

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fabaco-international-loss-adjusters.jimdosite.com -> https://abaco-international-loss-adjusters.jimdosite.com/
https://urlscan.io/result/b3072e8c-0b51-45df-935d-269494ac466b/

http://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fswiss-hospitality-and-partners.jimdosite.com -> https://swiss-hospitality-and-partners.jimdosite.com/
https://urlscan.io/result/d1cee180-6d66-4101-bc57-90ea09faa7ff/

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fjbs-expedite-ltd.jimdosite.com -> https://jbs-expedite-ltd.jimdosite.com/
https://urlscan.io/result/619e43c0-c071-49ca-b7ec-b2d979fb9523/#summary

https://urlscan.io/result/f2ce8f71-5325-4098-9e88-20d7508b2b8a/

scan of https://www.primechoicefinance.com.au/dykjj.php?... from November 2, 2024
https://urlscan.io/result/2f4afe26-bd63-4598-9132-22fdb424ec7e/

[g0d33p3rsec]

I believe this is a false-positive because this is a legitimate advertising network that is used by thousands of websites to drive
$6m+ in sales daily across 48,500 merchants worldwide

true positives confirmed, the ad-tech pitch does nothing to mitigate the threats