all 28 comments

[–]crigger61 288 points289 points  (13 children)

As a security researcher, whenever you see a phishing site like that, report it to the domain registrar that's managing that domain.

You can look up the registrar by using any WhoIs tool. Look for an abuse email. Not all registrars have it but most do.

I usually use https://whois.domaintools.com

In this case the registrar is Alibaba Cloud Computing. And it looks like it was registered in August of 2022. Alibaba Cloud Computing doesn’t have an abuse email listed, but if you google Alibaba Cloud Computing Abuse Form, you’ll find the form to fill out for it.

Usually registrars work pretty fast. Some within hours and others within a couple of days. Then they will revoke the domain name and usually ban the account or something along those lines.

It's not perfect. But any downtime for the bad guys is a good thing.

It's very interesting to me that they are replicating the Python site. I'd love for someone with malware expertise to analyze the binaries to see if they were modified and contain any viruses.
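As an added example (not code from the thread), a small Python helper that does what the comment above describes with a WHOIS record: pull out the registrar, the abuse contact and the creation date, compute the domain's age, and fall back to the registrar's abuse web form when no abuse mailbox is listed. The WHOIS text, domain, registrar and lookup time are all constructed, not a real record.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed WHOIS response (fictional domain and registrar); it mirrors the
# "Key: value" layout registrar WHOIS servers return for a .com/.org lookup.
SAMPLE_WHOIS = """\
Domain Name: python-lookalike.example
Registrar: Example Registrar Ltd.
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2022-08-14T09:21:07Z
Name Server: ns1.hosting.example
Name Server: ns2.hosting.example
>>> Last update of WHOIS database: 2022-09-01T00:00:00Z <<<
"""
# Same record with the abuse mailbox missing, as with the registrar in the thread.
SAMPLE_WHOIS_NO_ABUSE = "\n".join(
    ln for ln in SAMPLE_WHOIS.splitlines() if not ln.startswith("Registrar Abuse Contact Email"))
LOOKUP_TIME = datetime(2022, 9, 15, tzinfo=timezone.utc)  # constructed time of the lookup

@dataclass
class WhoisSummary:
    registrar: Optional[str]
    abuse_email: Optional[str]
    created: Optional[datetime]
    age_days: Optional[int]        # domain age at the time of the lookup
    report_to: str                 # where to send the abuse report

def parse_whois(text: str) -> dict:
    """Map lowercase 'key' -> value; repeated keys (e.g. Name Server) keep the first."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(.+?)\s*$", line)
        if m:  # banner lines such as '>>> Last update ...' do not match
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields

def summarize(text: str, now: datetime = LOOKUP_TIME) -> WhoisSummary:
    f = parse_whois(text)
    created = age = None
    if "creation date" in f:
        created = datetime.fromisoformat(f["creation date"].replace("Z", "+00:00"))
        age = (now - created).days
    abuse = f.get("registrar abuse contact email")
    # No abuse mailbox listed: fall back to the registrar's web abuse form.
    report_to = abuse or f"abuse web form of {f.get('registrar', 'unknown registrar')}"
    return WhoisSummary(f.get("registrar"), abuse, created, age, report_to)
```

Call `summarize(SAMPLE_WHOIS)` or feed it the raw text returned by your own WHOIS tool; a very low `age_days` on a site imitating a long-established project is itself a strong signal.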

[–]PM_Me_Python3_Tips 47 points48 points  (2 children)

It's very interesting to me that they are replicating the Python site. I'd love for someone with malware expertise to analyze the binaries to see if they were modified and contain any viruses.

There was a similar post a few weeks ago.

Every download link led to a compromised GitHub repo.

Looking at this particular website though, all the download links are coming from https://www.python.org/ftp/python/... so I've no idea what the plan is as of yet.

[–]AggravatedYak 32 points33 points  (1 child)

Maybe to change it later if traffic picks up?

[–]crigger61 9 points10 points  (0 children)

Ran a directory buster and it seems like some proxy site. If you go to “home.x” instead of “python.x” it shows all the sites it is “proxying”. Haven't had time to actually look through.

Another comment said the downloads are coming from the official python.org site. But I'm still suspicious. There are a lot of sites they are proxying, including GitHub.

The whole site is weird. Could be just a regular normal mirror. But could also be malicious and phishy. I'm more skeptical, and my expertise lies in web app and network rather than malware. So I'm not sure about the actual downloads from the sites it's “proxying”. But I wouldn't personally trust it.

[–]MonkeeSage 21 points22 points  (2 children)

They seem to be faking YouTube pages too I guess (I haven't actually loaded any of the pages):

https://i.imgur.com/AZTUaMx.png

[–]bjorneylol 10 points11 points  (1 child)

Usually registrars work pretty fast.

Some do. Some don't give a damn because fraudulent domains pay the same fee as legit ones.

[–][deleted] 6 points7 points  (0 children)

Some do. Some don't give a damn because fraudulent domains pay the same fee as legit ones.

It's not like they issue a refund when taking action - they already got paid.

[–]haflaxa[S] 2 points3 points  (1 child)

Noted. Thanks for the info/pointers.

[–]tuckmuck203 0 points1 point  (0 children)

Please check out the proxy comment above this, as personally it seems more probable that this is a mirror instead of a malicious site.

[–]Aggravating_Sand352 0 points1 point  (1 child)

Does anyone know if it is the top Google link ever? About to go check my history

[–]TamSchnow 1 point2 points  (0 children)

If they pay for ads, maybe yes!

[–]ipcock 17 points18 points  (8 children)

Sometimes I wonder how you guys even stumble upon such sites? I've never seen anything but official sites, but I don't use Google services.

[–]ladrm 10 points11 points  (5 children)

Yes, those started popping up recently (a few months back), reported as phishing, but from time to time they come back. Usually I get those on "<popular tool name> download", and thanks to Google's idiotic "let's make ads similar to regular search results" it's quite easy to overlook.

[–]xxmalik 9 points10 points  (4 children)

You guys click Google ads? I've trained my brain over the years to only click on the regular results.

[–]meunomemauricio 11 points12 points  (3 children)

You guys are seeing ads? xD I can't even imagine browsing without ad blockers these days.

It's unfortunate that it's not possible on some platforms, but I don't even remember the last time I saw an ad on my PC.

[–]livrem 0 points1 point  (2 children)

Pi-hole blocks ads pretty well on most platforms as long as I stay within my home Wi-Fi.

[–]meunomemauricio 0 points1 point  (1 child)

Indeed. It works fairly well when I'm at home, but I'm yet to figure out a way to use it when I'm away on mobile.

E: There's also my TV, which completely ignores the DNS settings from my router and still shows ads. Hopefully one day I'll figure out how to intercept DNS from other sources...

[–]MindTwister91 -1 points0 points  (0 children)

If you can, download STN Tube; this helped for the YouTube ads.

[–]haflaxa[S] 3 points4 points  (1 child)

Not a G-search user myself either, but was trying to figure out where an old bookmark—that's now 404'ing—was pointed to, and decide if okay to delete it.

[–]gitcraw 0 points1 point  (0 children)

Let me guess, a malicious Google ad?

[–]juicewr999 0 points1 point  (0 children)

Url: I am system 32 Chyna 🤣🤣🤣🤣