False Positive | go.skimlinks.com

[obyg11770]

What are the subjects of the false-positive (domains, URLs, or IPs)?

https://go.skimresources.com/
go.skimresources.com

Why do you believe this is a false-positive?

I believe this is a false-positive because this is a legitimate advertising network that is used by thousands of websites to drive
$6m+ in sales daily across 48,500 merchants worldwide

How did you discover this false-positive(s)?

VirusTotal

Where did you find this false-positive if not listed above?

I discovered this false-positive by...

Have you requested a review from other sources?

I have requested a review from...
virus total but they sent me to you

Do you have a screenshot?

Screenshot

 

Additional Information or Context

this is the second time i have reached out to you with no response.

[spirillen]

@funilrys @mitchellkrogza I'm missing the power to edit OP msg. In this case I would like to add the ``` to the urls + fixing the image line

@obyg11770

I can see there are lots of spookier destination links in the list, and as my VM are not turned on, I'm not the one checking any of these out.

Leaving for other to test and judge

wget -qO- "https://phish.co.za/latest/ALL-phishing-links.lst" | grep -i '\.skimresources\.com'
http://hsn.app.link/3p?$3p=e_et&$original_url=https://go.skimresources.com/?id=129857X1600501&url=https://p.dtns.me/t/61f00be30628bf732c052b1c?r=https://secure.adnxs.com/seg?redir=http://amorlowzba36.haztedigital.cl/ct/new/css/?email=3mail@b.c
https://go.skimresources.com/?id=126006X1587360&xs=1&isjs=1&url=https://furnimart.in/BT329685/dGl0bGV1bml0MUBjdHQuY29t
https://go.skimresources.com/?id=126006X1587360&xs=1&isjs=1&url=https://furnimart.in/BT329685/dGl0bGV1bml0MUBjdHQuY29t&xguid=01FF0J812A714ZCD82XKBYR97N&persistence=1&checksum=ee353b273cd133198aec87cc3ba4f45c985039243cec1770acdac2d39b8a3a7a
https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fmeadow-tiny-month.glitch.me/56bh7c4e.html
https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fnewworldenclosures.com/wp-includes/js/Wellsv2
https://go.skimresources.com/?id=129857X1600601&url=https://bafkreig2ox6scs3dco5umljsr6seap2bj7jcwsw7zxavxxvrczordwajfu.ipfs.dweb.link
https://go.skimresources.com/?id=209867X1689872&&url=https://s.free.fr/4TFQugKa
https://hsn.app.link/3p?$3p=e_et&$original_url=https://go.skimresources.com/?id=129857X1600501&url=https://p.dtns.me/t/61f00be30628bf732c052b1c?r=https://secure.adnxs.com/seg?redir=http://amorlowzba36.haztedigital.cl/ct/new/css/?email=3mail@b.c
https://www.skimresources.com/?id=92X363&xcust=trdpro_us_1541938487208509200&xs=1&url=https://lovenestfamily.org/yiivkfxc/webmail-RD127/index.html

[g0d33p3rsec]

https://go.skimresources.com/?id=126006X1587360&xs=1&isjs=1&url=https://furnimart.in/BT329685/dGl0bGV1bml0MUBjdHQuY29t

oddly, redirects to a safe browsing lookup
https://app.any.run/tasks/ded1b21a-f0d1-4a3b-9163-400d2faf4717

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fnewworldenclosures.com/wp-includes/js/Wellsv2

another safe browsing lookup
https://app.any.run/tasks/23425e7c-ffae-4881-8c7e-194483773695

https://go.skimresources.com/?id=209867X1689872&&url=https://s.free.fr/4TFQugKa

safe browsing lookup
https://app.any.run/tasks/b3da24c1-655b-43a8-a605-3c0822f1b084

https://hsn.app.link/3p?$3p=e_et&$original_url=https://go.skimresources.com/?id=129857X1600501&url=https://p.dtns.me/t/61f00be30628bf732c052b1c?r=https://secure.adnxs.com/seg?redir=http://amorlowzba36.haztedigital.cl/ct/new/css/?email=<REDACTED>

redirects to hsn.com
https://app.any.run/tasks/6e4e1244-67cf-4a12-887f-4055cb2fa790

the other URIs are returning 404s and 410s

[g0d33p3rsec]

I see multiple instances of your service redirecting to malicious content on the free host jimdosite.com, which then redirects to https://www.primechoicefinance.com.au/dykjj.php?.... The final target appears to have been removed as now it just returns a wordpress placeholder suggesting a site that had been previously compromised.

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fys-law-firm.jimdosite.com -> https://ys-law-firm.jimdosite.com/
https://urlscan.io/result/acd3f99a-e5f7-401a-a522-226c846e99c5/

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fnanua-and-ioffe-lawyers.jimdosite.com -> https://nanua-and-ioffe-lawyers.jimdosite.com/
https://urlscan.io/result/703553f4-f084-4323-8c32-30dc71d8db45/

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fark-fire-protection.jimdosite.com ->https://ark-fire-protection.jimdosite.com/
https://urlscan.io/result/2636ea2f-3c26-497b-8077-96f2310b3a82/

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fkinver-business.jimdosite.com -> https://kinver-business.jimdosite.com/
https://urlscan.io/result/3c02ad65-ddd8-4f47-822c-281bb84e7c96/#summary

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fabaco-international-loss-adjusters.jimdosite.com -> https://abaco-international-loss-adjusters.jimdosite.com/
https://urlscan.io/result/b3072e8c-0b51-45df-935d-269494ac466b/

http://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fswiss-hospitality-and-partners.jimdosite.com -> https://swiss-hospitality-and-partners.jimdosite.com/
https://urlscan.io/result/d1cee180-6d66-4101-bc57-90ea09faa7ff/

https://go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fjbs-expedite-ltd.jimdosite.com -> https://jbs-expedite-ltd.jimdosite.com/
https://urlscan.io/result/619e43c0-c071-49ca-b7ec-b2d979fb9523/#summary

https://urlscan.io/result/f2ce8f71-5325-4098-9e88-20d7508b2b8a/

scan of https://www.primechoicefinance.com.au/dykjj.php?... from November 2, 2024
https://urlscan.io/result/2f4afe26-bd63-4598-9132-22fdb424ec7e/

[g0d33p3rsec]

I believe this is a false-positive because this is a legitimate advertising network that is used by thousands of websites to drive
$6m+ in sales daily across 48,500 merchants worldwide

true positives confirmed, the ad-tech pitch does nothing to mitigate the threats

[spirillen]

Moved this issue to the blocked projects list, as it seems stalled from OP.

[g0d33p3rsec]

@obyg11770 please see also the question @funilrys recently asked in your duplicate thread #944 (comment)

[g0d33p3rsec]

@obyg11770 I see that you replied to the other thread via email so tagging you again to this thread so that we can limit your issue to a single thread instead of scattering the information throughout the repo.

[spirillen]

I suggest we add these lines to a "onetime" whitelist, especially because the reporter @obyg11770 isn't related to the domain.

https: //go.skimresources.com/?id=126006X1587360&xs=1&isjs=1&url=https://furnimart.in/BT329685/dGl0bGV1bml0MUBjdHQuY29t
https: //go.skimresources.com/?id=126006X1587360&xs=1&isjs=1&url=https://furnimart.in/BT329685/dGl0bGV1bml0MUBjdHQuY29t&xguid=01FF0J812A714ZCD82XKBYR97N&persistence=1&checksum=ee353b273cd133198aec87cc3ba4f45c985039243cec1770acdac2d39b8a3a7a
https: //go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fmeadow-tiny-month.glitch.me/56bh7c4e.html
https: //go.skimresources.com/?id=129857X1600501&url=https%3A%2F%2Fnewworldenclosures.com/wp-includes/js/Wellsv2
https: //go.skimresources.com/?id=129857X1600601&url=https://bafkreig2ox6scs3dco5umljsr6seap2bj7jcwsw7zxavxxvrczordwajfu.ipfs.dweb.link
https: //go.skimresources.com/?id=209867X1689872&&url=https://s.free.fr/4TFQugKa
https: //www.skimresources.com/?id=92X363&xcust=trdpro_us_1541938487208509200&xs=1&url=https://lovenestfamily.org/yiivkfxc/webmail-RD127/index.html

@Phishing-Database/contributors Should we make a list for removal of records, but not permanent whitelist?

[g0d33p3rsec]

@Phishing-Database/contributors Should we make a list for removal of records, but not permanent whitelist?

I think that could be useful and generally safer than a whitelist for domains that may change hands in the future. A risk with the whitelist approach is that it is susceptible to domain hijacking if the owner moves on and allows their control of the domain to expire.

[obyg11770]

Can you please update me on the status of this as your system continues to incorrectly mark this url as phishing and it is now costing me money in lost revenue to my site.

…

On Sat, Jan 4, 2025 at 12:53 PM Scott Petty ***@***.***> wrote: @Phishing-Database/contributors <https://github.com/orgs/Phishing-Database/teams/contributors> Should we make a list for removal of records, but not permanent whitelist? I think that could be useful and generally safer than a whitelist for domains that may change hands in the future. A risk with the whitelist approach is that it is susceptible to domain hijacking if the owner moves on and allows their control of the domain to expire. — Reply to this email directly, view it on GitHub <#969 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOIVX4QKSFXGVHU22LQFJKT2JBC4HAVCNFSM6AAAAABUFFLR5GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNZRGQYDQOBSHA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[spirillen]

Please see #988 (comment) by admin

[obyg11770]

I do not understand these comments as I am not a developer.

…

On Mon, Jan 13, 2025 at 10:50 AM spirillen ***@***.***> wrote: Please see #988 (comment) <#988 (comment)> by admin — Reply to this email directly, view it on GitHub <#969 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOIVX4QBVXKRKCMV3FKV5TL2KQDIPAVCNFSM6AAAAABUFFLR5GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOBXHEZTQOJVGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[spirillen]

I do not understand these comments as I am not a developer.

AFAIK, we are whitelisting URL shortener already. @megaworldai if you can be listed in @PeterDaveHello's list https://github.com/PeterDaveHello/url-shorteners/ , it will be removed automatically from our project.

Are go.skimlinks.com not used for redirecting traffic and collecting PII data?

[obyg11770]

I am concerned about go.skimlinks.com not @megaworldai. this is the original tickte #944 skimlinks does not collect PII. PLease read the ticket linked above. go.skimlinks is an advertising network redirect link that is used for tracking sales conversions and managing payouts to publishers across. the world.

…

On Tue, Jan 14, 2025 at 3:46 AM spirillen ***@***.***> wrote: I do not understand these comments as I am not a developer. AFAIK, we are whitelisting URL shortener already. @megaworldai <https://github.com/megaworldai> if you can be listed in @PeterDaveHello <https://github.com/PeterDaveHello>'s list https://github.com/PeterDaveHello/url-shorteners/ , it will be removed automatically from our project. Are go.skimlinks.com not used for redirecting traffic and collecting PII data? — Reply to this email directly, view it on GitHub <#969 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOIVX4SZ4N5FUV7AR3CQJ3D2KT2KJAVCNFSM6AAAAABUFFLR5GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOBZG4YDGOJYHE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[g0d33p3rsec]

I am concerned about go.skimlinks.com not @megaworldai. this is the original tickte #944 skimlinks does not collect PII. PLease read the ticket linked above. go.skimlinks is an advertising network redirect link that is used for tracking sales conversions and managing payouts to publishers across. the world.

since you also seem to struggle with basic reading comprehension, the relevant part of the referenced comment is:

if you can be listed in @PeterDaveHello's list https://github.com/PeterDaveHello/url-shorteners/ , it will be removed automatically from our project.

TL;DR, you need to address the root cause and have the site delisted from the upstream source feeding into our database

[obyg11770]

Scott: I'm not sure why you are being such an asshole? I've been nothing but polite and patient. I'm not a developer. I don't work on github. I have no idea how to get the list updated. Your system is screwing me over and all you can do is respond with some cynical bs? Can you help me solve the problem instead? There is no way to contact @PeterDaveHello that I can find. How do I go about getting this domain delisted? What exact steps do I need to take? I'll do them. Thanks. On Jan 14, 2025, at 10:11 AM, Scott Petty ***@***.***> wrote:  I am concerned about go.skimlinks.com not @megaworldai <https://github.com/megaworldai>. this is the original tickte #944 <#944> skimlinks does not collect PII. PLease read the ticket linked above. go.skimlinks is an advertising network redirect link that is used for tracking sales conversions and managing payouts to publishers across. the world. since you also seem to struggle with basic reading comprehension, the relevant part of the referenced comment is: if you can be listed in @PeterDaveHello <https://github.com/PeterDaveHello>'s list https://github.com/PeterDaveHello/url-shorteners/ , it will be removed automatically from our project. TL;DR, you need to address the root cause and have the site delisted from the upstream source feeding into our database — Reply to this email directly, view it on GitHub <#969 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOIVX4WF74MJUSPTSKQTR7D2KVHMZAVCNFSM6AAAAABUFFLR5GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKOJQG43DEMZSHE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[spirillen]

@obyg11770

I understand your frustration. To resolve this, please open an issue in the @PeterDaveHello url_shortner repository and request to have your domain added to the project. Thank you for your patience. https://github.com/PeterDaveHello/url-shorteners/issues/new?template=Blank+issue&title=go.skimresources.com

[obyg11770]

I had a dev friend of mine do this two weeks ago and there is still no change. [image: image.png]

…

On Mon, Jan 27, 2025 at 7:29 PM spirillen ***@***.***> wrote: @obyg11770 <https://github.com/obyg11770> I understand your frustration. To resolve this, please open an issue in the @PeterDaveHello <https://github.com/PeterDaveHello> url_shortner repository and request to have your domain added to the project. Thank you for your patience. https://github.com/PeterDaveHello/url-shorteners/issues/new?template=Blank+issue&title=go.skimresources.com — Reply to this email directly, view it on GitHub <#969 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOIVX4WCZBCJNKPIFON2W2L2M32S5AVCNFSM6AAAAABUFFLR5GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMJXG43DSMZYGM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[spirillen]

@PeterDaveHello ?? can you review this one, to see if you can solve it?

[obyg11770]

Hello: I am still having this issue. Please someone help me resolve it. It has been over a month now :(

…

On Thu, Jan 30, 2025 at 7:07 PM spirillen ***@***.***> wrote: @PeterDaveHello <https://github.com/PeterDaveHello> ?? can you review this one, to see if you can solve it? — Reply to this email directly, view it on GitHub <#969 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOIVX4WEU6URAUUWMBK4FLT2NLSG3AVCNFSM6AAAAABUFFLR5GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMRWGIYDIMJWGY> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[spirillen]

English

Have you opened an issue in the @PeterDaveHello Project as we asked you to?

Spanish

¿Has abierto un problema en el proyecto @PeterDaveHello como te pedimos?

French

Avez-vous ouvert un problème dans le projet @PeterDaveHello comme nous vous l'avons demandé?

German

Hast du ein Problem im @PeterDaveHello-Projekt eröffnet, wie wir dich gebeten haben?

Italian

Hai aperto un problema nel progetto @PeterDaveHello come ti abbiamo chiesto?

Chinese (Simplified)

你是否按照我们的要求在@PeterDaveHello项目中打开了一个问题？

Danish

Har du åbnet et issue i @PeterDaveHello projekt, som vi bad dig om?

[PeterDaveHello]

If you need anything, please open issues or submit pull requests at the right place: https://github.com/PeterDaveHello/url-shorteners. I'm currently overwhelmed by the mentioning notifications, and they are not helpful.

[obyg11770]

An issue was opened on Jan 15th but still has not been resolved [image: image.png]

…

On Wed, Feb 12, 2025 at 7:11 AM Peter Dave Hello ***@***.***> wrote: If you need anything, please open issues or submit pull requests at the right place: https://github.com/PeterDaveHello/url-shorteners. I'm currently overwhelmed by the mentioning notifications, and they are not helpful. — Reply to this email directly, view it on GitHub <#969 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOIVX4RUGN3XSDLC45LD43L2PNQANAVCNFSM6AAAAABUFFLR5GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJUGAYDKNBZGE> . You are receiving this because you were mentioned.Message ID: ***@***.***> [image: PeterDaveHello]*PeterDaveHello* left a comment (Phishing-Database/Phishing.Database#969) <#969 (comment)> If you need anything, please open issues or submit pull requests at the right place: https://github.com/PeterDaveHello/url-shorteners. I'm currently overwhelmed by the mentioning notifications, and they are not helpful. — Reply to this email directly, view it on GitHub <#969 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AOIVX4RUGN3XSDLC45LD43L2PNQANAVCNFSM6AAAAABUFFLR5GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNJUGAYDKNBZGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[spirillen]

@PeterDaveHello are you maintaining the url shortner lists actively??

PeterDaveHello/url-shorteners#124

[phishing-database-bot]

Closing.

Domain(s) or IP(s) not found in the Phishing.Database project: go.skimresources.com, go.skimlinks.com.

-- We appreciate your help in refining this. Please let us know if anything seems incorrect.