February 1, 2016 3:06 PM

How does this sketchy "hhttps" link work?

I came across this link, which appears to link to a redirect page that serves one of a variety of sketchy links ("Your computer needs an antivirus" etc.). I'm trying to understand how it works, and I'm not getting anywhere with Google (which just shows me more examples of it).


Note the beginning, which just looks like a typo or a mis-pasted link. Chrome reports it can't find the server "hhttps" which is what I would expect. However it works on Safari and Firefox so they must be parsing it differently, but I'm not sure how or where exactly it's pointing to.
posted by ChurchHatesTucker to Computers & Internet (10 answers total) 2 users marked this as a favorite
Best answer: I'm not able to get Firefox (CentOS 7) to load it, but a theory:

There is a https.com which redirects to rewardsurveybrands.com which gives "you have been selected" popups (and other things when I open it in Lynx, there's clearly much heinous JavaScript and sketchy redirection involved). Perhaps Safari (or your platform) is noting the bare host name and adding a .com?
posted by straw at 3:26 PM on February 1, 2016

When you say "it works on Safari and Firefox" what do you mean? What does the browser display?
posted by humboldt32 at 3:40 PM on February 1, 2016

Ah, Safari does in fact do something. I force killed ASAP.

Careful folks testing that link.
posted by humboldt32 at 3:41 PM on February 1, 2016

Best answer: Yes, Firefox is auto-expanding the hostname from “hhttps” to “www.hhttps.com” which then redirects to another site. The expansion is part of its “fixup” algorithm for broken URLs. You can see what’s happening using Firefox’s built-in Network Monitor.
posted by mbrubeck at 4:00 PM on February 1, 2016 [7 favorites]
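
Added example, not part of the thread: a small Python link check that flags URLs whose host is a bare single-label name and reports the hostname the "www." + host + ".com" expansion described in the answer above would produce. The sample URLs are constructed, and the `http://hhttps://...` shape is an assumption about the link, which is not shown on this page; `audit_link` and its parameters are hypothetical names.

```python
import ipaddress
from urllib.parse import urlsplit

SCHEMES = ("http", "https", "ftp")


def edit_distance(a, b):
    """Levenshtein distance; fine for short hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip(host):
    """True for IPv4/IPv6 literals, which are never expanded."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_link(url, prefix="www.", suffix=".com"):
    """Return a finding for a single-label host, or None for ordinary links.

    prefix/suffix mirror the expansion described in the thread; a browser
    may be configured differently (assumption).
    """
    host = urlsplit(url).hostname
    if not host or "." in host or host == "localhost" or is_ip(host):
        return None
    return {
        "host": host,
        "fixup_candidate": f"{prefix}{host}{suffix}",
        # A host within one edit of a scheme name suggests a mangled link.
        "scheme_lookalike": any(edit_distance(host, s) <= 1 for s in SCHEMES),
    }


if __name__ == "__main__":
    # Constructed samples: a doubled-scheme link, a normal link, an intranet host.
    for link in ("http://hhttps://example.com/offer",
                 "https://example.com/offer",
                 "http://intranet/wiki"):
        print(link, "->", audit_link(link))
```

A finding with `scheme_lookalike` set is worth rewriting or blocking before the link is published, since the visible destination after the second `//` is only a path on whatever host the expansion resolves to.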

Response by poster: I probably should have added more info:
  • OS X 10.10.5 (Yosemite)
  • Safari 9.0.3
  • Firefox 42.0 (see below)
  • Chrome Version 49.0.2623.28 beta (64-bit)
I noticed I was behind on FF, so updated to 44.0. Oddly, the link appears to "work" about half the time now. I almost never see the expansion to "www.hhttps.com" (once in about ten tries) but there is clearly stuff disappearing from the Network Monitor for some reason. Roughly half the time Firefox now gives me "Firefox can't find the server at hhttps." but the rest of the time it "works." (I only tested a couple times on 42.0 before upgrading, so I may have just been unlucky there.)
posted by ChurchHatesTucker at 5:13 PM on February 1, 2016

It's possible, for instance, that an infected computer could be running a local proxy, identified by the non-canonical (i.e. would only work locally, and/or if the hosts file had been compromised) name 'hhttps'. If that were the case, that link would work, and the proxy would return whatever nastiness into your browser that it wanted to. Why the (possible, local) proxy? I dunno, maybe some effort at obfuscation from antivirus software or modern browsers' built-in phishing/malware protection. If not a local proxy, then just because it'd be more apt to fool you than a sketchy IP.
posted by destructive cactus at 5:43 PM on February 1, 2016

Yeah, it's redirecting you to hhttps dot com which whois says seems to be registered by a company in China, but it has somebody in the Czech Republic listed as admin, but it also says "this company does not own this domain name."

I'm not willing to open that website myself on this computer.
posted by Diag at 4:23 AM on February 2, 2016 [1 favorite]

Yep, they're trying to fool people who don't read URLs carefully (or at all!), and want you to go to their undoubtedly-nefarious site.

It's a b0rked link, in this case intentionally, and you should avoid it.
posted by wenestvedt at 6:52 AM on February 2, 2016

FWIW, this is where I found the link:

On the link that I posted copied from above, the extra hhttps added to the link does not seem to be there?
Unless I am just not seeing it?

Also, I copied the link:

Directly from my original post.

I have no idea how the extra hhttps was added to the link. I don't think it is because I posted it that way, unless I inadvertently added it when copying?

Really weird to say the least.
posted by yertledaturtle at 1:23 PM on February 2, 2016

Response by poster: yertle, I flagged your comment so I assume the mods fixed it.

It does appear to be a related site to "https.com", there are even some of the same pages served up. Is there someplace that tracks these kinds of things?
posted by ChurchHatesTucker at 5:06 PM on February 2, 2016
