debridleech.com: badware #27155

Closed
9 of 10 tasks
PhTL19 opened this issue Feb 10, 2025 · 12 comments


PhTL19 commented Feb 10, 2025

Prerequisites

  • This is NOT a YouTube, Facebook, Twitch or a shortener/hosting site report. These sites MUST be reported by clicking their respective links.
  • I read and understand the policy about what is a valid filter issue.
  • I verified that this issue is not a duplicate. (Use this button to find out.). Comment in the old issue threads even when they are closed or even if you have a different problem.
  • I did not remove any of the default filter lists, or I have verified that the issue was not caused by removing any of the default lists.
  • I did not enable additional filter lists, or I have verified that the issue still occurs without enabling additional filter lists.
  • I do not have custom filters/rules, or I have verified that the issue still occurs without custom filters/rules.
  • I have verified that the web browser's built-in content blocker/tracking protection, network wide/DNS blocking, or my VPN is not causing the issue.
  • I have turned off all other extensions and the issue still persists. (exception "Firefox Multi-Account Containers").
  • If this is about a breakage or detection, I have verified that it is caused by uBlock Origin and isn't a site or browser issue.
  • I did not answer truthfully to ALL the above checkboxes.

URL address of the web page

https://www.debridleech.com/

Category

badware

Description

Fake leeching file, scam personal info by using fake human verification

Other extensions used

None

Screenshot(s)

Image

Configuration

uBlock Origin: 1.62.0
Chromium: 132
filterset (summary):
 network: 141502
 cosmetic: 41422
 scriptlet: 23221
 html: 0
listset (total-discarded, last-updated):
 default:
  user-filters: 1-0, never
  ublock-filters: 39945-204, 1h.57m Δ
  ublock-badware: 12282-6, 1h.57m Δ
  ublock-privacy: 2004-33, 1h.57m Δ
  ublock-unbreak: 2556-0, 1h.57m Δ
  ublock-quick-fixes: 189-0, 1h.57m Δ
  easylist: 71574-527, 1h.57m Δ
  easyprivacy: 53326-640, 1h.57m Δ
  urlhaus-1: 22280-0, now
  plowe-0: 3538-0, now
filterset (user): [array of 1 redacted]
trustedset:
 added: [array of 5 redacted]
userSettings: [none]
hiddenSettings: [none]
supportStats:
 allReadyAfter: 674 ms (selfie)
 maxAssetCacheWait: 359 ms
 cacheBackend: indexedDB
popupPanel:
 blocked: 2
 network:
  debridleech.com: 1
  cloudflareinsights.com: 1
@JobcenterTycoon
Contributor

JobcenterTycoon commented Feb 10, 2025

@Yuki2718 same pattern on https://freesoftwarecreative.com/pages/?f4107d2; also, a filter for AdGuard is needed.

! loader script
https://d15skjf5hy9xr6.cloudfront.net/bddec94.js
https://dojy0dg181308.cloudfront.net/f999531.js

! frame loader script
https://d23rx8p5l6yry7.cloudfront.net/public/external/v2/htmlxf.3253287.1da9e.0.js
https://d1myn4ixnn41tz.cloudfront.net/public/external/v2/htmlxf.4151823.2951e.0.js

! ad iframes
https://d23rx8p5l6yry7.cloudfront.net/public/ct?cpguid=&pr=0&it=3253287&w=2560&h=1400&key=1da9e&m=0&r=%1D%01%01%05%06OZZ%02%02%02%5B%11%10%17%07%1C%11%19%10%10%16%1D%5B%16%1A%18Z
https://d390icj1ta4x0p.cloudfront.net/public/ct?cpguid=&pr=0&it=4151823&w=1920&h=1080&key=2951e&m=0&r=

As far as I see it's only a-f, so maybe /cloudfront\.net\/[a-f0-9]{7}\.js$/$script,3p,match-case?

@Yuki2718
Contributor

> As far as I see it's only a-f, so maybe /cloudfront\.net\/[a-f0-9]{7}\.js$/$script,3p,match-case?

I'm unsure about its safety. /cloudfront\.net\/(?=[a-z]{0,6}\d)[a-f0-9]{7}\.js$/$script,3p,match-case will be a bit safer, but something like script1.js can still match.

Yuki2718 added a commit to easylist/easylist that referenced this issue Feb 10, 2025
@JobcenterTycoon
Contributor

No, it doesn't, because the regex only matches a-f, not a-z, so script1 can't match. It's also possible to block the frame loader script; it will also fully prevent the ads.

@Yuki2718
Contributor

Ah, missed that.

Yuki2718 added a commit to AdguardTeam/AdguardFilters that referenced this issue Feb 10, 2025
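The regex exchange above, checked in code. This is an added example, not part of the thread or of any filter list: the two regex bodies are copied from the comments, the `example.cloudfront.net` URLs are constructed, and it assumes the regex is tested against the full request URL, with `match-case` modelled by omitting the `i` flag.

```javascript
// Regex bodies copied from the filters proposed in the thread.
// Assumption: the regex is tested against the full request URL; `match-case`
// is modelled by leaving off the "i" flag. $script and 3p are not modelled.
const broad = /cloudfront\.net\/[a-f0-9]{7}\.js$/;
const narrowed = /cloudfront\.net\/(?=[a-z]{0,6}\d)[a-f0-9]{7}\.js$/;

// Loader and frame-loader URLs reported in this issue.
const reported = [
  'https://d15skjf5hy9xr6.cloudfront.net/bddec94.js',
  'https://dojy0dg181308.cloudfront.net/f999531.js',
  'https://d185vdnhi9xfbl.cloudfront.net/cc671ff.js',
  'https://d23rx8p5l6yry7.cloudfront.net/public/external/v2/htmlxf.3253287.1da9e.0.js',
  'https://d1x7c4wlneyax0.cloudfront.net/hcWrXe8I6ZwipW.4151823.2951e.0.js',
];

// Constructed URLs (hypothetical host and file names) probing false positives.
const constructed = [
  'https://example.cloudfront.net/script1.js',     // s, r, i, p, t are outside a-f
  'https://example.cloudfront.net/facaded.js',     // seven hex letters, no digit
  'https://example.cloudfront.net/decade1.js',     // word-like, yet hex plus a digit
  'https://example.cloudfront.net/BDDEC94.js',     // upper case
  'https://example.cloudfront.net/bddec94.js?v=2', // query string after .js
  'https://example.cloudfront.net/js/abc1234.js',  // not directly under the host
];

// Which of the two patterns would match this URL?
function classify(url) {
  return { broad: broad.test(url), narrowed: narrowed.test(url) };
}

// One row per URL, suitable for console.table.
function report(urls) {
  return urls.map((url) => ({ url, ...classify(url) }));
}

console.table(report(reported.concat(constructed)));
```

The lookahead only adds a "contains a digit" requirement: `facaded.js` is dropped by the narrowed pattern, while a word-like name such as `decade1.js` still matches both.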
@Yuki2718
Contributor

||cloudfront.net/public/external/v2/htmlxf. is fine for EL.

Yuki2718 added a commit to easylist/easylist that referenced this issue Feb 10, 2025
@JobcenterTycoon
Contributor

I see you also block the domains. I have more:


Yuki2718 added a commit to easylist/easylist that referenced this issue Feb 10, 2025
@Yuki2718
Contributor

Some of them were added by easylist/easylist@aa968d4

@JobcenterTycoon
Contributor

JobcenterTycoon commented Feb 17, 2025

@Yuki2718 they now randomize the old cloudfront.net/public/external/v2/htmlxf pattern (or added a new one). The new patterns are:

! loader script
https://d185vdnhi9xfbl.cloudfront.net/cc671ff.js

! frame loader script
https://d1x7c4wlneyax0.cloudfront.net/hcWrXe8I6ZwipW.4151823.2951e.0.js

! ad iframes
https://d1x7c4wlneyax0.cloudfront.net/public/ct?cpguid=&it=4151823&w=2560&h=1400&key=2951e&m=0&r=

! ad clicks
https://app.fast2cloud.com/click?pid=2&offer_id=558&sub2=u221596&sub3=cl249075&sub4=ct215993&sub7=rfnull&sub8=rdnull&sub15=da5dd8a010f2
https://set.safesendclub.com/click?pid=434&offer_id=18432&sub2=434_u221596&sub6=67b33e5687104d0001b36f29

See on https://freesoftwarecreative.com/pages/?f4107d2

The first is still stable, so the regex /cloudfront\.net\/(?=[a-z]{0,6}\d)[a-f0-9]{7}\.js$/$script,3p,match-case still works (not added). The iframe is now missing pr=0, but it could still be filtered with an EL filter ||cloudfront.net/public/ct?cpguid=&$frame,3p when it's not common.

Captured unblocked domains:


JobcenterTycoon added a commit that referenced this issue Feb 17, 2025
Yuki2718 added a commit to easylist/easylist that referenced this issue Feb 17, 2025
JobcenterTycoon added a commit that referenced this issue Feb 17, 2025
@JobcenterTycoon

This comment has been minimized.

@Yuki2718
Contributor

Looks already in EL.

@JobcenterTycoon
Contributor

Sorry, I copied the wrong domains.

||d1gof7ug63b1q4.cloudfront.net^
||d23h3o5tkgytgm.cloudfront.net^
||dvwowtnmyluv4.cloudfront.net^

Yuki2718 added a commit to easylist/easylist that referenced this issue Feb 18, 2025
@JobcenterTycoon
Contributor

Looks fine so far, most of them are blocked now. I found only one more: ||d29gqhzevia104.cloudfront.net^

Yuki2718 added a commit to easylist/easylist that referenced this issue Feb 20, 2025