Page 1 of 2

Ixquick

Posted: Sat Sep 13, 2008 1:51 am
by Security_Wiz
Hi,

I have started using the search engine Ixquick. However, I notice that this website uses many domains (us.ixquick.com, us2.ixquick.com, etc.). I keep stumbling upon real Ixquick domains that seem fine to me that seem to be rated dangerous for some reason.

This is one: s2-us2.ixquick.com/

I see no problem with this. It's user confidence rating is low, but I'd still like to know why it is rated so badly.

Re: Ixquick

Posted: Sat Sep 13, 2008 8:44 am
by Sami
It was only recently removed from PhishTank.

SE in PT?

Posted: Sat Sep 13, 2008 9:19 am
by phantazm
Why would a search engine end up in the PhishTank?

Most likely someone thought

Posted: Sat Sep 13, 2008 9:28 am
by AnonymousSpecial
Most likely someone thought the URL looked like it was trying to spoof a bank or something.

Re: SE in PT?

Posted: Sat Sep 13, 2008 9:28 am
by Sami
Not sure, but there it was, verified by six users.

Or maybe this...

Posted: Sat Sep 13, 2008 10:51 am
by phantazm
Maybe it could be a case of search engine abuse.
I found this short text that describes a google-example:

"Google abuse - Who feels lucky here?

Today I got this spam mail, that at first looked too simple.
But when I looked twice, I noticed it was actually opposite:

"Check it out - I just found the best casino website! It has great games, tournaments, daily promotions and high bonuses. If you go there now you'll get a free beginners bonus of $555 - so you can start playing right away! Have fun!"

Casino spam is not news at all, but the deceptive link was.
Instead of linking directly to casino-games-pro.com it used this:

google.com/search?q=inurl%3Agames-pro+intext%3Awon1+million
+megabet+from+casino+online&btnI=Lucky target="_blank"

(This query searches for sites with "games-pro" in the url
+ "won1 million megabet from casino online" somewhere in the text.)

This combination of words is found on only one website.
And then Googles 'Feel lucky button' is abused to go directly to the site...

Result: the scam-site avoids naming itself in the spam mail,
thus making it harder for spam-filters to scan for names of known scam-sites.."

Or maybe that...

Posted: Sat Sep 13, 2008 10:58 am
by phantazm
phantazm: Why would a search engine end up in the PhishTank?

Sami: Not sure, but there it was, verified by six users.

phantazm: I looked at the phishtank entry (http://www.phishtank.com/phish_detail.php?phish_id=477086) and saw this url:

hxxp://s1-us2.ixquick.com/do/show_picture.pl?c=bottom_frame&u=http://cgi.ebay.com.my/ws/eBayISAPI.dll?ViewItem&item=350022273334&indexURLMessage-Id:

The first part is the searchengine, but...
The second part contains "cgi.ebay.com.my",
and that does look phishy to me...

Re: Or maybe that...

Posted: Sat Sep 13, 2008 11:05 am
by Sami
The second part contains "cgi.ebay.com.my", and that does look phishy to me...

That's eBay Malaysia, it's not a phishing site either.

Ooops!

Posted: Sat Sep 13, 2008 11:10 am
by phantazm
Okay, I didn't know that (mea culpa). Thanks for the correction!
But then again, I'm neither malysian nor an eBay-customer...

Ixquick

Posted: Sat Sep 13, 2008 2:04 pm
by Security_Wiz
So, basically, it was flagged by PhishTank as phising because it had a phising link in their search results. That just doesn't seem very likely. Google has thousands of phising links and malware links, but they are not rated badly by sources because of it.

Thanks though! As long as I know that Ixquick has no malware, I'm going to continue using it.

I like that the WOT community is very active.