I was checking my Google Analytics stats and noticed a strange entry in the Languages section of the demographics. Ranking fifth, after en-us, en-gb, en-ca, and en-au was the following:<\/p>\n
Secret.\u0262oogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!<\/p><\/blockquote>\n
Do not visit that URL, by the way. You can see that the first “G” in “Google” is an unusual character — it’s the symbol for a voiced uvular stop<\/a>. <\/p>\n
I usually use urlQuery<\/a> to check out potentially malicious sites, but it didn’t like this URL. I used vURL Online<\/a> instead, which reported it was malicious:<\/p>\n
This domain is listed in the Malware Domain List. Website’s [sic] in this database should be viewed with extreme caution.<\/p><\/blockquote>\n
These 1500 or so sessions on my site are presumably from some hijacked browser or malicious plug-in\/extension, and the end-user has no idea they are sending this bizarre language string in the HTTP headers.<\/p>\n
Why put a malicious URL there at all? Did the creator hope that those of us perusing our web stats would be intrigued enough to fall for this trap? Even as I ask that question, I know that some percentage of users must have done just that. I assume they are now broadcasting their language as the same unusual string.<\/p>\n
As a site owner, is there anything I should do? I could detect this string and notify the user. E.g. use an Apache re-write rule to redirect the user to a page telling them their browser is infected? This is only a partially rhetorical question. If you have suggestions, let me know.<\/p>\n","protected":false},"excerpt":{"rendered":"
Some visitors to my web site are transmitting an unusual Accept-Language string that includes a malicious URL. Who is being targeted by this attack and what should a site owner do about it (if anything)?<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[412,356],"class_list":["post-1652","post","type-post","status-publish","format-standard","hentry","category-security","tag-phishing","tag-security"],"_links":{"self":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/comments?post=1652"}],"version-history":[{"count":7,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1652\/revisions"}],"predecessor-version":[{"id":1660,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/posts\/1652\/revisions\/1660"}],"wp:attachment":[{"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/media?parent=1652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/categories?post=1652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osric.com\/chris\/accidental-developer\/wp-json\/wp\/v2\/tags?post=1652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}