Event shelljacket us что это
Перейти к содержимому

Event shelljacket us что это

  • автор:

Chrome Process shelljacket

chrome process

noticed today this process running on google chrome task manager referencing http://shelljacket.us If I closed it will restart automatically in a few seconds. Can anyone confirm if this is safe? How can I get rid of it?

asked Feb 16, 2018 at 16:48
3 3 3 bronze badges

1 Answer 1

Your Task Manager is showing » Subestrutura: http://shelljacket.us . This is Portuguese for » Subframe: http://shelljacket.us «, and means that Site isolation is enabled in your Chrome browser. Google’s help page on this feature suggests that you can toggle Site isolation via chrome://flags/#enable-site-per-process

Even when you did not enable site isolation, then site isolation will still be used for websites loaded inside a Chrome extension. In your process list, I see that the item immediately above your unwanted process is an extension. To get rid of the frame, you can try to disable the extension.

Seeing an unknown site in a separate process in itself is not something to worry about. But this site in question seems to only contain a tracker from QuantCast, which I consider suspicious from the privacy perspective.

I looked up the extension in the Chrome Web Store («Hotspot Shield Elite VPN Proxy») and used my Extension Source Viewer to read the source code of the extension. I found a code snippet in the extension’s background script that confirms that the extension is embedding an frame with a QuantCast URL.

If you are using that VPN extension for privacy purposes, I would recommend you to immediately uninstall it, because this is clearly a sign that your privacy is violated.

Три крупных VPN-сервиса раскрывают конфиденциальные данные пользователей

Три крупных VPN-сервиса раскрывают конфиденциальные данные пользователей

Согласно исследованию, проведенному VPNMentor с помощью нанятой группы специалистов, далеко не все VPN-сервисы способны предоставить пользователям защиту их данных. Большинство протестированных сервисов не до конца скрывают IP-адрес клиентов.

Эксперты подчеркивают, что такие недостатки в VPN-сервисах могут использоваться правительством и организациями для отслеживания конкретных лиц, представляющих интерес.

«Мы протестировали 3 популярных VPN-сервиса: Hotspot Shield, PureVPN и Zenmate. К сожалению, мы обнаружили, что все они способствуют утечке конфиденциальных данных», — пишут в блоге исследователи VPNMentor.

Hotspot Shield оказался единственным сервисом, быстро принявшим меры после официального уведомления VPNMentor о наличие бреши в безопасности. Остальные VPN-сервисы на данный момент не ответили VPNMentor, поэтому проект принял решение опубликовать результаты тестов.

Уязвимости в Hotspot Shield затрагивают соответствующее расширение Chrome, десктопная и мобильная версии приложения безопасны.

Первая уязвимость, получившая идентификатор CVE-2018-7879, позволяет злоумышленнику перехватить трафик пользователя, для этого потребуется заманить его на вредоносный сайт.

Эксперты отметили наличие следующего PAC-скрипта, используемого в расширении Hotspot Shield для Chome:

```
function FindProxyForURL(url, host) if(url.indexOf('act=afProxyServerPing') != -1) if(parsed && parsed[1]) return 'https '+parsed[1]+':443; DIRECT;';>
```

Он определяет, имеет ли текущий URL параметр act=afProxyServerPing, если он находит этот параметр, весь трафик перенаправляется на прокси-сервер.

Эта проблема, похоже, связана с внутренним тестовым кодом, который не был удален, поскольку скрипт не может проверить, какой хост делает этот «вызов». Злоумышленник может создать ссылку с этими параметрами, что позволит перенаправить пользователя на контролируемый киберпреступниками сервер.

Утечка IP существует благодаря белому списку, который используется расширением для «прямого соединения».

let whiteList = /localhost|accounts\.google|google\-analytics\.com|chrome\-signin|freegeoip\.net|event\.shelljacket|chrome\.google|box\.anchorfree|googleapis|127\.0\.0\.1|hsselite|firebaseio|amazonaws\.com|shelljacket\.us|coloredsand\.us|ratehike\.us|pixel\.quantserve\.com|googleusercontent\.com|easylist\-downloads\.adblockplus\.org|hotspotshield|get\.betternet\.co|betternet\.co|support\.hotspotshield\.com|geo\.mydati\.com|control\.kochava\.com/;if(isPlainHostName(host) || shExpMatch(host, '*.local') || isInNet(ip, '10.0.0.0', '255.0.0.0') || isInNet(ip, '172.16.0.0', '255.240.0.0') || isInNet(ip, '192.168.0.0', '255.255.0.0') || isInNet(ip, '173.37.0.0', '255.255.0.0') || isInNet(ip, '127.0.0.0', '255.255.255.0') || !url.match(/^https?/) || whiteList.test(host) || url.indexOf('type=a1fproxyspeedtest') != -1) return 'DIRECT';

Тесты показали, что любой домен, который содержит localhost в URL-адресе, обходит прокси-сервер (например, localhost.foo.bar.com). Так же происходит и с type=a1fproxyspeedtest.

Чтобы продемонстрировать наличие утечки, специалисты зашли на сайт с неподдерживаемой версией Hotspot Shield.

Эксперты подтвердили, что в настоящее время уязвимости PureVPN и ZenMate могут использоваться для деанонимизации пользователей этих сервисов.

Подписывайтесь на канал «Anti-Malware» в Яндекс Дзен, чтобы первыми узнавать о новостях и наших эксклюзивных материалах по информационной безопасности.

event.shelljacket.us

Google identifies web sites that are not secure. Inform us about the threats that detect and display warnings to help disclose the State of security on the Web.

SSL certificate

High impact

This web site contains the SSL certificate and your details are encrypted so that they can not be stolen

If a web site contains a SSL certificate, when you send your data using forms or devices that have the web site, your data will always encrypted and cannot be stolen.

A web site does not contain or contain SSL-certificate, does not mean that this web site is unsafe, but the low security level.

Registration of the web site

Low impact

The website features a 2023 years old

The age is an indication seriously to consider on a web site, the oldest is a website most likely has to be safe

New web sites are not insecure as new but there that caution since data that compare are not known for their safety

Title

405 Not Allowed

The only title is a data information and does not affect the score of security of this web site.

Web Of Trust

1.3888888888889

No Information

High impact

Security and reliability child records not found

It may be a new site and for this reason we do not have safety data yet.

Moz Rank

1.3888888888889

Ranking

Medium impact

The Ranking of MOZ, it indicates the quality of a web site, this value is important because high refers us to which this web site is useful, as well as having a high impact on search engines, something that is usually good and provide us with security

1.3888888888889

Authority of the domain

Medium impact

This signal indicates that both courage and confidence has registered this domain for the busscadores. Normally the search engines rank first domains with greater authority

1.3888888888889

Authority of the page

Medium impact

This signal indicates that both courage and confidence has this page specifically for the busscadores, the greater the greater result confidence we give the web site.

1.3888888888889

Inbound links of trust

Medium impact

Inbound links to this web site that provide value, generally rely on said site.

1.3888888888889

Inbound links

Medium impact

Quantity of inbound links that Moz Rank detected to this web site.

Alexa

Total sites linking

Medium impact

Sign indicating the number of links that Alexa to detected to this web site.

1.3888888888889

Ranking

Low impact

Global ranking 0

The Alexa ranking indicates the popularity of the site, obviously the more popular is a site higher ranking security we give for any activity on these web sites.

Social Media

Facebook

Low impact

  • Likes 0
  • Sahre 0
  • Comments 0
  • Actions 0
  • Total shares in facebook 0

Facebook is a social networking website created by Mark Zuckerberg and Eduardo Saverin founded with Chris Hughes and Dustin Moskovitz. Originally a site for students at Harvard University. Its purpose was to design a space where students at the university to exchange good communication and share content easily through the Internet. His project was so innovative that eventually spread to be available to any network user.

Linkedin

Low impact

  • Shares 0

LinkedIn is a business-oriented web site. It was founded in December 2002 and launched in May of 20031 (comparable to a social network service), mainly for professional network. It was founded by Reid Hoffman, Allen Blue, Konstantin Guericke, Eric Ly, Jean-Luc Vaillant.

Google+

Low impact

  • Shares 0

Google+ (pronounced and written, Google Plus, abbreviated as G + and in some Spanish-speaking countries pronounced Google Plus) is a social network operated by Google Inc. Google+ was launched in June 2011. Users must be at least 13 years age, to create their own accounts. Google+ is already the second most popular social network in the world, linked with YouTube, earning about 343 million active users.
Google+ integrates different services: Circles, Hangouts, Google+ communities.3 Interests and will also be available as a desktop application and a mobile application, but only in the Android and iOS operating systems. Sources such as The New York Times has declared more Google attempt to compete with the social network Facebook, which had more than 750 million users in 2011

Pinterest

Low impact

  • Shares 0

Pinterest is a platform for sharing images that allows users to create and manage personal boards thematic collections of images such as events, interests, hobbies and more. Users can browse other pinboards, ‘re-pin’ images for their collections or give them ‘I’. Pinterest’s mission is to «connect everyone in the world through things they find interesting.» Founded by Ben Silbermann, Paul Sciarra and Evan Sharp, the site is managed by Cold Brew Labs and funded by a small group of entrepreneurs and investors.

Xing

Low impact

  • Shares 0

XING (was created in 2003 through November 17, 2006 OpenBC called) is a social network of professional field. Also it called online networking platform, since its main use is to manage contacts and establish new connections between professionals in any sector. This system belongs to what is called social software. One of the main functions it is the option to display the contact network; for example, a user can see through many connected to other intermediaries. It is based on the principle of six degrees of separation or phenomenon of «small world». Offers numerous options for contact, search for people by name, city, sector, company, areas of interest, etc., and includes thematic groups and forums to raise questions and exchange information or opinions on specific issues. It also has job offers, business pages and a section to view and post events. Xing decision makers and experts found in many fields.

VKontakte

Low impact

  • Shares 0

VK (Vkontakte originally), is a social network created by Pavel Durov, internationally known as VK. Pavel, who studied philology at the Saint Petersburg State University, created the website of the university and a forum on it with the help of his brother Nikolai. Originally a site for Russian students, but now anyone can register. It is the most popular site in Russia, Ukraine and Belarus. Because of its design and functionality, it is often said that VK is a clone of Facebook, not only for being a similar concept, but as a business model comparable. However, the addition of other features makes it an all in one, similar to other sites like YouTube, Pandora, with an interface that is very reminiscent to Facebook, but in an easier and intuitive. The site is available in 38 languages.

StumbleUpon

Low impact

  • Shares 0

StumbleUpon is a commercial website that integrates a social network that allows users to swap pages of interest mainly online using a toolbar available as an extension for Firefox, Mozilla Application Suite, Internet Explorer and Google Chrome. The system automates the collection, distribution and review of intuitively Web content, providing the user to browse the network and locate pages of interest with a single click, after completion of an initial registration where the user identifies their areas of interest and other preferences. StumbleUpon also lets you edit your interest to discover more pages that interest you.

Social activity summary

Low impact

  • Total social activity 0

Not always must rely on if a site has lots of activity on social networks, we must always see well that type of activity carried out and how they do it, but it is usually a symptom of reliability.

Great visibility on social networks is a good indicator to see if insurance this site, have much more activity on social networks is best assessment will have for TrustScam.

Don’t drink Hotspot Shield’s Kool-Aid

Free VPN services have a bad reputation, and in most cases it’s undeserved. That being said, there are always bad apples that ruin it for the rest. In this case the bad apple is Anchor Free, and their product Hotspot Shield.

When you install the Hotspot Shield browser extension, it gives you access to their free servers, with no bandwidth limit. Sounds great, now you have “Security and Privacy”, for free, with no limitations. What you probably don’t know is that it’s bullshit.

You may ask yourself, “why would that be built right into the extension that claims free and unlimited bandwidth?” Ahh, right.

You may think, “Well, I’m using a proxy, so they don’t see my IP, so all this data is useless”. Here is where it gets even better.

Browser extensions that proxy traffic usually implement a secure proxy via what’s known as a Pac file. You can extract the Pac file by going to a special URL in your Chrome browser while connected to a location.

The Pac file is base64 encoded, you can decode it via this online tool. Here is what the Hotspot Shield Pac file looks like, the bolded part is of extra interest:

let active = false,
created = 1538074968239,
started = Date.now();

if((started-100) < created) active = true;
>

function FindProxyForURL(url, host) if(!active && (Date.now() > (started + 2000))) active = true;
if(!active) return ‘DIRECT’;

if(shExpMatch(host, ‘pixel.quantserve.com’) || shExpMatch(host, ‘event.shelljacket.us’) || shExpMatch(host, ‘api.hsselite.com’) || shExpMatch(host, ‘order.hotspotshield.com’) || shExpMatch(host, ‘www.google-analytics.com’) || shExpMatch(host, ‘localhost’) || shExpMatch(host, ‘127.0.0.1’)) return ‘DIRECT’;

return ‘https mi-ex-de-fra-9.northghost.com:443;https mi-ex-de-fra-13.northghost.com:443;https mi-ex-de-fra-8.northghost.com:443;https mi-ex-de-fra-1.northghost.com:443;https mi-ex-de-fra-11.northghost.com:443;’;

return ‘DIRECT’;
>

Any request made to the following domains bypasses the proxy and is sent through your ISP assigned IP address:

  • pixel.quantserve.com
  • event.shelljacket.us
  • www.google-analytics.com
  • api.hsselite.com
  • order.hotspotshield.com
  • localhost
  • 127.0.0.1

The last 4 are harmless, but the first 3 are there only for a single purpose: collect user data and send it to the biggest privacy violators that exist, and to make sure the data is valuable, it’s sent from your IP address.

Additionally, since Google Analytics is “white listed” (bypasses the proxy), every single site that has Google Analytics, majority of sites do, will be able to track your IP address, regardless of you using the extension. This makes the use of Hotspot Shield extension entirely pointless.

Lastly, since Hotspot Shield servers have no authentication whatsoever, you can take the Pac file, make a couple of modifications to it, load it via TunnelSwitch and “enjoy” Hotspot Shield without any client side tracking. What they do server side is unknown… ohh wait, it is known, since they got caught injecting ads into your traffic just last year.

This begs a question, why did “The Fastest Most Secure Virtual Private Network” get a $300M investment when all they do is violate user privacy and show that they have no clue about basic security by allowing unauthenticated requests to be made against their servers? Let’s hear it from the partner at the firm that lead the VC round:

So, the same “open sourced” VPN software (OpenVPN), that literally every single VPN provider uses, makes AnchorFree an attractive investment? Why not invest into OpenVPN Inc. instead?

Sujay’s firm is either highly uninformed and has way too much money to burn, or they know what AnchorFree is really up to, and they know that they will profit from it. Considering VC companies rarely throw $300M at things they don’t understand, my bet is on the latter.

Appendix A

When you install HSS, a request is made to Google Analytics, and Quantcast, from your ISP assigned IP address and unique ID of the installation. When you visit any website that has Quantcast or Google Analytics tracking, the requests to tracking js scripts are made from your ISP assigned IP address, since those hostnames are “white-listed” in the Pac file. A profile is created on all your browsing activity which began the minute you installed Hostpost Shield.

Once you are identified as a “Hotspot Shield user #123”, and most sites that you visit contain the tracking pixel of the same company that knows you are a “Hotspot Shield user #123”, this effectively creates a detailed browsing history of some/most/all of your online activity, all the way down to the exact URL you visited.

Granted, you probably had an existing browsing profile to begin with, even before you installed Hotspot Shield, but given their promises of “Security and Privacy”, you have to ask yourself, if it doesn’t make any diffidence, what’s the point of this thing at all?

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *