So i checked my phone just a second ago and i see this message from a friend on groupme. the only thing is...

so i checked my phone just a second ago and i see this message from a friend on groupme. the only thing is, he's dead and has been dead for 2 years now. i don't know how a spammer could have just gained access to his account but im kind of curious as to the contents of this url, even though it's most likely spam but my inner /x/ is tempting my curiosity

is there a possibility that this URL can lead me to some malicious website? i would run it in a VM but im on my laptop which doesnt have any VM software and im away from home for the next few days visiting family

...

if i were an /x/tard i would have posted it there but this isnt a roll bread

Gimme the link and ill click it

im worried it could be something personally revealing. im not sure why a phisher would target his account or even have the means to access it/phish it.

There are phone vm services google.se/url?sa=t&source=web&rct=j&url=https://play.google.com/store/apps/details?id=com.airwatch.browser&referrer=utm_source%3Dgoogle%26utm_medium%3Dorganic%26utm_term%3Dvm+android+browser&pcampaignid=APPU_1_PlJNWpPyG-fX6ASB1KLgBQ&ved=0ahUKEwiTicah5bzYAhXnK5oKHQGqCFwQ8oQBCCUwAA&usg=AOvVaw2i_s-mJ_ZSP5_YzJ8Rzkjx

74, 62%, 69, 70%, 02AU1, zhMDe&eg
These are the backed out alpha numeric chars.

At least that's what I could make out.
The last two sets may differ by a few chars.

0vVaw1 for the second to last set
And the last set is right.

how 2 do dis?

Maybe he isn't dead

...

so, what does this link to?

Nice work. Type it out for us.

Damn I just spent time writing out the whole link nice work.
Google.com/url?sa=t&url=%68%74%74%70%3A%2F%2F%78%65%2D%2D%71%31%61%69%61%2E%78%6E%2D%2D%70%31%61%69&usg=AOvVw13uTuuuyg8Dby4MDyzhMDe&eg02ededaq&8

GOGOGOGOGOGOGOGOGOGOGOGOGOGOGOGOGOGO

Here is where the link goes....

It's just a google search for "get rickrolled on son"

its a gay porno they made together nothing to see here move along now

Why would you do that on a phone jesus

the %68...%69 string translates to xe--q1aia.xn--p1ai
So that makes it xe--q1aia.xn--p1ai&usg=AOvVw13uTuuuyg8Dby4MDyzhMDe&eg02ededaq&8

I didn't actually go to the site moron!!
Nor did I click the links!!

>moron
>I didn't click
>link indicates it was clicked
the absolute state of phoneposters

Are we supposed to fill in the dashes?

Did you think no one would figure this out op???
You are a retard!!

Ok ok I clicked it....
But opened it incog- neet-oh

>Google.com/url?sa=t&url=%68%74%74%70%3A%2F%2F%78%65%2D%2D%71%31%61%69%61%2E%78%6E%2D%2D%70%31%61%69&usg=AOvVw13uTuuuyg8Dby4MDyzhMDe&eg02ededaq&8

Nothing

I would interpret his response as an embarrassed schoolgirl making a mistake and not admitting it

Your dead friend had a shitty password. Sorry to be the one to break it to you, thoughts and prayers.

Hit the nail on the head with that one.
I am that user.

no. that's literally what it translates to. see

$ curl -I xn--q1aia.xn--p1ai
Trying 185.158.114.69...
HTTP/1.1 302 Found
Server: nginx
Date: Wed, 03 Jan 2018 22:29:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Keep-Alive: timeout=60
X-Powered-By: PHP/5.6.32
Location: dietweight4loss.com/?s=gr

Any time you see dashes like that it's an internationalized domain. In this case it's russian shit, transliterates as .rf (russian federation). See en.wikipedia.org/wiki/List_of_Internet_top-level_domains#Internationalized_country_code_top-level_domains

tl;dr russians hacked user's dead friend
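
The decoding worked out by hand in the posts above (the percent-encoded url= parameter of the Google redirect, then the xn-- internationalized labels), as an added example that is not part of the original thread. It only parses the string and makes no network request; the function and field names are illustrative.

```python
from urllib.parse import urlsplit, parse_qs

# The link as it was typed out in the thread (no scheme, mixed case).
SAMPLE = ("Google.com/url?sa=t&url=%68%74%74%70%3A%2F%2F%78%65%2D%2D%71%31"
          "%61%69%61%2E%78%6E%2D%2D%70%31%61%69"
          "&usg=AOvVw13uTuuuyg8Dby4MDyzhMDe&eg02ededaq&8")


def label_to_unicode(label):
    """Decode one DNS label if it carries the xn-- (punycode/ACE) prefix."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed punycode: show it undecoded
    return label


def inspect_link(link):
    """Unwrap a redirect link offline and report where it really points."""
    # urlsplit needs a scheme to recognise the host part.
    if "://" not in link.split("?", 1)[0]:
        link = "http://" + link
    outer = urlsplit(link)
    # parse_qs percent-decodes values; fields without '=' are dropped.
    target = parse_qs(outer.query).get("url", [None])[0]
    inner = urlsplit(target) if target else outer
    labels = (inner.hostname or "").split(".")
    return {
        "outer_host": outer.hostname,
        "target": target,
        "unicode_host": ".".join(label_to_unicode(l) for l in labels),
        # Real internationalized labels.
        "idn_labels": [l for l in labels if l.startswith("xn--")],
        # "--" in positions 3-4 without the xn prefix is a reserved label
        # form (RFC 5890), not punycode, so it is left undecoded.
        "reserved_labels": [l for l in labels
                            if l[2:4] == "--" and not l.startswith("xn--")],
    }


if __name__ == "__main__":
    for key, value in inspect_link(SAMPLE).items():
        print(f"{key}: {value}")
```
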

Looks like an old exploit landing page that broke

can you actually even get infected by simply visiting a site?

Looks to me like a redirect to a diet pills site. The usg in the query string is probably an affiliate code for the hacker to earn commission on any sales.

Yes use wget jailed and download the page

Actually usg is something Google adds, thought to be an encrypted version of the search query.

The dead have risen and they have diet pills for you.