mitmproxy
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
cid= is common for campaign identifiers. Might also be "channel". This might not be a CNC system but ad fraud.
Using a coffee shop is a great idea, but perhaps one further away from Tyson's Corner since there are a lot of IP addresses there used by netsec people and servers, so they are on a lot of blocklists.
Sometimes the script is looking for special cookies when injecting onto sites like Amazon, so I used to use gift cards to buy stuff on Amazon on my test rig when examining some malware, and I would get much more interesting ads than without.
Also: be careful when recording your SSL traffic (with something like mitmproxy), since ad guys know about this: https://github.com/mitmproxy/mitmproxy/issues/4575, but a lot of netsec people forget about this.