Anyone interested can check the full HTML source here. We're pretty sure that the HTML we prompted ChatGPT with does not contain a malicious script: rather, it looks like the attributes of an ivory/champagne coloured (and possibly Japanese) dress for sale on an e-commerce website. The forbidden tokens seem to make GPT a little bit paranoid.
I think that here ChatGPT was actually (mostly) correct -- the code above this HTML is indeed malicious. I have manually cleaned it up myself; it's on pastebin here.
It is just a simple (but quite obfuscated) script that checks whether the user arrived at the page via a search engine (by checking document.referrer) and whether the user has not visited the page in the last 3.5 days (tracked by setting a cookie), and if so, it injects an extremely-probably-malicious script from 'https://storageofcloud.men/jp-shmotki.php?&query=' + some query. There are 10 different code snippets on that page; they differ a bit in obfuscation and in the exact query used (all probably Google-Translated "clothing search queries" in Japanese, ranging from wedding dresses to Naruto; I posted them here).
Interestingly, this URL includes the Russian colloquial word "шмотки"/"shmotki" (a somewhat negatively-connoted word meaning "clothes").
I checked the historical WHOIS records for the "storageofcloud.men" domain and it seems it existed from April 2018 to April 2023, so at the moment of writing this post in February 2023 it would still have existed for two more months, and the payload could have been downloaded and investigated then :-)