Is turfexpert.net safe?

encoded payload

suspicious base64-like blobs detected in page content

phishing

1 deceptive links where visible host does not match destination host

cloaking

Page checks user-agent for bot/crawler strings to serve different content

cloaking

Page conditionally redirects based on referrer or user-agent

js obfuscation

JavaScript uses Function constructor for runtime code generation

malicious redirect

The scanned URL is turfexpert.net but all canonical tags, og:url, og:site_name, structured data, and all internal links point to webcottages.co.uk (a UK cottage rental domain). The actual page serves adult content under the brand 'sieusex.uk'. This is a classic domain cloaking/redirect abuse where an unrelated legitimate-looking domain (turfexpert.net) resolves to a completely different site (webcottages.co.uk hosting sieusex.uk content). (location: page.html:12-18 (canonical and og:url tags), metadata.json (url: turfexpert.net vs all content pointing to webcottages.co.uk))

brand impersonation

The page is served under the domain turfexpert.net but presents itself entirely as 'sieusex.uk' operating through webcottages.co.uk. The canonical URL, structured data @id, og:site_name, logo, and all hyperlinks reference webcottages.co.uk and sieusex.uk — not turfexpert.net. This constitutes brand impersonation of webcottages.co.uk (a legitimate UK holiday cottage rental site) to host adult content, likely to leverage the domain's established reputation or SEO authority. (location: page.html:12, 18, 19, 23, 242-243 (site-title 'sieusex.uk', logo href to webcottages.co.uk))

malicious redirect

A popunder script fires on first user click anywhere on the page, opening https://oopen88.xyz/sieusexopen88 in a new tab with win.blur()/window.focus() to hide it. A rate-limiting key 'ok83866_last' in localStorage throttles it to once per hour. This is an aggressive popunder ad/redirect mechanism that sends users to an unknown third-party domain without consent. (location: page.html:826-865 (inline script with POP_URL = 'https://oopen88.xyz/sieusexopen88'))

hidden content

A hidden div in the header contains the text 'sieusex.uk' with CSS class 'hidden': <div class='hidden'>sieusex.uk</div>. This is injected for SEO keyword stuffing and is not visible to users but is readable by crawlers and AI agents. (location: page.html:239 (<div class='hidden'>sieusex.uk</div>))

social engineering

Multiple video listings use what appear to be real Vietnamese women's full names alongside birth years (e.g., 'Như Quỳnh 2k5', 'Vũ Thị Hà My 2k8', 'Phan Thị Nhã Trân 2k6', 'Trần Thi Bích Ngân 2k5') with titles framing content as 'leaked clips' (lộ clip). This is a non-consensual intimate image (NCII) distribution pattern using real identities and social engineering framing ('leaked', 'exposed') to attract clicks and normalize exploitation. (location: page.html:382-692 (multiple video-item entries with real names and 'lộ clip' framing))

hidden content

The page uses the 'Ad Inserter' WordPress plugin (ai_front, ai_check_block, ai_insert_code functions) with base64 encoding/decoding (b64e/b64d wrapping btoa/atob) to dynamically insert ad code that is stored encoded in data attributes. This obfuscates the actual ad payloads being injected into the page at runtime, preventing static analysis of the inserted content. (location: page.html:1000-1003 (b64e/b64d definitions), page.html:1004-1034 (ai_check_block, ai_insert_code using b64d to decode and inject content))

obfuscated code

Custom base64 encode/decode functions (b2a, a2b, b64e, b64d) are defined inline and used throughout the Ad Inserter plugin code to encode ad block content stored in data-code HTML attributes. Content injected via b64d(a.dataset.code) is never visible in static HTML, only decoded and inserted at runtime — a common obfuscation technique to hide malicious or policy-violating ad payloads from scanners. (location: page.html:1000-1003 (b2a, a2b, b64e, b64d functions); repeated use in ai_insert_code at page.html:1039-1044)