Malware in ad


LHaven
03-11-2020, 04:22 PM
Admins: Today I am receiving frequent "update your Flash Player" malware solicitations from this forum, with no way to cancel. This is typically a symptom of someone submitting a "poisoned" ad to the pool of advertisements you display.

jsb5717
03-11-2020, 08:06 PM
What browser are you using? I had some weird stuff with Microsoft Edge. I was testing the new version. Haven't had the malware with Firefox or Chrome.

LHaven
03-11-2020, 08:30 PM
I'm using Safari on Apple High Sierra. I had to come to Tapatalk just to answer this post, because as I sit there trying to read it, it doesn't take four seconds for the ad to grab the page and throw me to "gogo.thepowerrangers.com" where one of those phony ads lives. Every time I hit the back key, it throws me back to the malware within about two seconds.

LHaven
03-11-2020, 08:35 PM
I should add that it's not just this forum. I pulled up a particular news item from Reuters (https://www.reuters.com/article/us-usa-guns-chicago/judge-rules-chicago-ban-on-gun-sales-is-unconstitutional-idUSBREA0515J20140107) today that sends me to the exact same malware within about 20 seconds.


UPDATE: The only extensions I run are 1Password (which I've run forever) and Honey (which I just added, but I verified that I still get the same bad behavior when it's not running).

hankpage
03-11-2020, 09:08 PM
LHaven, one of our moderators had a similar problem yesterday that went away when he logged out and then back in. The rest of us have not seen anything out of the ordinary, so we are kicking it up to the admins to see if they have seen this on any of their other forums. Didn't want you to think we were not paying attention to your problem. Travel safely, Hank

P.S. I have recently added Honey also but have not had any problems.

LHaven
03-11-2020, 10:19 PM
I thought I'd include one of the resulting URLs just in case. It has a lot of trailing parameters that may help you identify the offending ad. (For heaven's sake, don't click on it.)


https://gogo.thepowerrangers.com/0d09f9d8-90dd-4dd5-8b2c-2031e317fb90?aff_sub2=d361f4b4-92a1-425a-98c1-b8a2132d9ec5_1583993400&aff_sub3=MEDIAMATH-MO&ssp=ruc&aff_sub4=728x90&aff_sub6=keystoneforums.com&domain=keystoneforums.com&domain_id=e2f4d5c200a2fff5ee29029cf18ae0f9&campaign_country=US_OSXSF_MNST_WIFI_POP
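
The query string in that URL can be split into its tracking fields so the admins have something concrete to hand the ad network. The Python below is an added example, not code from the forum or its operators; it parses the URL LHaven posted. What each parameter means (aff_sub2 as a click id with a trailing Unix timestamp, aff_sub3 as the demand partner, aff_sub4 as the creative size, domain/aff_sub6 as the placement site, campaign_country as targeting tokens) is inferred from the names and values and is an assumption, not documented behaviour of the network involved.

```python
"""Split a malvertising redirect URL into the fields an ad-ops team can act on.

Added example for this thread, not code from the forum. Field meanings are
inferred from parameter names and values (assumptions, marked below).
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# The redirect URL exactly as posted in the thread. Never open it in a browser.
POSTED_URL = (
    "https://gogo.thepowerrangers.com/0d09f9d8-90dd-4dd5-8b2c-2031e317fb90"
    "?aff_sub2=d361f4b4-92a1-425a-98c1-b8a2132d9ec5_1583993400"
    "&aff_sub3=MEDIAMATH-MO&ssp=ruc&aff_sub4=728x90"
    "&aff_sub6=keystoneforums.com&domain=keystoneforums.com"
    "&domain_id=e2f4d5c200a2fff5ee29029cf18ae0f9"
    "&campaign_country=US_OSXSF_MNST_WIFI_POP"
)

SIZE_RE = re.compile(r"^\d{2,4}x\d{2,4}$")  # IAB-style "WxH" creative size


def ad_attribution(url: str) -> dict:
    """Return the fields needed to locate and pull the offending creative."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}

    # First path segment on the landing host: per-offer id (assumption).
    path = parts.path.strip("/")
    offer_id = path.split("/")[0] if path else None

    # aff_sub2 looks like "<click id>_<unix time>" (assumption); split it.
    click_id, click_time = params.get("aff_sub2"), None
    if click_id and "_" in click_id:
        head, _, stamp = click_id.rpartition("_")
        if stamp.isdigit():
            click_id = head
            click_time = datetime.fromtimestamp(int(stamp), tz=timezone.utc)

    size = params.get("aff_sub4")
    return {
        "landing_host": parts.hostname,
        "offer_id": offer_id,
        "click_id": click_id,
        "click_time_utc": click_time.isoformat() if click_time else None,
        "demand_source": params.get("aff_sub3"),        # assumed: DSP / partner
        "ssp": params.get("ssp"),                       # assumed: supply side
        "creative_size": size if size and SIZE_RE.match(size) else None,
        "placement_domain": params.get("domain") or params.get("aff_sub6"),
        "placement_id": params.get("domain_id"),
        # Underscore-separated targeting tokens (assumed: country, OS/browser,
        # connection type and so on); reported as-is, meanings not asserted.
        "targeting": (params.get("campaign_country") or "").split("_"),
    }


def same_campaign(url_a: str, url_b: str) -> bool:
    """True when two reports (e.g. from two users) point at one ad line item:
    same landing host, offer id, SSP and demand source."""
    a, b = ad_attribution(url_a), ad_attribution(url_b)
    keys = ("landing_host", "offer_id", "ssp", "demand_source")
    return all(a[k] == b[k] for k in keys)


def hosts_file_line(url: str) -> str:
    """The hosts-file entry that sinks the landing host, as a local stopgap.
    This blocks the phishing page, not the forced redirect itself."""
    return f"0.0.0.0 {urlsplit(url).hostname}"


if __name__ == "__main__":
    for key, value in ad_attribution(POSTED_URL).items():
        print(f"{key:18} {value}")
    print(hosts_file_line(POSTED_URL))
```

Two or more users posting their own redirect URLs can be matched with same_campaign() to show the admins that one line item is responsible; the click_time_utc value gives the ad-ops side a time window to search their logs.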

gkainz
03-12-2020, 04:00 AM
I believe you have a browser hijack on your computer (yes, it can happen on Mac/Apple stuff, too). I'm on a Mac or iPhone most of the time.
Download Malwarebytes and let it run a scan. Or google "gogo powerrangers hijack" for removal instructions.

fatcatzzz
03-12-2020, 05:15 AM
May be a man-in-the-middle attack. You can google it. Reestablish a web connection to a known secure web connection and see if this still happens with ads. If the ad goes away, your connection is being hacked. This is common with public wifi connections. Just my 2 cents.

LHaven
03-12-2020, 07:15 PM
For general information, I'm reasonably experienced with this stuff (http://macsrwe.com). I disinfect other people's machines daily. I'm also pretty confident about the security of my town's Internet service, because I built it.

I run Malwarebytes regularly. It finds nothing. I have cleaned out all the Launch*s, Startups, Plugins, site cookies, etc. It doesn't make a difference. None of that has helped this particular problem.

Other Apple users are describing the same symptoms (https://forums.macrumors.com/threads/safari-wants-to-update-adobe-flash-but-only-when-visiting-cnn-dot-com.2224769/post-28252711). Only Safari, only certain websites, tied to ad deliveries. But on some big name websites (that I rarely visit) like CNN and NYT. Wordpress sites are implicated (https://en.forums.wordpress.com/topic/malware-warning-of-unsafe-wp-site/), visibly serving up the same ads as the Keystone Forum, CNN, etc.

I have the bogus site redirected to 0.0.0.0 in my hosts file to avoid the phishing page, but I still can't spend more than five seconds on a Keystone forum page that serves ads before I get hijacked to a "can't connect to URL" screen. (Conversely, I can spend forever on my profile screen because there are no ads there.)

Looks like I'm going to have to resort to Tapatalk and Firefox until the ad delivery aggregation company gets its act together.


UPDATE: I strongly suspect the reason that Firefox isn't being victimized by this is because it is apparently blocking all the ads!

jsb5717
03-12-2020, 09:57 PM
I'm on Firefox right now and there are the usual ads present to the right of this section as well as intermingled in the thread.

As I said, I experienced what you described in MS Edge so I quit using it. So far no problem with FF.

gkainz
03-13-2020, 06:33 AM
I'm in IT, too, and one of the sad sayings (internally) we have when closing a request that we cannot duplicate is "I'm sorry you're sitting in the dark, but the lights are on in my office" :)

Hope that doesn't sound denigrating, just commiserating! I'm using Safari (a little), Chrome mostly and haven't experienced what you're seeing while here or elsewhere.

Good luck with chasing this to ground and killing it! Would be interested in hearing what the resolution turns out to be.

Janet H
03-13-2020, 04:00 PM
Thanks for the reports. We believe this is likely a bad ad being slipped in occasionally (or maybe more than one). Any URLs you can supply are helpful.

For Safari users especially, the "update your Flash Player" notices are annoying. I recommend running Malwarebytes (free) to clear your machine of unwanted malware.