Ads redirecting android phones to malicious sites

[fralexandr]

Yeah i've had a few instances on desktop where avira has blocked the page from loading due to security risks.

I liked anandtech because it wasn't riddled with advertisements, had a good layout, and a clean design... a lot of other tech sites failed at one or more of those.

 

[lupi]

Had it happen again, first the page tried to open https://cloudatt.com/60be3237-f24a-4d1d-a2df-ac57b316143b and then it attempts to open to the malware site.

 

[CrackRabbit]

Had it happen again, first the page tried to open https://cloudatt.com/60be3237-f24a-4d1d-a2df-ac57b316143b and then it attempts to open to the malware site.

This is the site I am being redirected to in Chrome in iOS 10. I've started using Adblock browser, but for some reason I can't seem to log in when using it.

 

[lupi]

Just loaded up at page for first time today, got same redirect from art cloud site then to a slightly different makwatlre up with same corrupted by virus install me message.

 

[fralexandr]

Still happening on galaxy s7 android 6 chrome...

Was redirected to unidingcom.com and bkwuzhouc.pw

 

[Fardringle]

It amazes me that this is still an issue. If the ad company won't fix the problem, turn the ads off completely until they do, it until you find a better ad provider.

 

[jpishgar]

Hey there all,

This issue has been escalated, and our team is actively and aggressively hunting down the source of the problem. Unfortunately, this is an issue which has afflicted a number of sites and active forums on the internet lately and narrowing down the root bad actor in the ad network is challenging. Our engineers are investigating possible solutions and tools we can apply to the problem.

We can fix it quicker if you help us do so. If you encounter the problem ad, don't close the page - but please immediately contact Asst. Community Manager Josh Simenhoff at jsimenhoff@purch.com, and you'll be asked for some information to help us find the needle in the haystack here.

Thanks for your patience in this, guys, and hopefully we can get the issue squared away before too long.

-JP

 

[UsandThem]

I personally haven't had the pop up/redirect since my new phone (S7 Edge) was updated to Nougat. My old phone (ZTE Pro Max) was running Marshmallow. I use Chrome as my browser.

I'm not sure if it's connected or not yet, just a FYI to see what others are experiencing on their end.

 

[lupi]

Just had it occur again. This time the secondary redirect site was to a different up name.

Don't have the window still open as it keeps vibrating my phone habit have the sites saved in my history.

 

[lupi]

First 2 times I tried connecting today gave me the pop ups.


This was the final redirectpage.

http://us.dewulanhaotec.pw/sadd/0_index0.php?model=Galaxy S7 Edge&brand=Samsung&osversion=Android 7.0&ip=172.58.201.96&voluumdata=BASE64dmlkLi4wMDAwMDAwMy0yYmVjLTRjOTktODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjA4NmY0ODAwLWZlYzItMTFlNi04ZWZmLTEzMzNlZmVmODk0YV9fY2FpZC4uNjdkYjU4MmMtZDk5MS00YmUyLWI3NjMtNWQzYmNhNmNjOGViX19ydC4uUl9fbGlkLi41ODI2MjUzZC03YzM4LTRhNGMtYmExMi04MTcyYjViMmYyNjZfX29pZDEuLmY5MmEyMzZjLTAyOGItNDM0Yy05OGRiLTBjMzUwYzdkZjM0NV9fdmFyMS4uMzI0Nl9fdmFyMi4uMF9fcmQuLl9fYWlkLi5fX2FiLi5fX3NpZC4u&PREFIJO=3246&PUBID=0&clickid=1488403208mb21041336463#b

 

[UsandThem]

I personally haven't had the pop up/redirect since my new phone (S7 Edge) was updated to Nougat. My old phone (ZTE Pro Max) was running Marshmallow. I use Chrome as my browser.

I'm not sure if it's connected or not yet, just a FYI to see what others are experiencing on their end.

Well I can throw out it being a Marshmallow issue because today when I was out I went to Anandtech using my mobile network, and I got hit with the redirect. Since I wasn't home, I couldn't snap a picture of the page it loaded, but it was the same I experienced on my ZTE phone.

But this was the hijack address in my Chrome history (I'm changing the w to a * in the first line so somebody doesn't accidentally click a live link)

http://us.bqxiamenc.p*/sadd/0_index0.php?model=Galaxy S7 Edge&brand=Samsung&osversion=Android 7.0&ip=66.249.88.44&voluumdata=BASE64dmlkLi4wMDAwMDAwNC0zOWJmLTQ0MDUtODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLmQxMTRhMDAwLWZmODItMTFlNi04N2EwLTk4YmVlN2Q0OTRlZV9fY2FpZC4uNjdkYjU4MmMtZDk5MS00YmUyLWI3NjMtNWQzYmNhNmNjOGViX19ydC4uUl9fbGlkLi41ODI2MjUzZC03YzM4LTRhNGMtYmExMi04MTcyYjViMmYyNjZfX29pZDEuLjk0MzYyNzBjLTUxMzgtNDBiZS1iMTcyLTFjOWExMDc5OTVjZV9fdmFyMS4uMzI0Nl9fdmFyMi4uMF9fcmQuLl9fYWlkLi5fX2FiLi5fX3NpZC4u&PREFIJO=3246&PUBID=0&clickid=1488486518mb14974036108#b

 

[lupi]

Haven't had an occurrence in a good week or so, but just got hit now with one.

 

[fralexandr]

Haven't had an occurrence in a good week or so, but just got hit now with one.

Same. Got one yesterday on the forums, and I think I just got one while browsing the anandtech main site, unless it can redirect a seperate chrome tab...

 

[UsandThem]

Just a FYI for anybody who wants to try this out and see if it works out for them as well, but after getting hit with similar redirects on other legitimate sites, I downloaded Firefox (mobile) and Adblock Plus from the list of add-ins about a week ago, and I haven't been hit with anymore since then. I prefer using Chrome on my phone, but if not using gets rid of those annoying redirects I can live without it. I wonder if their is some type of exploit in Chrome. Too soon to tell right now, but I hope it continues to work.

 

[jsimenhoff]

Any redirects other than the one from two days ago? Right after you all sent your reports we were able to catch another malware redirect and got it blocked at 5PM EST.

Thanks for your assistance everyone.

 

[lupi]

None since.

 

[lupi]

Had set my phone down after switching forum pages and when I picked it back up I had the my phone corrupted by virus redirect page up again.

 

[jsimenhoff]

Wow, that's unfortunate to hear. I thought this issue had been resolved. I'll report back to our team. Thank you.

 

[CrackRabbit]

Wow, that's unfortunate to hear. I thought this issue had been resolved. I'll report back to our team. Thank you.

This still isn't resolved, happened again tonight as I was browsing on Chrome in iOS, same cloudatt redirect, but this time to a "you won $1000" site. Back to Adblock I go.

 

[jsimenhoff]

I've once again escalated this issue and notified the Director of Community. We are actively and aggressively looking for the cause of this issue. I know the team has already sent out requests to block this ad and its source. We have also set aside engineers to investigate more immediate solutions and tools we can use to fix this problem.

If you encounter the problem ad, don't close the page - but please immediately contact me, Asst. Community Manager Josh Simenhoff at jsimenhoff@purch.com.

Thank you

 

[CrackRabbit]

I've once again escalated this issue and notified the Director of Community. We are actively and aggressively looking for the cause of this issue. I know the team has already sent out requests to block this ad and its source. We have also set aside engineers to investigate more immediate solutions and tools we can use to fix this problem.

If you encounter the problem ad, don't close the page - but please immediately contact me, Asst. Community Manager Josh Simenhoff at jsimenhoff@purch.com.

Thank you

And the redirects are back. Josh I sent you an email with as much pertinent information as I had.
Just a heads up to any one else that encounters this.

 

[Phelot]

Usuable on Android today; constant hijacking to a vibrating ad.

 

[VirtualLarry]

There are problems with some of the desktop ads now as well. Over the last few days I have noticed several of them trying to install invalid/revoked security certificates on my PC. The certificates are coming from search.spotxchange.com and the ads are so persistent that once they show up it's impossible to do anything except shut down the browser since they continually retry the certificate installation when it is rejected. I wouldn't be surprised if many forum users are now "trusting" this spam source without even knowing it..

I did not realize that malicious ads can try to install security certificates. Is there a way to block this with Waterfox or Firefox? I also now run Ublock Origin to get rid of the ads, because the video ads are so obnoxious, that my browser accumulates 6GB of RAM usage in like an hour, and after 2-3GB, it starts getting sluggish and unresponsive.

ALSO!

I've noticed, on several of my machines, sometimes when I reboot, a bunch of Command Prompt windows popping up and disappearing. There are a few thread in the OS forums, about NV drivers and MS Office Update doing that, but on some of my machines, I only have Intel graphics, and no MS Office installed.

It HAS occurred to me, given the number and frequency of ad-related issues, especially the mobile version, but as you noted, also the desktop version, that this site MAY BE SERVING MALWARE.

The other possibility, is Skype. I leave that running in the background, and it runs Flash Player-based ads constantly. I've caught the Skype client, with an ad, that was trying to push a "Flash Update", and when I woke the machine up, it was sitting at a File Save dialog box.

So, things are afoot, probably malware. I've noticed some strangeness with my Ebay and Paypal accts too.

On all of my main workstations, I don't surf "dangerous" sites, I don't download anything from anything but their official sites. I only really visit AT, Newegg, Ebay, Amazon, SuperBiiz, DistroWatch, and a few others.

Yet, I'm very concerned that they (my machines) were "compromised" somehow.

 

[Ryan Smith]

If any of you guys are regularly getting malicious ads on an iOS device, please give me a holler. We have some new tracking tools, but as this stuff is heavily random, I can't always trigger it on my end.

 

[brian rossi]

Hi Ryan,
I mentioned you on twitter as I'm trying to get an email address for you. I work for a media company experiencing similar issues and was hoping we could be of help to one another.
Thanks.