Apparently PAV scams can redirect through ads on websites? Daily Tech is suspect atm

JamesV

Platinum Member
Jul 9, 2011
2,002
2
76
Had a post a while ago, asked about this. Searched and scanned thoroughly... it's still a mystery.

Today I got another, from the same site no less - Daily Tech, the Anandtech tech news website. Later that day, followed another link, and got it again. I'll be loading the Daily Tech news article, then it redirects to a strange URL.

Simple redirect, redirected page pops up a window with a 'you may be infected blah, blah, blah', click this window (can't close browser) thing. I know it's a scam, no big deal.

But, I thought it was on my end, but it is definitely something from the Daily Tech site, as tested and proven from my actions today... from java/script in ad banners?

Any way for an end user outside of firewalls/anti-virus/malware to determine something like this is not happening because of some issue on their end? Windows logs do not help; only trying to get redirected again by surfing the same site seems to be repeatable (until now, no issues @ 4AM EST).
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Had a post a while ago, asked about this. Searched and scanned thoroughly... it's still a mystery.

Today I got another, from the same site no less - Daily Tech, the Anandtech tech news website. Later that day, followed another link, and got it again. I'll be loading the Daily Tech news article, then it redirects to a strange URL.

Simple redirect, redirected page pops up a window with a 'you may be infected blah, blah, blah', click this window (can't close browser) thing. I know it's a scam, no big deal.

But, I thought it was on my end, but it is definitely something from the Daily Tech site, as tested and proven from my actions today... from java/script in ad banners?

Any way for an end user outside of firewalls/anti-virus/malware to determine something like this is not happening because of some issue on their end? Windows logs do not help; only trying to get redirected again by surfing the same site seems to be repeatable (until now, no issues @ 4AM EST).

Did you try on another client, is it repeatable on the one machine and not another?
Try it now, I just went to DT and not getting anything weird. Any article in particular?
 

JamesV

Platinum Member
Jul 9, 2011
2,002
2
76
pavredirect.jpg


Just happened not more than 5 minutes ago (note the gjetefa.info loading on the DT page). Go to an article, and randomly get redirected.

Searching didn't reveal much; but I found a post on a RealGM site (sports site) that talks about this, and the moderators said their programmers did something to fix it.

Nothing on my PC from MSE and Malwarebyte scans.

Edit* the realgm link http://forums.realgm.com/boards/viewtopic.php?f=40&t=1208047&start=45
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
pavredirect.jpg


Just happened not more than 5 minutes ago (note the gjetefa.info loading on the DT page). Go to an article, and randomly get redirected.

Searching didn't reveal much; but I found a post on a RealGM site (sports site) that talks about this, and the moderators said their programmers did something to fix it.

Nothing on my PC from MSE and Malwarebyte scans.

Edit* the realgm link http://forums.realgm.com/boards/viewtopic.php?f=40&t=1208047&start=45

Not getting a redirect on my end. Did you try accessing from a different computer? Try running Housecall.
http://housecall.trendmicro.com/
 

JamesV

Platinum Member
Jul 9, 2011
2,002
2
76
Sorry, I'm not installing yet another AV/whatever program.

I've posted my proof and experiences, and if it is only on my end, then I'm ready to endure it and never post about it again.

It could be my system, but these other threads I've found speak otherwise. I've been the programmer searching down elusive and un-repeatable bugs before, and I simply don't have the time nor will to do it here, if that is the case. I've bitched about it twice now, and I appreciate responses but I'm done with it.

Hope nobody else is having issues, and that is my last word.
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
But, I thought it was on my end, but it is definitely something from the Daily Tech site, as tested and proven from my actions today... from java/script in ad banners?

Well it's actually not from the DailyTech site itself. What happens is that the DT site, as well as thousands of others, use a particular ad provider. That provider sells impressions to many different partners, those partners can then resell, and so on and so on, until you have a rogue advertiser who sets up a malicious ad that redirects many times until it reaches a malicious payload (could be fakeav, could be an exploit kit, etc.). When visiting the main site, that ad space could rotate tens of thousands of times until a visitor gets the bad ad.
 

timbuktu

Junior Member
May 3, 2004
4
0
0
Had a post a while ago, asked about this. Searched and scanned thoroughly... it's still a mystery.

Today I got another, from the same site no less - Daily Tech, the Anandtech tech news website. Later that day, followed another link, and got it again. I'll be loading the Daily Tech news article, then it redirects to a strange URL.

Simple redirect, redirected page pops up a window with a 'you may be infected blah, blah, blah', click this window (can't close browser) thing. I know it's a scam, no big deal.

But, I thought it was on my end, but it is definitely something from the Daily Tech site, as tested and proven from my actions today... from java/script in ad banners?

Any way for an end user outside of firewalls/anti-virus/malware to determine something like this is not happening because of some issue on their end? Windows logs do not help; only trying to get redirected again by surfing the same site seems to be repeatable (until now, no issues @ 4AM EST).

Just got this on Anandtech itself. Redirect to gjetefa.info. MSE doesn't show anything.
 

Oakenfold

Diamond Member
Feb 8, 2001
5,740
0
76
Well it's actually not from the DailyTech site itself. What happens is that the DT site, as well as thousands of others, use a particular ad provider. That provider sells impressions to many different partners, those partners can then resell, and so on and so on, until you have a rogue advertiser who sets up a malicious ad that redirects many times until it reaches a malicious payload (could be fakeav, could be an exploit kit, etc.). When visiting the main site, that ad space could rotate tens of thousands of times until a visitor gets the bad ad.

So how do you prevent it? The question at the end of the day is how does DT ensure that it doesn't have malicious code in its ad space?
 

SagaLore

Elite Member
Dec 18, 2001
24,036
21
81
So how do you prevent it? The question at the end of the day is how does DT ensure that it doesn't have malicious code in its ad space?

The only way is to serve static ads from its own site. You can't use external images, js, flash, iframes, etc. or your visitors run the risk of getting a malicious ad impression.
 
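The "only static ads from your own site, no external js/iframes/images" rule above is exactly what a Content-Security-Policy lets the publisher enforce in the browser. The following is an added example, not code from the thread or from AnandTech: a minimal CSP matcher run over a constructed list of resource loads, with all host names (publisher.example, adnetwork-a.example, etc.) invented for illustration.

```python
from urllib.parse import urlparse

# Added example, not code from the thread or from AnandTech: a minimal
# Content-Security-Policy matcher that checks each resource a page loads
# against a policy trusting only the publisher's own origin. All hosts
# below are constructed.

PAGE_ORIGIN = "https://publisher.example"   # assumed first-party site

# Scripts, frames and images may only come from the site itself (plus the
# site's own static host for images). Missing directives use default-src.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "frame-src": ["'self'"],
    "img-src": ["'self'", "https://static.publisher.example"],
}

# Constructed observations from one page view: (directive, resource URL).
OBSERVED_LOADS = [
    ("script-src", "https://publisher.example/js/site.js"),
    ("img-src", "https://static.publisher.example/ads/banner1.png"),
    ("script-src", "https://cdn.adnetwork-a.example/tag.js"),     # third-party ad tag
    ("frame-src", "https://sync.reseller-b.example/frame.html"),  # reseller's nested frame
    ("img-src", "https://tracker.example/pixel.gif"),
]

def _source_matches(source, url):
    """True if one CSP source expression permits this URL."""
    target = urlparse(url)
    if source == "'self'":
        o = urlparse(PAGE_ORIGIN)
        return (target.scheme, target.hostname, target.port) == (o.scheme, o.hostname, o.port)
    allowed = urlparse(source if "://" in source else "//" + source)
    if allowed.scheme and allowed.scheme != target.scheme:
        return False
    if allowed.hostname.startswith("*."):        # wildcard host such as *.cdn.example
        return target.hostname.endswith(allowed.hostname[1:])
    return target.hostname == allowed.hostname

def blocked_loads(policy=POLICY, loads=OBSERVED_LOADS):
    """Return the (directive, url) pairs this policy would refuse to load."""
    blocked = []
    for directive, url in loads:
        sources = policy.get(directive, policy["default-src"])
        if not any(_source_matches(s, url) for s in sources):
            blocked.append((directive, url))
    return blocked
```

With this policy every third-party ad tag, reseller frame and tracking pixel in the sample is refused, which is why the mitigation works but also why it rules out any externally served ad inventory.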

Ryan Smith

The New Boss
Staff member
Oct 22, 2005
537
117
116
www.anandtech.com
Aww great, just what we don't need.

Well it's actually not from the DailyTech site itself. What happens is that the DT site, as well as thousands of others, use a particular ad provider. That provider sells impressions to many different partners, those partners can then resell, and so on and so on, until you have a rogue advertiser who sets up a malicious ad that redirects many times until it reaches a malicious payload (could be fakeav, could be an exploit kit, etc.). When visiting the main site, that ad space could rotate tens of thousands of times until a visitor gets the bad ad.
SagaLore is correct here. This would be coming from a 3rd party ad provider we use to fill space when we don't have enough 1st party ads to cover a page view. We use 3rd party ads more on the forums than the main site, but every site pulls from the same 3rd party ad pool in the end.

I'm going to see if I can find the source of these ads and then get the 3rd party who is serving these BBQd by our buddies at LMCD, but to be honest I can't make any promises. If any of you can get these ads to come up, your help would be greatly appreciated. For IE users the built-in dev tools, or for Firefox users the Firebug extension, will allow you to dissect a page and identify the ad network serving up the bad ad. These ads have a very low rate of appearing (*insert RPG analogy here*) so I may not be able to find the source on my own.
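Dissecting the page as Ryan suggests comes down to reconstructing the redirect chain SagaLore describes and finding the first hop the publisher does not control. The following is an added example, not code from the thread or from AnandTech: it rebuilds that chain from constructed HAR-style entries (the format browser dev tools export); every URL is invented except the landing domain gjetefa.info, which the thread names.

```python
from urllib.parse import urlparse

# Added example, not code from the thread or from AnandTech: rebuild the
# redirect chain of one page view from HAR-style entries and name the first
# third-party host in it, i.e. the ad network whose tag started the chain.
# All URLs are constructed except gjetefa.info, which the thread names.

FIRST_PARTY_HOSTS = {"www.dailytech.example", "ads.dailytech.example"}  # assumed

# Constructed HAR "entries": one request each, with its response status, its
# Location header (for 3xx responses) and the Referer header it was sent with.
HAR_ENTRIES = [
    {"url": "https://www.dailytech.example/article/123", "status": 200,
     "location": None, "referer": None},
    {"url": "https://tag.adnetwork-a.example/serve?slot=top", "status": 302,
     "location": "https://rtb.reseller-b.example/win?id=9",
     "referer": "https://www.dailytech.example/article/123"},
    {"url": "https://rtb.reseller-b.example/win?id=9", "status": 302,
     "location": "https://cdn.reseller-c.example/creative.html", "referer": None},
    {"url": "https://cdn.reseller-c.example/creative.html", "status": 200,
     "location": None, "referer": None},
    {"url": "https://gjetefa.info/scan.php", "status": 200, "location": None,
     "referer": "https://cdn.reseller-c.example/creative.html"},
]

def redirect_chain(entries, landing_url):
    """Walk back from the landing URL to the page that started the chain, linking
    each request to its predecessor by Location (HTTP redirect) or else by Referer.
    Returns URLs in load order: first-party page first, landing page last."""
    by_url = {e["url"]: e for e in entries}
    chain, current = [landing_url], landing_url
    while True:
        prev = next((e["url"] for e in entries if e["location"] == current), None)
        if prev is None:
            prev = by_url.get(current, {}).get("referer")
        if prev is None or prev in chain:   # reached the origin page, or a loop
            break
        chain.append(prev)
        current = prev
    return chain[::-1]

def first_third_party(chain, first_party=FIRST_PARTY_HOSTS):
    """First host in the chain that the publisher does not control."""
    for url in chain:
        host = urlparse(url).hostname
        if host not in first_party:
            return host
    return None
```

In the sample the chain runs article page, adnetwork-a tag, reseller-b, reseller-c creative, landing page, so the host to report to the ad provider is the adnetwork-a tag, not the reseller that finally served the creative.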