snopes.com


Richard W 25 May 2014 10:55 AM

Dodgy fake Firefox redirect with video update warning (from an advert?)
 
I've had this redirect several times over the course of a week or so - most recently when clicking the "shooting rampage" thread, but it's not always the same thread and it's not consistently redirecting from any given thread.

I am using Firefox, and it's pretending to be Firefox, but clearly isn't:

http://i9.photobucket.com/albums/a97...psefbab5d4.jpg

Possibly some dodgy script sneaking in on an advert?

Richard W 27 May 2014 09:28 PM

Here's another one - also from the "shooting rampage" thread, but a different URL and claiming to be something to do with Java:

http://i9.photobucket.com/albums/a97...ps6e9e7428.jpg

I'm getting these fairly frequently on two different machines... am I the only person who's seen them? It looks a fairly serious security issue to me...

jimmy101_again 27 May 2014 09:35 PM

I've not seen either of those here on snopes. Perhaps you picked up a virus and it is throwing those pages at random?

Richard W 27 May 2014 09:42 PM

No - two different machines, and it only happens on links to threads on this board. My virus software is up-to-date and no reported problems. (I'm running a full scan now to make sure).

jimmy101_again 27 May 2014 10:08 PM

Figure 99% chance it is your computer(s) and 1% chance it is actually snopes.

Might be time to clear your cache, cookies and autofill for messages.snopes.com. Also check your plugins list for ones you don't recognize.


hijack-- (of the thread, not your browser :p )
Anyone else notice that since Google redid their search algorithms last summer the quality of the results has significantly decreased? Searching for things like "outdated java plugin hijack" in google now returns almost nothing but crappy web sites like ask.com or anvisoft.com. Often those pages are auto-generated pages that don't really contain any useful information. Or, they want you to download software (of dubious reliability). :mad:

Richard W 27 May 2014 10:39 PM

Personally I'd say the reverse, since it's rather unlikely that exactly the same issue, which only manifests itself as a redirect when clicking threads on the board (what would "autofill suggest" have to do with that? I'm not typing the links by hand), would manifest itself at the same time on two unrelated computers, both of which have good independent virus protection (different systems), and neither of which has shown any other symptoms or problems, but still... that's why I posted here to see whether others had seen it.

jimmy101_again 28 May 2014 09:47 PM

Still though, the common thing between your two reports is you, and others are not, apparently, seeing those pages.

Maybe the virus is in you and not your computers. :p

Richard W 28 May 2014 10:55 PM

Maybe, especially as nobody else has apparently seen it!

But I did a full virus scan, cleared all the caches on both machines and I'm still seeing it - mostly only on the one thread, as well (Shooting rampage that killed 7 near UCSB planned, authorities say)... I said in my first post that I'd seen it on other threads, but I'm not sure about that now. Since I posted that, the shooting rampage thread is the only one I've seen trigger it. Not every time I look at the thread, but each time it's happened, it's when I've been trying to open, reply to or change pages on that thread.

ganzfeld 28 May 2014 11:09 PM

I tried to replicate but couldn't. I don't think it's 99% your end. I think probably more like 5% yours 95% the boards since this has happened with ads many times before and if you had that particular adware/malware you'd probably know it in other ways in addition to catching it on the scan. Problem is, though, the ads are becoming more and more targeted (I get ads for Japan) so it's going to be hard to find out by which route it's coming. If I were you, I would consider running with JavaScript off at least for the time being just so you don't inadvertently click one of those.

jimmy101_again 29 May 2014 07:01 PM

You cleared your cache but you also might try clearing your browser's cookies and history.

overyonder 29 May 2014 07:29 PM

Based upon the website it wants you to go to, and the error messages, it appears that you have the "lpcloudbox329.com" virus.

The manual removal method from this website appears safe to me. No guarantees on my part though.

OY

Richard W 29 May 2014 07:57 PM

Quote:

Originally Posted by jimmy101_again (Post 1824387)
You cleared your cache but you also might try clearing your browser's cookies and history.

I did...

I'm fairly sure I've not got a virus. I ran a full virus scan a couple of days ago, and this has affected apparently only a single thread on this board and no other sites, on two different machines at the same time - both of which have current (but different) virus protection, and neither of which has shown any other symptoms.

But I just checked the Firefox add-ins and there's no sign of the cloudbox add-in, or anything else that I wouldn't expect to be there. I can't see any dodgy-looking processes running in Task Manager either - although it's always hard to tell these days...

ganzfeld 30 May 2014 01:46 AM

Why would the virus be prompting you to click to update anyway? That's how the virus gets in. Once it's in there's no reason for it to hijack ads. I didn't see where you said you clicked on one of the dodgy ads so I'm a bit confused as to why people think you have a virus.

GaryM 30 May 2014 02:03 AM

I used to see that Java one quite often, and on a few different websites. Did all the usual virus scans, browser clearing etc. but I kept seeing it. Recently though, my anti-virus (Avast!) has started popping up a message saying that it has blocked a malicious file, and I no longer see those dodgy Java pages.

Dancer 30 May 2014 06:41 AM

I have had the same things pop up. I use Chrome and the security settings in Chrome blocked the attempted download to my computer. I also had the Java screen pop up the same as shown in this thread. While I may not have been on the shooting page, it was open and in the background (on a different tab in Chrome.)

Nothing since my last reboot about five hours or so ago. I was actively engaged in a different message board on an MLB team's web site. Snopes message board and Facebook were both open in different tabs when these screens popped up.

I am not sure if this helps but at least you are not alone in this, Richard.

Richard W 30 May 2014 08:38 AM

Thanks, I knew I couldn't have been the only person to see it!

I'm not sure exactly what can be done about it (other than turn off JavaScript on our end, as ganzfeld suggests) since it's probably a scripting thing in an advert, and I guess there's not much control on snopes's end over how those are displayed... besides, as long as nobody is fooled by it and clicks, it's only a minor annoyance.

I've not seen any attack warnings or malicious file download warnings associated with it.

GaryM 30 May 2014 05:40 PM

Was just browsing the Snopes board and my anti-virus reported that it had blocked a suspicious file from hxxp://91.218.115.42/ukgbb.php?inh=8412

jimmy101_again 30 May 2014 08:53 PM

Quote:

Originally Posted by ganzfeld (Post 1824468)
Why would the virus be prompting you to click to update anyway? That's how the virus gets in. Once it's in there's no reason for it to hijack ads. I didn't see where you said you clicked on one of the dodgy ads so I'm a bit confused as to why people think you have a virus.

In order for a popup to overlay the main screen, some dodgy coding is required. Often that coding is in a virus. So you can have a virus, and it is the virus that allows that particular popup's behavior. Similar to browser hijacks in which suddenly you can't get to Google, or to virus/malware removal sites. They can be pretty hard to get rid of and they are not always detected by good antivirus/antimalware programs.

Richard W 30 May 2014 09:04 PM

No, often that code is in a piece of script that's been injected into the web page somewhere. (In this case, most likely in an advert). To me, "a virus" implies something that's installed and running as an independent process on my machine - not something that's on the web page and running in the browser as long as I look at that page.

Maybe we mean different things by "a virus", but you did say that you thought my machine might have a virus, whereas in my terms it's the web page that has "a virus" (and it's not a virus).

jimmy101_again 30 May 2014 09:21 PM

Sometimes the two things (web page with code and a resident virus or hijack) are working together. You can close the web page but the hijack/virus/malware is still present and will show up again.

Or, a browser hijack will redirect to a web page that attempts to install a virus or other malware.

A browser hijack looks like it is coming from outside but is actually 100% resident on your computer. Antimalware software often doesn't detect browser hijacks.

Edit: But I think you are probably right, this particular thing is some dodgy web page code that has slipped into some company's ad stream and is being propagated to snopes.


All times are GMT.