5

I'm having strange issues using Chrome Version 65.0.3325.181 (Official Build) on PC (Win 7) and OSX (10.11.6) on different systems.

Clicks are often being hijacked taking me to different sites (often gambling ones). Or alternatively, clicks are being filtered through redirect domains. This is happening on websites that I am logged into (some of which, worryingly, contain real-money wallets) as well as Google.

Two examples:

  1. The most common one. I click a link. So fast that I don't even notice it, the click goes through an intermediate redirect URL. I only see this, even for a fraction of a millisecond, if for some reason the redirector is slow or breaks. E.g. clicking a link in Google for a bike part takes me to the website, but via

    https://datds.net/replacement/click?place=1234&subid=abcd1234&href=http%3A%2F%2Fwww.chainreactioncycles.com%2Fbmc-sl-048-straight-edge-carbon-fork%2Frp-prod106545&replacement=5292&url=https%3A%2F%2Fwww.google.co.uk%2Fsearch%3Fhl%3Den%26ei%3DoW7WWtWpFuebgAbG4bGQDA%26q%3DBMC%2BCarbon%2Bfork%26oq%3DBMC%2BCarbon%2Bfork%26gs_l%3Dpsy-ab.3..0j0i22i30k1.7400.7933.0.8178.5.5.0.0.0.0.205.398.1j1j1.3.0....0...1.1.64.psy-ab..2.3.398...0i22i10i30k1.0.qtLNgCu6_XE
    

    The place and subid query parameters are the same every time, I'm not sure about the rest.

There is another domain I've seen a few times which is r.srvtrck.com.

  2. Less frequently, I'll click a link on a site or on Google and be taken to a completely different site. Again, it seems to be done through a redirect domain first and often sends me to gambling sites with affiliate information included in the URL. An example would be sending me to https://mostmgb.com/?cid=85450330.

This only happens a small fraction of the time and I can't find any pattern with linked-to or linked-from sites.

I've run Malwarebytes and checked the extensions on both systems and can't track down the issue on either. HOSTS files on both systems are clean and I'm not being led through any proxies.

Turkeyphant
  • This sounds like malware... If it's the same on multiple computers, then it's probably the router that is infected. Have you tried connecting to the internet through some other connection, e.g. your mobile, and see if the problem persists? – Anders Apr 19 '18 at 11:39
  • Not noticed it on other computers nor from other users of the network. DNS on router seems fine and I haven't experienced it using other web browsers on the same devices. How else can routers get infected? FWIW, I have high entropy passwords on all my devices including the router admin panel. The thing about it being adware/malware/affiliateware is that I was surprised there were no comments regarding the domains in question from other users that I could find online. Since they seem to be using domains rather than IPs, could I not just HOSTS them to home too? – Turkeyphant Apr 19 '18 at 16:13
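
Added example (not part of the original question or its comments): a triage script for an exported list of visited URLs that flags click redirectors of the shape quoted in the question, recovers the real destination from the `href`/`url` parameters, and reports which tracking tags stay constant across hits, as the asker observed for `place` and `subid`. The history entries are constructed; only the first is taken from the question, with its long `url` value shortened, and `shop.example` is a placeholder host.

```python
from urllib.parse import urlsplit, parse_qs

# Parameters that carried an embedded URL in the redirect quoted in the question.
URL_PARAMS = ("href", "url")

# Constructed sample history. Entry 0 is the question's URL with its long
# Google "url" value shortened; the other entries are made up for illustration.
SAMPLE_HISTORY = [
    "https://datds.net/replacement/click?place=1234&subid=abcd1234"
    "&href=http%3A%2F%2Fwww.chainreactioncycles.com%2Fbmc-sl-048-straight-edge-carbon-fork%2Frp-prod106545"
    "&replacement=5292&url=https%3A%2F%2Fwww.google.co.uk%2Fsearch%3Fq%3DBMC%2BCarbon%2Bfork",
    "https://datds.net/replacement/click?place=1234&subid=abcd1234"
    "&href=https%3A%2F%2Fshop.example%2Fitem%2F42&replacement=6001",
    "https://shop.example/login?url=https%3A%2F%2Fshop.example%2Faccount",  # same-site, benign
    "https://www.chainreactioncycles.com/",
]

def unwrap_redirect(nav_url):
    """Return redirector details if nav_url wraps a URL on another host, else None."""
    parts = urlsplit(nav_url)
    query = parse_qs(parts.query)  # values come back percent-decoded
    embedded = {}
    for name in URL_PARAMS:
        for value in query.get(name, []):
            host = urlsplit(value).hostname
            if host and host != parts.hostname:
                embedded[name] = value
    if not embedded:
        return None
    tags = {k: v[0] for k, v in query.items() if k not in embedded}
    return {"redirector": parts.hostname, "embedded": embedded, "tags": tags}

def stable_tags(urls):
    """Per redirector host: hit count plus the tags whose value never changes."""
    seen = {}
    for url in urls:
        hit = unwrap_redirect(url)
        if hit is None:
            continue
        entry = seen.setdefault(hit["redirector"], {"count": 0, "tags": dict(hit["tags"])})
        entry["count"] += 1
        entry["tags"] = {k: v for k, v in entry["tags"].items() if hit["tags"].get(k) == v}
    return seen

if __name__ == "__main__":
    for host, info in stable_tags(SAMPLE_HISTORY).items():
        print(host, info["count"], info["tags"])
```

A redirect that does not embed the destination, such as the second example in the question, is not caught by this check and needs a hostname match instead.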

4 Answers

4

Well, your symptoms tell me that this should be a sort of adware program. I mean all these hijacked links and ending up on these random websites are certainly signs of an adware-like infection. It is one thing that Malwarebytes didn't find anything related to this. I wouldn't give up there. I would scan my system with Adwcleaner or any other free or trial version of reputable antimalware software you can trust. On top of all this, I would also reset my browser(s) on a just in case basis. I hope this makes sense and helps solve your issue.

PC4Life
  • How does resetting a browser like Chrome work when I am typically signed into a user account that replicates settings and extensions across devices? The thing about it being adware/malware/affiliateware is that I was surprised there were no comments regarding the domains in question from other users that I could find online. Since they seem to be using domains rather than IPs, could I not just HOSTS them to home too? – Turkeyphant Apr 19 '18 at 16:13
4

I had a similar thing happening, and realised that it was happening only when I had a particular Chrome extension enabled - one for downloading private Vimeo videos locked for download. Extension removed = problem solved.

  • Do you remember the name of the extension? Is it still on the chrome app store? – Turkeyphant Sep 11 '18 at 19:05
  • Sorry, I don't remember the name of the extension. Tried the vimeo download extensions currently available on the Chrome store just now, but couldn't recreate the issue. – alphavictor Sep 16 '18 at 20:17
  • In my case it seemed to be "Downloader for Instagram" that would inject URLs like r.svrtrck.com - haven't seen the rogue URL for an hour since removing. – Ekus Nov 25 '18 at 04:27
3

I'm 90% certain the guilty party was a Chrome extension for bulk downloading images. I have since removed it and can't remember exactly which one it was but I reported it to Google and assume it has been taken down now.

With dozens of extensions and with symptoms not happening massively frequently or predictably, it was obviously a slow process to work out which permutations of extensions caused the issue.

The worrying thing was adware software such as Malwarebytes and Adwcleaner didn't find anything related to this. And that it propagated to all my systems as Chrome accounts sync extensions.

Turkeyphant
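
Added example (not from the answer above): one way to shorten the search through dozens of extensions is to read each installed extension's `manifest.json` and list only those able to touch links on every site. It assumes Chrome's on-disk layout of `Extensions/<id>/<version>/manifest.json` inside the profile directory; the manifests, names and ids below are constructed, and a match shows capability, not guilt.

```python
import json
import tempfile
from pathlib import Path

BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
INTERCEPT = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}

# Constructed manifests keyed by made-up extension ids (not real extensions).
CONSTRUCTED = {
    "a" * 32: {"name": "Bulk image saver", "permissions": ["downloads", "webRequest", "<all_urls>"]},
    "b" * 32: {"name": "Notes", "manifest_version": 3, "permissions": ["storage"]},
    "c" * 32: {"name": "Video helper", "manifest_version": 3,
               "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"]}]},
}

def reasons(manifest):
    """List the ways this manifest lets an extension touch links on every site."""
    # Manifest V2 mixes host patterns into "permissions"; entries may be objects.
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = set(perms) | set(manifest.get("host_permissions", []))
    found = []
    if hosts & BROAD:
        found.append("host access to all sites")
    if set(perms) & INTERCEPT and hosts & BROAD:
        found.append("can intercept or redirect requests")
    scripts = manifest.get("content_scripts", [])
    if any(set(cs.get("matches", [])) & BROAD for cs in scripts):
        found.append("content script injected into every page")
    return found

def audit(ext_root):
    """Map extension id -> (name, reasons) for manifests under ext_root/<id>/<version>/."""
    report = {}
    for mf in sorted(Path(ext_root).glob("*/*/manifest.json")):
        manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        why = reasons(manifest)
        if why:
            report[mf.parent.parent.name] = (manifest.get("name", "?"), why)
    return report

def write_sample(root):
    """Lay CONSTRUCTED out the way Chrome does: <root>/<id>/<version>/manifest.json."""
    for ext_id, manifest in CONSTRUCTED.items():
        folder = Path(root) / ext_id / "1.0_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(write_sample(tmp)))
```

Because extensions sync with the Chrome account, the flagged set should be compared across every signed-in machine; names shown as `__MSG_...__` are localisation keys and need to be looked up by extension id.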
-1

I just removed half of my extensions and the problem was gone.

The issue is that some software may infect, or completely replace extensions you downloaded from the Chrome Web Store. Try to remove and reinstall extensions (especially remove extensions from random developers, I often found malware there).

If you are on Windows you can also run an adware removal tool (like AdwCleaner) so this will never happen.

Rory Alsop