
Recently I have observed strange behaviour. At certain times, on certain web pages, if I click anywhere in the page a tab/popup opens with ads.

First I thought some Chrome extension might be doing it. Then I observed the same behaviour once or twice in the iPhone Safari browser, connected to the same WiFi network.

I couldn't figure out what might be the source of this malware.

Following is a screenshot of such adware. I am one of the developers of this site and there is no code which pops up this ad! I have also observed the same adware on the https://underscorejs.org/ website a few months ago.

Screenshot of Adware popup

EDIT 10 Aug 2018:

I found a few more details. I observed in Chrome dev tools that some special cookies are being set which track ad details.

Here are the cookie details:

Name: GL_GI2 
Content: eJw9i80KgkAYRafRLI2CC75GhiG67mcjymx8AJn0Q4bEGdRFvn2Z0e6ew7mMMe574MpgH4ZJcI6SIIyDKIbVkAZPBZyeGqU78OyC3bLLSteEdSqOH2dXapywyWT%2FlK2EO%2BMSeHPw05YaDOxrIXK4HY3lYIhquDf5aOl0L3Ic%2FvZ7dlbYqqE0vX5NDnsDnrkt2g%3D%3D
Domain: decademical.com
Expire: 2018-08-11T10:54:54.734Z


Name: GL_UI
Content: eJw9jb1ugzAYRYkJhDYK0pV4AB4hiesGxqpz1aFLN%2FSB7YQW%2BCLb%2FXv7Wh263HuGI50kSUS1RfpBCvWpsaRlK4%2BtHqy06mibZuhJ3Slr5EG1uBl9F6ifTFgj6x0teodsZm2mHTa94y9vXJVivdBskD9eHMfPZnpjB3F%2FijguEVd7CPZVWuYonmion1%2Fq17KAOOzL27gS2%2BtEwbKbu1HnAtnZkTZYPaAYKJgzux9stPHvga8AT7r79%2F%2FKKftv5Np8jkPMc7gY9wvOET7Q
Domain: decademical.com


Name: glx_pp_6922_201813106
Content: {"unload_time":1533898446,"loaded_time":1533898494,"click_num":1,"last_fired_time":1533898502,"last_fired_click_num":1,"pop_count":1}
Domain: actual server

On the second ad run:
{"unload_time":1533898845,"loaded_time":1533898494,"click_num":2,"last_fired_time":1533898811,"last_fired_click_num":2,"pop_count":2}

Ad link: http://eyelk.asikol.space/AwGN4beM8OWuzuKSlBpN9O-NZYk3UlcNaezbNeYqCieDHrHC_pbybl-LDimE9wNvfVGvWLLrDwMcjtoVTQbXswcsFIqiAn54oKkEVWFJndHO1A==?fgpymyn=AwHhIO8IaCOI49EVKpE8ks7a2hgiHREIaZ0kBxaUVREVagW40G9Zf-CoJ49EkB7rfkji4Vy2bFVx7vekUCU5lxGUO8cZaExCqtiXjJQZB9ri-McX3CKOthishYn_FgfwpanP9uYIPZEcvEcwKufTgD-xZigeUw1EvV5_Q_bJ6J7anbSK2uK3d11CKurZQlDNQeG0uuZDDBQ6q9JJOw58MOCZ8CiKYlcgI44UTOeAaDtIZnsTaKFi9pTzD3R1NTbO4s7Lhji55sL0Mo65qRKD7XBG

Anji
  • Besides WiFi hijack, this can be some sort of malvertisement that makes use of the tracking cookies (you mention "certain site certain page"). – mootmoot Aug 09 '18 at 14:15
  • What router are you using for your (I suppose) home network? I heard about some routers doing this. Can you check, if this behaviour can be observed on a device, which is capable of using a different internet access? If it continues, leave your home network and try using the other access method. Does it still continue? Just trying to locate the source. Something seems to intercept your traffic. Are HTTPS sites affected? – GxTruth Aug 10 '18 at 06:50
  • @GxTruth WiFi Router is TP-Link C20i and Modem is Gpon ONT. Sure, will try to see if this behaviour can be found in another network with the same device. I remember seeing this pop up in one of the HTTPS sites. – Anji Aug 10 '18 at 10:51
  • Maybe you just have the same malware on both your PC/laptop and iPhone? There are a lot of possibilities. As you see from the comments and answer, there is a lot of guesswork involved that doesn't really lead to a credible answer. – Tom K. Aug 10 '18 at 11:21
  • Looks like this cookie is getting set when I use internet from WiFi Router!!! Now reset the router? – Anji Aug 10 '18 at 11:29
  • @Anji Seeing this Popup on an HTTPS site (which did not send it itself, of course) indicates that something in your browser (--> your client-side device) is manipulating the content. As TLS is end-to-end encryption and verifies all content, your router cannot flip any bits without messing up the signature, thus triggering a giant red warning in your browser (or your device just dropping it for not being authentic). So malware (locally installed or as browser extension) is my best bet at this point. – GxTruth Aug 10 '18 at 11:30
  • @Anji Addressing your most recent comment: If your router causes this behaviour --> **remove** it from your network. If you got it from your provider (this is often the case where I live) ask them for an explanation of this malicious (which it is) behaviour. Get a different router from a well-known manufacturer. Assuming this is intended behaviour, resets will not work. If your router was attacked and infected, update it to the latest firmware after resetting it (instructions probably found in the manual). If this firmware is too old, replace the device. – GxTruth Aug 10 '18 at 11:34
  • @GxTruth Did power off and on of the WiFi router. After that, I am not getting Ads, nor are those cookies being set in my browser. Have to wait and see if it repeats. – Anji Aug 10 '18 at 12:24
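To triage a cookie jar for the kind of injected cookies listed in the question, here is an added example (not code from the post or from any party in it). It decodes values shaped like GL_GI2 / GL_UI, which are URL-encoded base64 of a zlib stream (the leading "eJ" is how the zlib 0x78 header byte base64-encodes), parses the glx_pp_* popup counters, and flags domains the user never visited. The cookie jar, the visited-domain list and the GL_GI2 blob are constructed for this example; only the names, domains and the glx_pp JSON come from the post.

```python
import base64
import json
import zlib
from urllib.parse import quote, unquote

# Domains the user actually browsed (constructed for this example).
VISITED = ["underscorejs.org"]


def decode_blob(value):
    """Decode a URL-encoded, base64, zlib-compressed cookie value (the shape
    of GL_GI2 / GL_UI above); return None if the value is not such a blob."""
    try:
        data = base64.b64decode(unquote(value), validate=True)
        return zlib.decompress(data).decode("utf-8", "replace")
    except (ValueError, zlib.error):
        return None


def encode_blob(text):
    """Inverse of decode_blob; used here only to build the constructed sample."""
    return quote(base64.b64encode(zlib.compress(text.encode())).decode(), safe="")


def pop_state(name, value):
    """Parse a glx_pp_* popup bookkeeping cookie; None for any other cookie."""
    if not name.startswith("glx_pp_"):
        return None
    try:
        state = json.loads(value)
    except ValueError:
        return None
    return state if isinstance(state, dict) and "pop_count" in state else None


def triage(cookies, visited):
    """cookies: iterable of (name, value, domain). A cookie is suspicious if its
    domain was never visited (third party) or it carries popup counters."""
    findings = []
    for name, value, domain in cookies:
        third_party = not any(domain == v or domain.endswith("." + v) for v in visited)
        state = pop_state(name, value)
        findings.append({
            "name": name, "domain": domain,
            "suspicious": third_party or state is not None,
            "decoded": decode_blob(value),
            "pop_count": state["pop_count"] if state else None,
        })
    return findings


# Constructed cookie jar: names and domains follow the post, the blob is made up.
SAMPLE_PLAINTEXT = '{"campaign":"constructed-sample","uid":42}'
SAMPLE_COOKIES = [
    ("GL_GI2", encode_blob(SAMPLE_PLAINTEXT), "decademical.com"),
    ("glx_pp_6922_201813106",
     '{"unload_time":1533898446,"loaded_time":1533898494,"click_num":1,'
     '"last_fired_time":1533898502,"last_fired_click_num":1,"pop_count":1}',
     "underscorejs.org"),
    ("sessionid", "abc123", "underscorejs.org"),  # ordinary first-party cookie
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_COOKIES, VISITED):
        print(finding)
```

Feeding it an exported cookie list from the browser's dev tools shows which entries are injected bookkeeping rather than the site's own cookies.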

2 Answers


I would suggest looking into your network configuration. That sounds like someone is intercepting your traffic. Maybe your DNS entry was changed by another user of the wifi. Check this by going into your router configuration and looking at whether your DNS server is something other than the router or your hosting provider. If you are not sure what your DNS name is, use 8.8.8.8 for testing purposes. This is the Google DNS server.

It seems that another PC or device routes you to these sites. Is the behavior the same on https sites, or are you always routed to http?

Cyberduck
  • I checked DNS. It points to 8.8.8.8 and 8.8.4.4. I am not always routed to HTTP. Usually, most sites I visit are HTTPS. I observed it on HTTPS as well at underscore.org. – Anji Aug 09 '18 at 13:18
  • Did you also check the DNS entry on your phone and PC? If you are using an iPhone, navigate to the WLAN settings and press the i next to your connected WLAN. Check if the DNS entry there is pointing to the same address as your router. – Cyberduck Aug 09 '18 at 13:20
  • iPhone is using the default DNS of the WiFi router, i.e. 8.8.8.8 / 8.8.4.4 – Anji Aug 10 '18 at 10:52
  • Try to use `tracert` in the Windows CMD and look at how the ping hops to another website. Use one website where the ad pops up. Especially look if it hops between your router and PC to another device. – Cyberduck Aug 10 '18 at 13:09

Anji you are probably living in India using BSNL. BSNL has this problem also listed on here. Block these two addresses by either:

Hosts Method:

Add these two lines in hosts file.

127.0.0.1 decademical.com
127.0.0.1 mutualvehemence.com

URL Filter Method

EDIT: Even Airtel has been affected by the same issue. Check here

demberto
  • can you edit your question to include these details? – schroeder Nov 26 '18 at 20:12
  • I'm also facing the same problem. If I keep a webpage idle for some time for reading, then click on any text selection, it opens a new ad tab. I'm on the BSNL network. So what is this thing called? Clickjacking? Or is the complete network of my ISP infected? – Abhigyan Feb 12 '19 at 14:00
  • Abhigyan, our ISP is knowingly doing this. You also get some BSNL Offer Banner sometimes. Now a new IP does this (instead of the ones I mentioned) and when I WHOIS this IP, it shows the address of some NS Cell BSNL Delhi. – demberto Feb 13 '19 at 16:52