9

Key Facts:

On 3 separate occasions, in the past 3 months, with 3 different Google search queries, I was redirected from the intended site to a malicious site. Always from a Google search using Firefox.

The redirect is not repeatable: doing the search again and clicking on the same link does not redirect. This is on a work computer, signed into a domain, on Windows 10.

I ran a Malwarebytes scan. All negative. No proxies, and the hosts file has no unknown entries.

Firefox Extensions

  • ADB Helper
  • Firefox Pioneer
  • LastPass

Firefox Plugins

  • Openh264 Codec
  • Widevine Content Decryption
  • Shockwave Flash (out of date, but also set to "Ask to activate")

More Details

As best I can tell from looking at my Firefox history, the redirects happened on about September 15, then again on Oct 30, and again today (Nov 8). Each redirect was through completely unrelated websites and unrelated searches. (I am excluding the searches and websites I clicked on, but will include them if requested). As far as I was able to tell, the sites were running different platforms, and a quick eyeball of the source didn't reveal any malicious code on these sites. Each redirect was to a similar site.

This is on a work computer, but we're a medium-small business without a truly dedicated IT team (I kind of serve as backup IT when the main guy is out). We haven't heard of any reports from other employees of problems, but in the way I experienced it, it's very easy to dismiss. Because if you get redirected, it's easy to assume you accidentally clicked the wrong link or the site you visited was hacked. And if you try to repeat your steps, you get to the site you were intending, so you assume you did something wrong. In any case, the primary IT guy here hasn't encountered the problem, so we believe it's my local machine but I don't know where to look now.

andyjv
  • As you can see in the inconsistent answers it is incredibly hard to give a good and helpful answer without more details - and probably a level of detail that would be out of scope for this site. If this is a work machine, you should probably inform tech support and let the IT guys figure out if this was caused by something on your machine or if it was caused by something that is outside of your control. – Tom K. Nov 09 '18 at 13:57

3 Answers

6

It appears you have been the victim of malvertising. Web sites often pull in all manner of third-party code from ad networks, and what ad gets displayed is determined by multiple algorithms which advertisers use to bid on access to your eyeballs. Even the most reputable sites can become unwitting accomplices to this skullduggery because they have no control over what ads the third-party networks serve them.

Your best defense against malvertising is keeping your system patched up-to-date and, where it doesn't break the site you are visiting, using an ad blocker.

Mike McManus
  • Not a bad thought, but of the three sites, only one had any kind of advertising. The other two were corporate sites, so they don't have ads. – andyjv Nov 09 '18 at 12:21
  • Also this implies I have really bad luck, which I guess isn't out of the question – andyjv Nov 09 '18 at 12:26
  • While malvertising is unlikely (for all of these cases at least), having an ad blocker is always a good idea for this reason. – Nosajimiki Nov 09 '18 at 16:09
2

That sounds a lot like a common website hack I've seen. I don't remember what it's called, but I've on more than one occasion been asked to clean up old websites that have been injected with a PHP redirect virus that only triggers when you hit the site from a Google Search. The reason they do this is so that when the system admin, site owner, etc. goes to it, they tend to navigate directly to the URL instead of searching for their own websites. So, if the owner does not see a problem, they won't try to fix it.

There is also a whole class of viruses that only sometimes and randomly do bad things to make them harder to track down; so, it could be an infected plugin in your browser doing that.

My suggestion is when you see this, try revisiting the site via Google, and not a direct link. If the same site redirects you from search results over and over again, then it's probably an infected website. If it's truly random, I'd look at unreputable browser plugins as the most likely culprit.

[edit]: N/M I see you said that you repeated the search to re-test. Have you tried uninstalling your plugins or just scanning them? It's possible that one contains a virus that simply isn't yet identified. Like I said, viruses that only sometimes misbehave tend to take a longer time for AV companies to isolate.

Nosajimiki
  • I updated my answer with my Firefox plugins. I don't have anything unusual installed in Firefox, so I'm not inclined to believe it's any rogue plugin in Firefox – andyjv Nov 09 '18 at 12:24
  • How reputable are the business sites that redirected you? If they are small business sites, I would not be surprised if a bit of bad luck + infected websites + malvertising added up to a perceived pattern. The only other explanation I could think of is a virus installed outside of your browser hijacking it, which you would hopefully be able to catch with a full-system virus scan. – Nosajimiki Nov 09 '18 at 16:08
  • When redirecting you the first time, the compromised site will place a cookie not to redirect you again, so you will need to access the webpage from a Google link after clearing cookies / from private mode / a different browser. – Ángel Sep 12 '19 at 22:40
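
Added example (not part of the answer or comments above): a defender-side check for the behaviour this answer and Ángel's comment describe, requesting a page twice with no cookies, once without a Referer and once with a Google Referer, and flagging an off-site redirect that appears only in the second case. It assumes the redirect is an HTTP 3xx with a `Location` header (a script-injected redirect needs a real browser to observe); the function names and sample responses are constructed for illustration.

```python
import http.client
import sys
from urllib.parse import urlsplit

GOOGLE_REFERER = "https://www.google.com/"  # Referer a click from a results page sends

def probe(url, referer=None, timeout=10):
    """One GET with no cookies and no redirect following; returns the raw answer."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    headers = {"User-Agent": "Mozilla/5.0"}  # constructed, minimal browser-like value
    if referer:
        headers["Referer"] = referer
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return {"status": resp.status, "location": resp.getheader("Location"),
                "set_cookie": resp.getheader("Set-Cookie")}
    finally:
        conn.close()

def off_site(url, location):
    """True when a redirect target names a different host than the page requested."""
    host = urlsplit(location or "").hostname
    return host is not None and host != urlsplit(url).hostname

def verdict(url, direct, from_search):
    """Flag a redirect that leaves the site only when the Google Referer is present."""
    conditional = (off_site(url, from_search["location"])
                   and from_search["location"] != direct["location"])
    return {"referer_conditional": conditional,
            "cookie_set_on_redirect": conditional and bool(from_search["set_cookie"])}

def compare(url):
    """Live check: two fresh, cookie-less requests that differ only in Referer."""
    return verdict(url, probe(url), probe(url, referer=GOOGLE_REFERER))

# Constructed sample responses (not captured from any real site).
SAMPLE_URL = "https://shop.example/"
SAMPLE_DIRECT = {"status": 200, "location": None, "set_cookie": None}
SAMPLE_SEARCH = {"status": 302, "location": "https://landing.example/",
                 "set_cookie": "seen=1; Path=/"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(compare(sys.argv[1]))
    else:
        print(verdict(SAMPLE_URL, SAMPLE_DIRECT, SAMPLE_SEARCH))
```

A `referer_conditional` result of `False` does not clear a site, since the check only sees what the server returns to this one pair of requests.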
1

Maybe some plugin/extension installed in Firefox is causing the issue. You can go to Firefox > Add-ons and verify whether any unknown plugins are enabled.