Weird popup ads on sites that don't even load the ad

0

1

I have noticed weird popup ads appearing on pages which don't load those ads like daringfireball. The ad in question appears on the right side of the page over the web page intended to open.

Image showing the popup.

The scary part about the popup is that it's correctly identified my fixed line phone number and asks for entering mobile number and email address as shown in the page. On inspecting the URL of the iframe, it points to this address : "http://www.adphonso.com/testmtnl.php?CSID=99999999@mtnl". Here, MTNL is the name of my ISP and I have inserted the "99999999" in place of my actual phone number which is there in the URL.

The problem I am having seems very similar to the one described in this question. The difference is the popup from that question looked like a scam ad and also it didn't display any personally identifiable information like it does in my case. I visited the site adphonso.com and it looks like an ad network, so I think it's mining for information. Should I be scared as the only cause suggested in that question seems to be malware or can it be my ISP is injecting code in sites I visit(which should be illegal if that's the case). But, I don't install untrusted softwares and every application I download, I usually scan them from virustotal.com before installing. Also, I have Avast Antivirus running on my PC. The hosts file seems to be fine and I use Google DNS servers. I would have tried using the fix provided in that answer but it doesn't seem to work with Windows 8.1.

erosenin

Posted 2014-04-12T04:19:48.737

Reputation: 343

1Yes its entirely possible your ISP is injecting code into your websites. Does this happen on more then one website? – Ramhound – 2014-04-12T04:51:24.730

Yes, I have seen this popup appear on 3 different sites. – erosenin – 2014-04-12T04:54:37.230

@Ramhound You were right man, It seems my stupid ISP is indeed injecting code. After searching for a while found this : http://broadbandforum.co/topic/78432-mtnl-broadband-is-inserting-adphonso-powered-malware-on-all-customer-devices/

– erosenin – 2014-04-12T05:19:18.527

Answers

2

Explanation

After doing a bit of research and experimentation with the website and their services, this seems to be your ISP (MTNL) injecting the frame into your webpages. When you request a webpage, your ISP, instead of displaying the original page, it tampers with the HTML and inject an ad via the iframe element on to the page. This only happens if the webpage is unencrypted, so all SSL connections to website should remain intact. Your phone number is being provided to the Adphonso ad network by your ISP. So, you do have to worry about calls from telemarketers and such.

Solution

You can install adblock extension for chrome if you haven't done so already. If the ad doesn't automatically block it self, you can right click on the frame of the ad, and apply a rule to block it on every domain. Also go into the adblock options and in the Customize tab add these filters by clicking the edit button.

Add these websites:

adserver.adtech.de
203.94.243.40
http://adphonso.com/

Add these elements (sections):

iframe[id="bframe"]
div[id="bdiv"]

if you directly add the elements in the list be sure to add ## (two pound symbols) before each element.

For the another layer of protection and the best way to accomplish blocking all future ads by these websites, block the domain names for the ad websites from the router aswell.

This is not a solution per se, it only "avoids" the issue. I would complain/talk to the ISP about this.

10100111001

Posted 2014-04-12T04:19:48.737

Reputation: 1 664

Thanks for the solution. I stopped using AdBlock but looks like I will have to install it and will apply the solution.

Talking to the ISP is not going to be much helpful as they don't listen to complaints. The only reason people still stick with them is because of no FUP caps and good network ping response. – erosenin – 2014-04-12T05:35:18.680

Asked: 2014-04-12T04:19:48.737

Viewed: 771 times

Active: 2014-04-12T05:25:19.713