Advertisement suddenly appearing on top of almost every page

8

2

Since this morning, strange advertisements have been appearing on top of many pages I open in a web browser (see screenshot at the end). It's happening in any browser (tested FF, IE and Chrome), on any of three machines in our household, even on an iPhone (no matter whether connected to Wi-Fi or a cellular network [not true in the end, see my answer]). Even on a Debian system run in VMware.

Sometimes the ads do not appear in Firefox, but appear in IE. Sometimes they do not appear on the iPhone when connected to cellular, but appear when connected to Wi-Fi. But mostly they appear in any case. On some pages the issue corrupts the page rendering.

The advertisement is identical in every case: the same three banners, except for the Amazon banner, which changes the product. On the iPhone the Amazon banner does not load. On some pages the set of ads repeats two or more times.

Some of the pages the problem is happening with:

  • superuser.com (any SE site)
  • instagram.com
  • pinterest.com
  • ask.com (ads appear twice)
  • bbc.com

Not happening on:

  • google.com
  • linkedin.com
  • youtube.com
  • cnn.com
  • microsoft.com

(though the lists can be affected by the random component of the problem).

The ads are rendered by HTML code injected just after the opening <body> tag. The code is not present in the HTML itself, but I can see it when inspecting the page in browser dev tools (e.g. the Inspector tool in Firefox), so it's likely generated by some JavaScript. The code is attached at the end of this post. Once the page renders, the browser starts connecting to 85.25.138.211.

I do not have any unwanted plugins in the browser(s), nor have I identified any adware/malware on my machine(s). I didn't even expect that, as the problem occurs on the iPhone too.

It feels like I got hacked. But I cannot imagine how such a hack would work, since it affects different systems (Windows, iOS, Debian). I considered the router having been hacked, but that also does not seem likely, as the issue persists even when I disconnect the iPhone from Wi-Fi. I considered that someone exploited some bug in a JavaScript library that all the affected pages share. But in that case the issue would be widespread, not just happening to me. And I was not able to find any report of such a problem by anyone else [not true in the end, see my answer].

Does anyone have any idea why this is happening?

(screenshot of the injected ads)

<body class="user-page new-topbar" lang="">

    <div align="center">
        <a title="wygladzanie zmarszczek" rel="nofollow" href="http://track.impreskin.pl/product/ImpreSkin/?uid=21002&pid=153&bid=1659">
            <img alt="wygladzanie zmarszczek" src="http://track.impreskin.pl/banner/?uid=21002&pid=153&bid=1659"></img>
        </a>
    </div>
    <div align="center">
        <iframe width="728" height="90" frameborder="0" style="border:none;" marginwidth="0" border="0" scrolling="no" src="http://rcm-na.amazon-adsystem.com/e/cm?t=hsiang-20&o=1&p=48&l=ur1&category=electronicsrot&f=ifr&linkID=BXR7UA243P4D75JE">
            #document
                <html>
                    <head></head>
                    <body>
                        <div id="wrap">
                            <object width="728" height="90" align="middle" codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000">
                                <!--

                                 Tags used by MSIE Rendering engine 

                                -->
                                <param value="http://ecx.images-amazon.com/images/G/01/associates/2011/ban…vacyTarget=_top&privacyURL=http://www.amazon.com/gp/dra/info" name="movie"></param>
                                <param value="high" name="quality"></param>
                                <param value="transparent" name="wmode"></param>
                                <param value="#FFFFFF" name="bgcolor"></param>
                                <param value="all" name="allowNetworking"></param>
                                <param value="always" name="allowScriptAccess"></param>
                                <!--

                                 Tags used by Mozilla Rendering engine

                                -->
                                <embed width="728" height="90" pluginspage="https://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" allowscriptaccess="always" allownetworking="all" bgcolor="#FFFFFF" wmode="transparent" quality="high" src="http://ecx.images-amazon.com/images/G/01/associates/2011/ban…vacyTarget=_top&privacyURL=http://www.amazon.com/gp/dra/info"></embed>
                            </object>
                        </div>
                        <script></script>
                    </body>
                </html>
                <!--

                 autogen flash template V 0.1311154052 

                -->
        </iframe>
    </div>
    <div align="center">
        <!--

         default 

        -->
        <div id="ca-block-2228" class="ca-block"></div>
    </div>

Martin Prikryl

Posted 2014-10-26T21:15:18.067

Reputation: 13 764

Answers

11

After many tests, I've realized that the problem was happening on the cellular network only because of caching. After clearing the cache (Clear History and Website Data) and refreshing, the problem went away. And it reappeared only after connecting back to the Wi-Fi.

This made it obvious that the problem is due to a compromised router, an Edimax AR-7265WNB. Resetting the router to the factory settings and re-configuring it fixed the problem.

I did not find a newer version of the router firmware than the one I have (FwVer:3.10.16.0_TC3085 HwVer:T14.F7_3.0). Though I've found that the firewall on the router was off. Actually the router reset itself a few weeks back. When reconfiguring it, I probably forgot to enable the firewall (actually I would expect the firewall to be on by default).

The problem seems worldwide now (other reports here and here; some others were deleted), contrary to my claim in the question. That would suggest remote exploitation of some router vulnerability (supported by the firewall issue), rather than local hacking into the Wi-Fi. The others report different types of routers (D-Link DSL-2600U, TP-Link), so the issue is not specific to the Edimax.

The other reports mention that DNS or proxy settings were modified. I did not check this before resetting my router. But it is possible that my router was modified this way, as the firewall was off. It also explains injecting code into any page without the need for any router-specific exploit. So the attacker possibly scans the internet for any unsecured routers and simply configures them to point to the attacker's proxy.

Martin Prikryl

Posted 2014-10-26T21:15:18.067

Reputation: 13 764

Which router? Had you updated the firmware to the most recent version? – K7AAY – 2014-10-26T22:31:08.573
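The accepted answer's conclusion is that a proxy configured on the router was prepending ad markup to every page right after the opening <body> tag. The following Python script is an added example (not code from the question or any answer) of how a defender can confirm that kind of tampering offline: it takes a copy of a page as served on the suspect network and a clean reference copy (fetched, for instance, over a different connection), isolates whatever was prepended to the body, and lists the third-party hosts that block pulls in. The sample pages below are constructed, and `example.com` with its `cdn.example.com` asset host are assumptions standing in for a real site.

```python
import re
from urllib.parse import urlsplit

# Constructed sample pages (not captured traffic): a clean reference copy of a
# page, and the same page as served through a tampering proxy that prepends ad
# markup to <body>, modelled on the snippet posted in the question.
REFERENCE_HTML = """<!DOCTYPE html><html><head><title>demo</title></head>
<body class="user-page">
<div id="content"><p>Hello from example.com</p></div>
<script src="https://cdn.example.com/app.js"></script>
</body></html>"""

INJECTED_MARKUP = """
    <div align="center">
        <a rel="nofollow" href="http://track.impreskin.pl/product/ImpreSkin/?uid=21002&pid=153&bid=1659">
            <img src="http://track.impreskin.pl/banner/?uid=21002&pid=153&bid=1659">
        </a>
    </div>
    <div align="center">
        <iframe src="http://rcm-na.amazon-adsystem.com/e/cm?t=hsiang-20&o=1"></iframe>
    </div>"""

SERVED_HTML = REFERENCE_HTML.replace(
    '<body class="user-page">', '<body class="user-page">' + INJECTED_MARKUP, 1)

BODY_RE = re.compile(r"<body\b[^>]*>", re.IGNORECASE)
URL_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def _after_body(html):
    """Everything that follows the opening <body ...> tag."""
    match = BODY_RE.search(html)
    if not match:
        raise ValueError("no <body> tag found")
    return html[match.end():]


def injected_block(served_html, reference_html):
    """Markup present right after <body> in the served page but absent from the
    reference, or '' when the two bodies match. Assumes the tampering only
    prepends to the body, which is what the question's dev-tools dump shows."""
    served = _after_body(served_html)
    reference = _after_body(reference_html)
    if served == reference:
        return ""
    if served.endswith(reference):
        return served[: len(served) - len(reference)]
    raise ValueError("pages differ beyond a prefix after <body>; compare by hand")


def foreign_hosts(markup, page_host):
    """Hosts referenced by src/href that are not the page's own host or a subdomain of it."""
    hosts = set()
    for url in URL_RE.findall(markup):
        host = urlsplit(url).hostname
        if host and host != page_host and not host.endswith("." + page_host):
            hosts.add(host)
    return sorted(hosts)


def check_page(served_html, reference_html, page_host):
    """Summarise what the served copy adds over the reference and which outside hosts it loads."""
    extra = injected_block(served_html, reference_html)
    return {
        "injected": bool(extra),
        "foreign_hosts": foreign_hosts(extra, page_host),
        "markup": extra,
    }


if __name__ == "__main__":
    report = check_page(SERVED_HTML, REFERENCE_HTML, "example.com")
    print("injected:", report["injected"])
    print("third-party hosts in injected block:", ", ".join(report["foreign_hosts"]))
```

The prefix check is deliberately strict: if the served copy differs anywhere other than immediately after <body>, the script refuses to guess and asks for a manual diff, because a proxy that rewrites scripts or links elsewhere in the page needs a closer look than a list of ad hosts. Fetching the two copies from the same device over the suspect Wi-Fi and over a cellular connection (with caches cleared, as the answer found necessary) gives the inputs.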

1

I noticed about 2 days ago that I was getting the exact same ads across multiple devices (laptop, Android smartphone and Nexus 7). When I clear all the browser caches and connect to a cellular network the ads stop, but once I connect to the Wi-Fi they come back.

I ended up switching the DNS server on all of my connections to Google's 8.8.8.8 and the ads stopped coming back on every device.

So either the router or the ISP's DNS server is compromised, is my best guess.

edit: Same as How can I remove unwanted ads on top of sites?

Diogo

Posted 2014-10-26T21:15:18.067

Reputation: 11

1 – What router are you using? – Martin Prikryl – 2014-10-29T07:10:11.767

0

You've most likely got some spyware (very easy to accidentally download, but usually fairly easy to remove, if you know what to do).

You will need to download a more powerful uninstaller; Windows uninstall will not remove it.

Download IObit Uninstaller. Now you will have to go through every file (in IObit) and identify what programs you don't recognise or seem 'fishy'; a quick Google search (if unsure) will reveal if it's malware.

You can also select batch uninstall (top-right option in IObit), which lets you select multiple programs to uninstall, and of course, let it do a deep scan and remove everything it finds.

benscabbia

Posted 2014-10-26T21:15:18.067

Reputation: 370

1 – Thanks for your answer. Would that explain the issue happening on iPhone and Debian? – Martin Prikryl – 2014-10-26T21:24:02.367

1 – No. If it is happening on your iPhone and Debian system, your router (specifically your router's DNS settings) may have been compromised. Perform a factory reset. And when you set it up again, SET A PASSWORD ON IT so that rogue software on your computer can't automatically reconfigure it. – Jeremy Visser – 2014-10-26T21:26:08.220

@JeremyVisser But it's happening even if I disconnect iPhone from Wi-Fi. – Martin Prikryl – 2014-10-26T21:27:50.210

1 – You don't need IOBIT software to remove something like this; the normal add/remove programs will do exactly what IOBITUninstaller does despite its claims otherwise. IOBIT is snake oil, don't trust it. – Ramhound – 2014-10-26T21:27:59.977

@MartinPrikryl I'm not sure how it would have got on your iPhone, except if you're logged in on all devices and using Chrome or something. But try the fix above (also on Chrome, install AdBlock and see if that solves the issue). If not, keep checking that you recognise ALL software on your PC and if still no luck, install and run the (free version of) Malwarebytes; between the two, you will hopefully find the issue.

– benscabbia – 2014-10-26T21:28:25.273

@Ramhound I couldn't disagree with you more. I work for an IT company and we use it ALL the time. It gets rid of malware that's deeply buried across the registry. It's a wonderful piece of software that I have installed on all of mine and clients' machines. And you obviously have never experienced a persistent virus; you should know that the Windows uninstaller will fail to remove anything persistent. – benscabbia – 2014-10-26T21:29:49.980

@MartinPrikryl Then you should also check your browser proxy settings. Failing that, wipe your phone. Seriously, unless you spend a bit of brain power trying to narrow down what is going on, eventually you will be claiming this is happening to everybody, which it is clearly not. – Jeremy Visser – 2014-10-26T21:31:13.140

@JeremyVisser Thanks for the hint. There's no proxy settings on iPhone when connected over cellular network, right? – Martin Prikryl – 2014-10-26T21:35:02.540

@gudthing I did not find any suspicious software in IOBITUninstaller. And even if I did, it would not explain the extent of the problem anyway. – Martin Prikryl – 2014-10-26T21:37:25.577

@MartinPrikryl I think there's an option to use a proxy but by default it should be turned off (double check though).

Regarding your latest answer, there could be a piece of software that was downloaded which opened a gateway/port for some malware/hacker.

Probably worth checking your router settings: check that your ports (under port forwarding) are all closed. Also check all the connected devices (on the router) and ensure you recognise all the devices. And it might be worth a factory reset on the router (setting a new password). – benscabbia – 2014-10-26T21:42:09.583

After many tests, I've realized that the problem was happening on the cellular network only because of caching. After some time of being connected to the cellular network and keeping refreshing, the problem went away. And it reappeared only after connecting back to the Wi-Fi.

This made it obvious that the problem is due to a compromised router. Resetting it back to factory settings fixed it. Thanks for all the hints! – Martin Prikryl – 2014-10-26T22:38:04.593

@MartinPrikryl great to hear Martin! Can be difficult to identify the issue but I'm glad your persistence paid off! – benscabbia – 2014-10-26T22:39:55.303