Members urged to be cautious of scammers sending pop-ups
...it's almost as if some member from that forum is infecting WP in an attempt to steal members away... ¬_¬
_________________
I'll brave the storm to come, for it surely looks like rain...
After a few days of AdblockPlus having no ads to block here, today it's saying it's blocking 10 ads here right now on this page, which is a forum page not supposed to be infected by the redirection malware previously described. Sadly it doesn't say what they are or anything else about them, it just counts them. But 10 is surely crazy high, something's not quite right. But what?
A week or so back, after the Trojan attack was detected on my computer (the attack was unsuccessful, identified and quarantined), I asked my anti-virus detection provider what that particular Trojan was, and they said that it looked like it could be related to Bitcoin attacks they had seen recently (could be, not was).
I don't know how it got access to attack my computer, so am not leaping to the conclusion that it was from here.
Probably. The server has a whole cornucopia of malware running in its memory.
Here's a list of what is running. Most are serving dodgy ads but some are a little more nefarious.
tags.us.onscroll.com
tags.expo9.onscroll.com
impl.us.onscroll.com
tags.bluekai.com
pixel.advertising.com
d.agkn.com
aa.agkn.com
dsum-sec.casalemedia.com
ssum-sec.casalemedia.com
simage2.pubmatic.com
image.pubmatic.com
image6.pubmatic.com
ads.stickyadstv.com
sync.adaptv.advertising.com
dpm.demdex.net
ib.adnxs.com
secure-us.imrworldwide.com
pixel.rubiconproject.com
ads.yahoo.com
us-u.openx.net
beacon.krxd.net
a.tribalfusion.com
cdnx.tribalfusion.com
Once this malicious program is installed, whenever you browse the Internet, an ad from ads.stickyadstv.com will randomly pop up.
These ads are aimed to promote the installation of additional questionable content including web browser toolbars, optimization utilities and other products, all so the adware publisher can generate pay-per-click revenue.
When infected with this adware program, other common symptoms include:
Advertising banners are injected into the web pages that you are visiting.
Random web page text is turned into hyperlinks.
Browser popups appear which recommend fake updates or other software.
Other unwanted adware programs might get installed without the user's knowledge.
In addition, hackers programmed this illegal website to make profits from the execution of malicious functions. Further, this nasty threat will also inject pay-per-click download links as well as sponsored links into the currently visited page, which causes the unexpected redirection and helps cybercriminals earn money online from these redirects.
Actions Performed By dsum-sec.casalemedia.com:
As soon as dsum-sec.casalemedia.com manages to settle in, it will start to execute malicious functions inside the computer. After that, this terrible browser hijacker will apply some malicious modifications to the system as well as to its installed programs and make their performance sluggish.
Moreover, this threat also messes with the browser and injects JavaScript code into it to take control over it, and frequently changes the web browser's default search engine and homepage to an unknown domain.
Ib.adnxs.com virus is associated with a couple of domains that display ads or trigger redirects to third-party websites:
nym1.ib.adnxs.com;
lax1.ib.adnxs.com;
m.adnxs.com;
adnxs.com.
The main purpose of the Ib.adnxs.com redirect virus is to drive traffic to specific websites. Website owners might want to increase their sales, promote products or services, or install malware or spyware on your computer.
Once this malicious program is installed, whenever you browse the Internet, unwanted advertisements will pop up on web pages that you visit. These ads are aimed to promote the installation of additional questionable content including web browser toolbars, optimization utilities and other products, all so the adware publisher can generate pay-per-click revenue.
You may also see in the browser status bar the following messages: “Waiting for D.agkn.com”, “Transferring data from D.agkn.com”, “Looking up D.agkn.com”, “Read D.agkn.com”, “Connected to D.agkn.com”.
When infected with this adware program, other common symptoms include:
Advertising banners are injected into the web pages that you are visiting.
Random web page text is turned into hyperlinks.
Browser popups appear which recommend fake updates or other software.
Other unwanted adware programs might get installed without the user’s knowledge.
This time for me it wasn't even an ad problem. In Firefox my WP session showed I was logged out and when I clicked the prompt to log in, a new window was launched which in turn launched a bogus two-field prompt for username and password, with the message: "http://hehad-hung.tk is requesting your username and password. The site says: “Security Update Error 0xB1983959 Help Desk: 888-448-0218 (TOLL-FREE)”
Being a .tk domain, it was clearly not WrongPlanet. When I closed the pop-up there was a series of "security warning" screens. It appears to be phishing malware trying to steal usernames and passwords.
I tried disabling AdBlock Plus for this site, and was surprised to find that no ads happened. Some of the "blocked ads" turned out to be user avatars (I vaguely recall tweaking ABP a year or two ago, to block certain flashy avatars that were distracting me). It didn't fully account for the high numbers, so I guess either something else (Firefox?) also blocks them, or ABP is lying about how effective it is, in order to persuade users to donate money to it. Anyway, it was a red herring.
All of which makes it a scary thing when WP unexpectedly logs me out - I always check the "keep me logged in" box but its effect doesn't usually last more than a few days. But I've not seen any .tk domains or anything else about the login screen here that looks dodgy.
If I didn't have a complete backup/restore facility, I'd probably not visit WP. And most users probably don't have a complete backup/restore facility.
Soliloquist, thanks for the list. Where would those nuisances be stored, usually, on cookies, cache or elsewhere?
The domain names are set up by a packed and encrypted script that has been injected in various pages on the server.
This shows that the majority of those malware domains are active.
All the Google references apart from googleads4.g.doubleclick.net are the legitimate ads for the site.
wrongplanet.net 290,690
pagead2.googlesyndication.com 185,132
code.jquery.com 142,490
s0.2mdn.net 104,283
tpc.googlesyndication.com 92,357
securepubads.g.doubleclick.net 86,236
fonts.gstatic.com 29,575
googleads.g.doubleclick.net 22,335
http://www.googletagservices.com 22,328
a.tribalfusion.com 21,995
impl.us.onscroll.com 16,870
ad.doubleclick.net 15,322
http://www.google-analytics.com 15,139
tags.expo9.exponential.com 14,279
tags.us.onscroll.com 10,518
cdnx.tribalfusion.com 10,246
edge.quantserve.com 5,141
fonts.googleapis.com 3,519
cm.g.doubleclick.net 955
ssum-sec.casalemedia.com 866
pixel.rubiconproject.com 829
ib.adnxs.com 727
adservice.google.com 633
image6.pubmatic.com 561
rules.quantcount.com 484
pixel.quantserve.com 474
pixel.advertising.com 456
beacon.krxd.net 453
simage2.pubmatic.com 403
secure-us.imrworldwide.com 402
us-u.openx.net 317
http://www.google.com 266
dsum-sec.casalemedia.com 255
googleads4.g.doubleclick.net 153
ads.yahoo.com 120
sync.adaptv.advertising.com 0
tags.bluekai.com 0
aa.agkn.com 0
d.agkn.com 0
s.tribalfusion.com 0
ads.stickyadstv.com 0
dpm.demdex.net 0
If you are still not getting any response from the owner of the site maybe someone should contact the hosting company. Sliqua Enterprise Hosting
The Executive Vice President Joe Cooter is also a member here memberlist.php?mode=viewprofile&u=33172
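The request-count table above is the kind of inventory a reader can build for themselves to see which third-party hosts a page is really pulling in. The script below is an added example for this thread, not code posted by any member of it: it takes a plain list of request URLs (exported from the browser's network panel, a HAR file or a proxy log), counts requests per host, and lists the hosts that are not on an expected list for the site. Both the expected-host set and the request sample are constructed for the example; the sample deliberately includes a few of the hosts named earlier in the thread.

```python
"""Count requests per host and flag hosts not expected for the site.

Added example; the EXPECTED_HOSTS set and SAMPLE_REQUESTS log are
constructed for illustration, not taken from real traffic.
"""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Hosts the site is expected to contact: the first party plus the ad
# and CDN hosts the thread treats as legitimate. Assumption for the
# example; build your own from a clean session of the site.
EXPECTED_HOSTS: Set[str] = {
    "wrongplanet.net",
    "pagead2.googlesyndication.com",
    "tpc.googlesyndication.com",
    "securepubads.g.doubleclick.net",
    "code.jquery.com",
    "fonts.gstatic.com",
    "www.google-analytics.com",
}

# Constructed request log, one URL per line (not real traffic).
SAMPLE_REQUESTS = """\
https://wrongplanet.net/index.php
https://wrongplanet.net/viewtopic.php?t=1
https://wrongplanet.net/images/avatar.png
https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
https://pagead2.googlesyndication.com/pagead/show_ads.js
https://code.jquery.com/jquery-1.12.4.min.js
https://ib.adnxs.com/getuid
https://ib.adnxs.com/ttj?id=1
http://ads.stickyadstv.com/vast/pop
http://hehad-hung.tk/login
https://fonts.gstatic.com/s/roboto.woff2
not a url line
"""


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased host of an http(s) URL, or None for
    anything that is not one (blank lines, other schemes, junk)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def count_hosts(log_text: str) -> Counter:
    """Count requests per host over a newline-separated list of URLs."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        host = host_of(line)
        if host:
            counts[host] += 1
    return counts


def unexpected_hosts(counts: Dict[str, int],
                     expected: Set[str] = EXPECTED_HOSTS) -> List[Tuple[str, int]]:
    """Hosts absent from the expected set, most frequent first.
    Matching is exact on purpose: the thread notes that one doubleclick
    subdomain was rogue while its siblings were the site's own ads, so
    whitelisting a whole parent domain would hide exactly that case."""
    extra = [(h, n) for h, n in counts.items() if h not in expected]
    return sorted(extra, key=lambda hn: (-hn[1], hn[0]))


if __name__ == "__main__":
    totals = count_hosts(SAMPLE_REQUESTS)
    for host, n in totals.most_common():
        flag = "" if host in EXPECTED_HOSTS else "  <-- not expected"
        print(f"{host:40s} {n:6d}{flag}")
```

Feed it a real export and the flagged rows are the hosts to look into; a zero-count row in the thread's table (a host referenced by the injected script but never actually fetched) would simply not appear here, which is why comparing against the page's own script references, as the poster did, is still worth doing separately.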