Members urged to be cautious of scammers sending pop-ups


SabbraCadabra
Veteran

Joined: 21 Apr 2008
Age: 41
Gender: Male
Posts: 7,797
Location: Michigan

03 Apr 2018, 8:16 am

EzraS wrote:
Maybe we should all transfer to AspieCentral so we can have a forum that works properly.

...it's almost as if some member from that forum is infecting WP in an attempt to steal members away... ¬_¬


_________________
I'll brave the storm to come, for it surely looks like rain...


EzraS
Veteran

Joined: 24 Sep 2013
Gender: Male
Posts: 27,828
Location: Twin Peaks

04 Apr 2018, 3:58 am

SabbraCadabra wrote:
EzraS wrote:
Maybe we should all transfer to AspieCentral so we can have a forum that works properly.

...it's almost as if some member from that forum is infecting WP in an attempt to steal members away... ¬_¬


Have been advised by Kremlin to say no comment.



ToughDiamond
Veteran

Joined: 15 Sep 2008
Age: 72
Gender: Male
Posts: 14,501

04 Apr 2018, 10:39 am

After a few days of AdblockPlus having no ads to block here, today it's saying it's blocking 10 ads here right now on this page, which is a forum page not supposed to be infected by the redirection malware previously described. Sadly it doesn't say what they are or anything else about them, it just counts them. But 10 is surely crazy high, something's not quite right. But what?



B19
Veteran

Joined: 11 Jan 2013
Gender: Female
Posts: 9,993
Location: New Zealand

04 Apr 2018, 2:37 pm

A week or so back, after the Trojan attack was detected on my computer, (the attack was unsuccessful, identified and quarantined) I asked my anti-virus detection provider what that particular Trojan was, and they said that it looked like it could be related to Bitcoin attacks they had seen recently (could be, not was).

I don't know how it got access to attack my computer, so am not leaping to the conclusion that it was from here.



Soliloquist
Velociraptor

Joined: 13 Oct 2011
Age: 57
Gender: Male
Posts: 467

05 Apr 2018, 12:22 pm

B19 wrote:
A week or so back, after the Trojan attack was detected on my computer, (the attack was unsuccessful, identified and quarantined) I asked my anti-virus detection provider what that particular Trojan was, and they said that it looked like it could be related to Bitcoin attacks they had seen recently (could be, not was).

I don't know how it got access to attack my computer, so am not leaping to the conclusion that it was from here.


Probably. The server has a whole cornucopia of malware running in its memory.

Here's a list of what is running. Most are serving dodgy ads but some are a little more nefarious.

ags.us.onscroll.com
tags.expo9.onscroll.com
impl.us.onscroll.com
tags.bluekai.com
pixel.advertising.com
d.agkn.com
aa.agkn.com
dsum-sec.casalemedia.com
ssum-sec.casalemedia.com
simage2.pubmatic.com
image.pubmatic.com
image6.pubmatic.com
ads.stickyadstv.com
sync.adaptv.advertising.com
dpm.demdex.net
aa.agkn.com
ib.adnxs.com
secure-us.imrworldwide.com
pixel.rubiconproject.com
ads.yahoo.com
us-u.openx.net
beacon.krxd.Net
a.tribalfusion.com
cdnx.tribalfusion.com


Quote:
ads.stickyadstv.com redirect is usually caused by adware installed on your computer. These adware programs are bundled with other free software that you download off of the Internet. Unfortunately, some free downloads do not adequately disclose that other software will also be installed and you may find that you have installed adware without your knowledge.

Once this malicious program is installed, whenever you browse the Internet, an ad from ads.stickyadstv.com will randomly pop up.
These ads are aimed at promoting the installation of additional questionable content including web browser toolbars, optimization utilities and other products, all so the adware publisher can generate pay-per-click revenue.

When infected with this adware program, other common symptoms include:

Advertising banners are injected into the web pages that you are visiting.
Random web page text is turned into hyperlinks.
Browser popups appear which recommend fake updates or other software.
Other unwanted adware programs might get installed without the user’s knowledge.


Quote:
dsum-sec.casalemedia.com is a malicious browser hijacker infection. It was created with the main intention of manipulating Internet users to obtain their confidential data. In order to collect information, it will keep promoting phishing pop-ups in front of users and convince them to click on them.
In addition, hackers programmed this illegal website to make profits from the execution of malicious functions. Further, this nasty threat will also inject pay-per-click based download links as well as sponsor links inside the currently visited page, which causes the unexpected redirection and helps cybercriminals earn online from these redirects.

Actions Performed By dsum-sec.casalemedia.com:
As soon as dsum-sec.casalemedia.com manages to settle, it will start to execute malicious functions inside the computer. After that, this terrible browser hijacker will apply some malicious modifications to the system as well as its installed programs and make their performance sluggish.

Moreover, this threat also messes with the browser and injects JavaScript code into it to take control over it, and frequently changes the web browser's default search engine and homepage to an unknown domain.


Quote:
Once the AA.AGKN.COM redirection happens to be on your PC, it will be able to display on various sorts of commonly used browsers, including Microsoft Edge, Google Chrome, Internet Explorer, Mozilla Firefox and even Safari. It will rob your enrollment data and security ID so that it can get free access to any of your bank accounts. Also, the dazzling links attached to the ads will bring you more freeware or other adware which will waste your resources. As a result, you lose both money and PC.


Quote:
TribalFusion is a spyware tracking cookie that installs on your computer and tracks your browsing habits; it sends the information to its main server and other third-party advertisers. It gathers potentially sensitive information such as email addresses, usernames, where you shop and how many times you shop, and it exposes this information to others. TribalFusion tracking cookies can be removed manually or using a powerful anti-virus program with spyware removal. This ensures that vital information remains protected.


Quote:
The simple explanation of what ib.adnxs.com is: it’s a potentially unwanted program (PUP) which is used for shady advertising. On the affected machine, adware might display misleading pop-ups, banners, ads, in-text ads and similar commercial content which diminishes the browsing experience.

Ib.adnxs.com virus is associated with a couple of domains that display ads or trigger redirects to third-party websites:

nym1.ib.adnxs.com;
lax1.ib.adnxs.com;
m.adnxs.com;
adnxs.com.
The main purpose of the Ib.adnxs.com redirect virus is to drive traffic to specific websites. Website owners might want to increase their sales, promote products or services, or install malware or spyware on your computer.


Quote:
D.agkn.com redirect is usually caused by adware installed on your computer. These adware programs are bundled with other free software that you download off of the Internet. Unfortunately, some free downloads do not adequately disclose that other software will also be installed and you may find that you have installed adware without your knowledge.

Once this malicious program is installed, whenever you browse the Internet, unwanted advertisements will pop up on web pages that you visit. These ads are aimed at promoting the installation of additional questionable content including web browser toolbars, optimization utilities and other products, all so the adware publisher can generate pay-per-click revenue.

You may also see in the browser status bar the following messages: “Waiting for D.agkn.com”, “Transferring data from D.agkn.com”, “Looking up D.agkn.com”, “Read D.agkn.com”, “Connected to D.agkn.com”.

When infected with this adware program, other common symptoms include:

Advertising banners are injected into the web pages that you are visiting.
Random web page text is turned into hyperlinks.
Browser popups appear which recommend fake updates or other software.
Other unwanted adware programs might get installed without the user’s knowledge.


Quote:
Tags.bluekai.com has been assigned to the potentially unwanted program (PUP) and “adware” after computer users have started complaining about its performance. According to them, ads and drop-down boxes, which are related to this service, continue appearing on certain domains and block the entrance to them.


Quote:
beacon.krxd.net - a hostname that is an indicator of compromise, commonly used as a target for communicating with malware, hosting malware, or serving as a vector for attacking targets in watering hole attacks. Malicious hostnames may exist within non-malicious domains.



EyeDash
Deinonychus

Joined: 14 Nov 2013
Age: 67
Gender: Male
Posts: 328
Location: Colorado

05 Apr 2018, 7:00 pm

This time for me it wasn't even an ad problem. In Firefox my WP session showed I was logged out and when I clicked the prompt to log in, a new window was launched which in turn launched a bogus two-field prompt for username and password, with the message: "http://hehad-hung.tk is requesting your username and password. The site says: “Security Update Error 0xB1983959 Help Desk: 888-448-0218 (TOLL-FREE)”"

Being a .tk domain, it was clearly not WrongPlanet. When I closed the pop-up there was a series of "security warning" screens. It appears to be phishing malware trying to steal usernames and passwords.



B19
Veteran

Joined: 11 Jan 2013
Gender: Female
Posts: 9,993
Location: New Zealand

05 Apr 2018, 7:03 pm

:(


Soliloquist, thanks for the list. Where would those nuisances be stored, usually, on cookies, cache or elsewhere?



ToughDiamond
Veteran

Joined: 15 Sep 2008
Age: 72
Gender: Male
Posts: 14,501

06 Apr 2018, 5:55 am

EyeDash wrote:
This time for me it wasn't even an ad problem.

I tried disabling AdBlock Plus for this site, and was surprised to find that no ads happened. Some of the "blocked ads" turned out to be user avatars (I vaguely recall tweaking ABP a year or two ago, to block certain flashy avatars that were distracting me). It didn't fully account for the high numbers, so I guess either something else (Firefox?) also blocks them, or ABP is lying about how effective it is, in order to persuade users to donate money to it. Anyway, it was a red herring.

Quote:
In Firefox my WP session showed I was logged out and when I clicked the prompt to log in, a new window was launched which in turn launched a bogus two-field prompt for username and password, with the message: "http://hehad-hung.tk is requesting your username and password. The site says: “Security Update Error 0xB1983959 Help Desk: 888-448-0218 (TOLL-FREE)”"

Being a .tk domain, it was clearly not WrongPlanet. When I closed the pop-up there was a series of "security warning" screens. It appears to be phishing malware trying to steal usernames and passwords.

All of which makes it a scary thing when WP unexpectedly logs me out - I always check the "keep me logged in" box but its effect doesn't usually last more than a few days. But I've not seen any .tk domains or anything else about the login screen here that looks dodgy.

If I didn't have a complete backup/restore facility, I'd probably not visit WP. And most users probably don't have a complete backup/restore facility.



Soliloquist
Velociraptor

Joined: 13 Oct 2011
Age: 57
Gender: Male
Posts: 467

06 Apr 2018, 1:12 pm

B19 wrote:
:(


Soliloquist, thanks for the list. Where would those nuisances be stored, usually, on cookies, cache or elsewhere?


The domain names are set up by a packed and encrypted script that has been injected in various pages on the server.

This shows that the majority of those malware domains are active. All the Google references apart from googleads4.g.doubleclick.net are the legitimate ads for the site.

Quote:
Domain Bytes
wrongplanet.net 290,690
pagead2.googlesyndication.com 185,132
code.jquery.com 142,490
s0.2mdn.net 104,283
tpc.googlesyndication.com 92,357
securepubads.g.doubleclick.net 86,236
fonts.gstatic.com 29,575
googleads.g.doubleclick.net 22,335
http://www.googletagservices.com 22,328
a.tribalfusion.com 21,995
impl.us.onscroll.com 16,870
ad.doubleclick.net 15,322
http://www.google-analytics.com 15,139
tags.expo9.exponential.com 14,279
tags.us.onscroll.com 10,518
cdnx.tribalfusion.com 10,246
edge.quantserve.com 5,141
fonts.googleapis.com 3,519
cm.g.doubleclick.net 955
ssum-sec.casalemedia.com 866
pixel.rubiconproject.com 829
ib.adnxs.com 727
adservice.google.com 633
image6.pubmatic.com 561
rules.quantcount.com 484
pixel.quantserve.com 474
pixel.advertising.com 456
beacon.krxd.net 453
simage2.pubmatic.com 403
secure-us.imrworldwide.com 402
us-u.openx.net 317
http://www.google.com 266
dsum-sec.casalemedia.com 255
googleads4.g.doubleclick.net 153
ads.yahoo.com 120
sync.adaptv.advertising.com 0
tags.bluekai.com 0
aa.agkn.com 0
d.agkn.com 0
s.tribalfusion.com 0
ads.stickyadstv.com 0
dpm.demdex.net 0


If you are still not getting any response from the owner of the site, maybe someone should contact the hosting company, Sliqua Enterprise Hosting. The Executive Vice President, Joe Cooter, is also a member here: memberlist.php?mode=viewprofile&u=33172
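The triage this post performs by hand (first-party host, the site's own ad stack, and the unexpected third parties that are actually delivering bytes versus those showing 0), as an added Python example that is not part of the original post. The report lines are constructed from part of the table above; the allowlist of expected suffixes is an assumption drawn from the poster's remark that the Google hosts other than googleads4.g.doubleclick.net are the site's legitimate ads.

```python
# Added example (not code from the original post): bucket a per-host traffic
# report like the one quoted above into first-party, expected and unexpected
# hosts. REPORT is constructed from part of the thread's table; the allowlist is
# an assumption drawn from the poster's remark about the legitimate Google hosts.
REPORT = """\
wrongplanet.net 290,690
pagead2.googlesyndication.com 185,132
http://www.googletagservices.com 22,328
a.tribalfusion.com 21,995
impl.us.onscroll.com 16,870
ib.adnxs.com 727
googleads4.g.doubleclick.net 153
tags.bluekai.com 0
ads.stickyadstv.com 0
"""
FIRST_PARTY = "wrongplanet.net"
# Suffixes of the site's own ad/analytics stack (assumption, see above).
EXPECTED_SUFFIXES = ("googlesyndication.com", "doubleclick.net", "gstatic.com",
                     "googleapis.com", "google-analytics.com", "googletagservices.com")
# The one Google host the poster singled out as NOT part of the legitimate stack.
EXPLICIT_SUSPECTS = {"googleads4.g.doubleclick.net"}


def parse_report(text):
    """Map each 'host bytes' line to an int, dropping a stray 'http://' prefix
    and the thousands separators that appear in the quoted report."""
    hosts = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        host, _, size = line.rpartition(" ")
        hosts[host.lower().split("//")[-1]] = int(size.replace(",", ""))
    return hosts


def triage(report_text):
    """Unexpected hosts are split into active (bytes actually delivered) and
    inactive (0 bytes: blocked, failed, or a beacon that has not fired yet)."""
    result = {"first_party": [], "expected": [], "active": [], "inactive": []}
    for host, size in parse_report(report_text).items():
        under = lambda s: host == s or host.endswith("." + s)  # suffix, not substring
        if under(FIRST_PARTY):
            result["first_party"].append(host)
        elif host not in EXPLICIT_SUSPECTS and any(map(under, EXPECTED_SUFFIXES)):
            result["expected"].append(host)
        elif size > 0:
            result["active"].append((host, size))
        else:
            result["inactive"].append(host)
    result["active"].sort(key=lambda hs: -hs[1])  # largest payloads first
    return result
```

The suffix check deliberately refuses a bare substring match, so a lookalike such as a host ending in `doubleclick.net.example` lands in the unexpected bucket rather than the allowlist.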



B19
Veteran

Joined: 11 Jan 2013
Gender: Female
Posts: 9,993
Location: New Zealand

06 Apr 2018, 3:37 pm

I see that he visited last month, and is still active. Thanks for the heads up (again). I've sent him a PM for now, so he might chime into this thread if he has time and inclination.



SaveFerris
Veteran

Joined: 3 Sep 2016
Gender: Male
Posts: 14,762
Location: UK

08 Apr 2018, 7:47 am

If anyone's interested, Malwarebytes Premium deals with the pop-ups on this site. You can get a free trial for 14 days but after that you have to pay :(


_________________
R Tape loading error, 0:1

Hypocrisy is the greatest luxury. Raise the double standard