View Full Version : Web forgery??
Finesse January 9th, 2015, 08:00 PM Alex, when I tried to access a thread in the General Motorcycling Forum, it kept re-directing me to some skin products website that was obviously some kind of spam.. I thought I'd accidentally clicked an ad but it keeps doing this. Then I got a notification from some security thing saying this website has been detected as web forgery. I clicked 'get me out of here' and then shut the page and tried again, but same thing. the thread is titled 'many questions...'
subxero January 9th, 2015, 08:04 PM i had similar, i cleared my cache and i haven't had any problems since.
But it was only this website, i tried several other sites with no issues.
It was happening to me just by scrolling, not even clicking, pretty much in any part of the forum
Finesse January 9th, 2015, 08:15 PM forgive my ignorance but what is clearing your cache :o
NevadaWolf January 9th, 2015, 08:22 PM It's deleting all the little bits of data your browser saves on your computer to make loading the page next time faster.
What browser do you use?
Finesse January 9th, 2015, 08:26 PM mozilla firefox
alex.s January 9th, 2015, 08:32 PM ally said the same thing on faceplace. i bet it's an ad thing. i heard there was spyware going through an aol ad served on something else too. probably all part of an elaborate nsa/china/russia hack war. that's clearly the simplest answer.
NevadaWolf January 9th, 2015, 08:40 PM mozilla firefox
https://support.mozilla.org/en-US/kb/how-clear-firefox-cache
Clear the cache
Click the menu button and choose Options.
Select the Advanced panel.
Click on the Network tab.
In the Cached Web Content section, click Clear Now.
NevadaWolf January 9th, 2015, 08:41 PM I just got it too, a redirect to a skin product site.
Using Chrome on iPad.
The URL all the redirects are going to...
http:// lemode-mgz<dot>com/
Alex January 9th, 2015, 08:47 PM OK - weird. I haven't been able to reproduce it yet. There are two main suspects; a problem with Viglink, or an ad being served through google's ad network that is behaving maliciously. If you're having the problem, if you could take a screenshot of the link it is sending you to, it would be helpful. Then hit the back button and show me the link on ninjette where it came from if at all possible so I can try and troubleshoot.
To disable the Google ads entirely, you can go into your control panel options (https://www.ninjette.org/forums/profile.php?do=editoptions) and use this checkbox to blank them all out temporarily. It resets at the beginning of each month.
https://www.ninjette.org/forums/picture.php?albumid=840&pictureid=12116
But my hunch is that Viglink is having a problem...
alex.s January 9th, 2015, 08:50 PM http://thehackernews.com/2015/01/aol-advertising-network-abused-to_6.html
Alex January 9th, 2015, 08:58 PM Yep - it can certainly happen in that fashion if the ad vendor isn't vetting the submissions. Google has historically been pretty clean on this though. From the facebook discussion, it is interesting that incognito mode caused it not to happen, but running outside of incognito mode allowed it to happen. Unless it's a coincidence, that still points to a local extension doing something quirky. While viglink uses a javascript script on the page, I think that is still running in incognito (need to confirm), so that behavior doesn't quite track with what people are apparently seeing.
NevadaWolf January 9th, 2015, 08:58 PM OK - weird. I haven't been able to reproduce it yet. There are two main suspects; a problem with Viglink, or an ad being served through google's ad network that is behaving maliciously. If you're having the problem, if you could take a screenshot of the link it is sending you to, it would be helpful. Then hit the back button and show me the link on ninjette where it came from if at all possible so I can try and troubleshoot.
When I got it, it was after I had hit Quote to respond to Finesse, the page redirected as I was typing. It does take a bit for the whole page to load for me though.
Alex January 9th, 2015, 09:00 PM OK, confirmed that. In incognito, outbound links are still re-written with viglink. If viglink is the culprit, going to incognito mode shouldn't affect the behavior either way, yet it seems to? :idunno:
NevadaWolf January 9th, 2015, 09:03 PM Ah! Yeah for histories!
The links it sent me to. Happened multiple times:
Link 1:
http:// lemode-mgz (dot) com/sc/gm722-2310/special-report.html?voluumdata=vid..00000000-f6c3-4c09-8000-000000000000__vpid..c4013800-9874-11e4-888a-65aea4112e41__caid..421c6fa2-56dc-4806-b48a-6b536e9f021f__lid..24bb0db4-e6fd-4742-9d58-2c48118090fe__rt..R__oid1..2442d6b4-fafa-4d60-94ec-f51682a627dd__oid2..df4cad13-52ea-4672-b3cb-f9a20f42ec87__var1..adwynne__var2..us__var3..1__var4..728-90__var5..1420861428413__var6..https%3A%2F%2Fgoogleads%5C.%5Cg%5C.%5Cdoubleclick %5C.%5Cnet%2Fpagead%2Fads%3Fclient%3Dca-pub-9679775304269022%26format%3D728x90%5C_%5Cas%26output%3Dhtml%26h%3D90%26slotname% 3D6109939056%26adk%3D219048414%26w%3D728%26lmt%3D1420890224%26flash%3D0%26url%3D https%3A%2F%2Fwww%5C.%5Cninjette%5C.%5Corg%2Fforums%2Fshowthread%5C.%5Cphp%3Fp%3 D969828%23post969828%26dt%3D1420861392429%26bpp%3D165%26shv%3Dr20150106%26cbv%3D r20141212%26saldr%3Daa%26prev%5C_%5Cfmts%3D728x90%5C_%5Cas%26correlator%3D645972 2668033%26frm%3D20%26ga%5C_%5Cvid%3D64562463%5C.%5C1418108112%26ga%5C_%5Csid%3D1 420853954%26ga%5C_%5Chid%3D1273956634%26ga%5C_%5Cfc%3D1%26u%5C_%5Ctz%3D-480%26u%5C_%5Chis%3D3%26u%5C_%5Cjava%3D0%26u%5C_%5Ch%3D1024%26u%5C_%5Cw%3D768%26 u%5C_%5Cah%3D748%26u%5C_%5Caw%3D1024%26u%5C_%5Ccd%3D32%26u%5C_%5Cnplug%3D1%26u%5 C_%5Cnmime%3D34%26dff%3Dverdana%26dfs%3D13%26adx%3D126%26ady%3D4032%26biw%3D980% 26bih%3D644%26eid%3D317150304%26oid%3D3%26ref%3Dhttps%3A%2F%2Fwww%5C.%5Cninjette %5C.%5Corg%2Findex2%5C.%5Cphp%26rx%3D0%26jtc%3D1%26eae%3D0%26fc%3D8%26brdim%3D0% 2C0%2C0%2C0%2C1024%2C0%2C0%2C0%2C1138%2C297%26vis%3D1%26abl%3DNS%26ppjl%3Df%26fu %3D16%26bc%3D1%26ifi%3D3%26xpc%3DLaYjWez9y1%26p%3Dhttps%3A%2F%2Fwww%5C.%5Cninjet 
te%5C.%5Corg%26dtd%3DM&account=adwynne&campaign=us&adgroup=1&banner=728-90&it=1420861428413&refurl=https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9679775304269022&format=728x90_as&output=html&h=90&slotname=6109939056&adk=219048414&w=728&lmt=1420890224&flash=0&url=https://www.ninjette.org/forums/showthread.php?p=969828#post969828&dt=1420861392429&bpp=165&shv=r20150106&cbv=r20141212&saldr=aa&prev_fmts=728x90_as&correlator=6459722668033&frm=20&ga_vid=64562463.1418108112&ga_sid=1420853954&ga_hid=1273956634&ga_fc=1&u_tz=-480&u_his=3&u_java=0&u_h=1024&u_w=768&u_ah=748&u_aw=1024&u_cd=32&u_nplug=1&u_nmime=34&dff=verdana&dfs=13&adx=126&ady=4032&biw=980&bih=644&eid=317150304&oid=3&ref=https://www.ninjette.org/index2.php&rx=0&jtc=1&eae=0&fc=8&brdim=0,0,0,0,1024,0,0,0,1138,297&vis=1&abl=NS&ppjl=f&fu=16&bc=1&ifi=3&xpc=LaYjWez9y1&p=https://www.ninjette.org&dtd=M
Link 2
http:// lemode-mgz (dot) com/brains/index.html?voluumdata=vid..00000004-fa8c-433c-8000-000000000000__vpid..c4013800-9874-11e4-8a15-28b4bfc977b0__caid..421c6fa2-56dc-4806-b48a-6b536e9f021f__lid..97969e83-b7cf-497c-8b12-96497e80e4ce__rt..R__oid1..7495fcb7-0aa3-48d7-930b-8bc8f6f511a7__var1..adwynne__var2..us__var3..1__var4..728-90__var5..1420861373302__var6..https%3A%2F%2Fgoogleads%5C.%5Cg%5C.%5Cdoubleclick %5C.%5Cnet%2Fpagead%2Fads%3Fclient%3Dca-pub-9679775304269022%26format%3D728x90%26output%3Dhtml%26h%3D90%26slotname%3D0232394 688%26adk%3D1419795359%26w%3D728%26lmt%3D1420890170%26flash%3D0%26url%3Dhttps%3A %2F%2Fwww%5C.%5Cninjette%5C.%5Corg%2Fforums%2Fshowthread%5C.%5Cphp%3Fp%3D969828% 23post969828%26dt%3D1420861369999%26bpp%3D39%26shv%3Dr20150106%26cbv%3Dr20141212 %26saldr%3Daa%26correlator%3D1913148438529%26frm%3D20%26ga%5C_%5Cvid%3D64562463% 5C.%5C1418108112%26ga%5C_%5Csid%3D1420853954%26ga%5C_%5Chid%3D829290857%26ga%5C_ %5Cfc%3D1%26u%5C_%5Ctz%3D-480%26u%5C_%5Chis%3D2%26u%5C_%5Cjava%3D0%26u%5C_%5Ch%3D1024%26u%5C_%5Cw%3D768%26 u%5C_%5Cah%3D748%26u%5C_%5Caw%3D1024%26u%5C_%5Ccd%3D32%26u%5C_%5Cnplug%3D1%26u%5 C_%5Cnmime%3D34%26dff%3Dverdana%26dfs%3D13%26adx%3D410%26ady%3D10%26biw%3D980%26 bih%3D644%26eid%3D317150304%2C828064100%26oid%3D3%26ref%3Dhttps%3A%2F%2Fwww%5C.% 5Cninjette%5C.%5Corg%2Findex2%5C.%5Cphp%26rx%3D0%26eae%3D0%26fc%3D8%26brdim%3D0% 2C0%2C0%2C0%2C1024%2C0%2C0%2C0%2C1138%2C747%26vis%3D1%26abl%3DCS%26ppjl%3Du%26sr r%3D1%26fu%3D16%26bc%3D1%26ifi%3D1%26xpc%3Dm4gPTMeMUK%26p%3Dhttps%3A%2F%2Fwww%5C 
.%5Cninjette%5C.%5Corg%26dtd%3D529&account=adwynne&campaign=us&adgroup=1&banner=728-90&it=1420861373302&refurl=https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9679775304269022&format=728x90&output=html&h=90&slotname=0232394688&adk=1419795359&w=728&lmt=1420890170&flash=0&url=https://www.ninjette.org/forums/showthread.php?p=969828#post969828&dt=1420861369999&bpp=39&shv=r20150106&cbv=r20141212&saldr=aa&correlator=1913148438529&frm=20&ga_vid=64562463.1418108112&ga_sid=1420853954&ga_hid=829290857&ga_fc=1&u_tz=-480&u_his=2&u_java=0&u_h=1024&u_w=768&u_ah=748&u_aw=1024&u_cd=32&u_nplug=1&u_nmime=34&dff=verdana&dfs=13&adx=410&ady=10&biw=980&bih=644&eid=317150304,828064100&oid=3&ref=https://www.ninjette.org/index2.php&rx=0&eae=0&fc=8&brdim=0,0,0,0,1024,0,0,0,1138,747&vis=1&abl=CS&ppjl=u&srr=1&fu=16&bc=1&ifi=1&xpc=m4gPTMeMUK&p=https://www.ninjette.org&dtd=529
Link 3
http:// lemode-mgz (dot) com/fd/dietluma/indexdr.html?voluumdata=vid..00000005-ac8c-47d9-8000-000000000000__vpid..c4013800-9874-11e4-8b1f-5f626e4129b6__caid..421c6fa2-56dc-4806-b48a-6b536e9f021f__lid..b764f05e-994e-4547-a58e-9deaa12b3008__rt..R__oid1..62cf4549-90d3-4eae-a241-9097bd88f605__var1..adwynne__var2..us__var3..1__var4..728-90__var5..1420861321075__var6..https%3A%2F%2Fgoogleads%5C.%5Cg%5C.%5Cdoubleclick %5C.%5Cnet%2Fpagead%2Fads%3Fclient%3Dca-pub-9679775304269022%26format%3D728x90%26output%3Dhtml%26h%3D90%26slotname%3D0232394 688%26adk%3D1419795359%26w%3D728%26lmt%3D1420890119%26flash%3D0%26url%3Dhttps%3A %2F%2Fwww%5C.%5Cninjette%5C.%5Corg%2Fforums%2Fnewreply%5C.%5Cphp%3Fdo%3Dnewreply %26p%3D969823%26dt%3D1420861319154%26bpp%3D45%26shv%3Dr20150106%26cbv%3Dr2014121 2%26saldr%3Daa%26correlator%3D2272176189441%26frm%3D20%26ga%5C_%5Cvid%3D64562463 %5C.%5C1418108112%26ga%5C_%5Csid%3D1420853954%26ga%5C_%5Chid%3D454583309%26ga%5C _%5Cfc%3D1%26u%5C_%5Ctz%3D-480%26u%5C_%5Chis%3D9%26u%5C_%5Cjava%3D0%26u%5C_%5Ch%3D1024%26u%5C_%5Cw%3D768%26 u%5C_%5Cah%3D748%26u%5C_%5Caw%3D1024%26u%5C_%5Ccd%3D32%26u%5C_%5Cnplug%3D1%26u%5 C_%5Cnmime%3D34%26dff%3Dverdana%26dfs%3D13%26adx%3D410%26ady%3D10%26biw%3D980%26 bih%3D644%26eid%3D317150304%26oid%3D3%26ref%3Dhttps%3A%2F%2Fwww%5C.%5Cninjette%5 C.%5Corg%2Fforums%2Fshowthread%5C.%5Cphp%3Fp%3D969827%26rx%3D0%26eae%3D0%26fc%3D 8%26brdim%3D0%2C0%2C0%2C0%2C1024%2C0%2C0%2C0%2C1138%2C747%26vis%3D1%26abl%3DCS%2 6ppjl%3Du%26srr%3D1%26fu%3D16%26bc%3D1%26ifi%3D1%26xpc%3D8pu01HntzZ%26p%3Dhttps% 
3A%2F%2Fwww%5C.%5Cninjette%5C.%5Corg%26dtd%3D558&account=adwynne&campaign=us&adgroup=1&banner=728-90&it=1420861321075&refurl=https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-9679775304269022&format=728x90&output=html&h=90&slotname=0232394688&adk=1419795359&w=728&lmt=1420890119&flash=0&url=https://www.ninjette.org/forums/newreply.php?do=newreply&p=969823&dt=1420861319154&bpp=45&shv=r20150106&cbv=r20141212&saldr=aa&correlator=2272176189441&frm=20&ga_vid=64562463.1418108112&ga_sid=1420853954&ga_hid=454583309&ga_fc=1&u_tz=-480&u_his=9&u_java=0&u_h=1024&u_w=768&u_ah=748&u_aw=1024&u_cd=32&u_nplug=1&u_nmime=34&dff=verdana&dfs=13&adx=410&ady=10&biw=980&bih=644&eid=317150304&oid=3&ref=https://www.ninjette.org/forums/showthread.php?p=969827&rx=0&eae=0&fc=8&brdim=0,0,0,0,1024,0,0,0,1138,747&vis=1&abl=CS&ppjl=u&srr=1&fu=16&bc=1&ifi=1&xpc=8pu01HntzZ&p=https://www.ninjette.org&dtd=558
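Added example, not part of the original thread or any poster's code: landing URLs shaped like the three above carry their own attribution, and this sketch pulls out the ad server (`refurl`, and `var6` inside `voluumdata`) and the forum page the ad was rendered on (`url`). The sample URL is constructed and shortened; `landing.example`, the `ca-pub` id and the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample, shortened and modelled on the links posted above.
# landing.example and the ca-pub id are placeholders, not values from the thread.
SAMPLE = (
    "http://landing.example/sc/special-report.html"
    "?voluumdata=vid..00000000-0000-4000-8000-000000000000"
    "__var1..adwynne__var4..728-90"
    "__var6..https%3A%2F%2Fgoogleads%5C.%5Cg%5C.%5Cdoubleclick%5C.%5Cnet%2Fpagead%2Fads"
    "&account=adwynne&banner=728-90"
    "&refurl=https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-0000000000000000"
    "&format=728x90_as"
    "&url=https://www.ninjette.org/forums/showthread.php?p=969828#post969828&dt=1420861392429"
)

def host_of(value):
    """Hostname of an embedded URL, or None when the value is missing."""
    return urlsplit(value).hostname if value else None

def triage_landing_url(url):
    """Pull ad-chain attribution out of a redirect landing URL."""
    parts = urlsplit(url)
    # refurl is embedded without percent-encoding, so its own parameters
    # (format, url, ...) surface as outer query keys, and the '#' of the forum
    # link turns everything after it into the fragment.
    query = parse_qs(parts.query)

    def first(key):
        return query.get(key, [None])[0]

    # voluumdata packs "key..value" pairs joined by "__"; parse_qs has already
    # percent-decoded it. var6 carries the ad request with backslash-escaped dots.
    tracker = dict(
        pair.split("..", 1)
        for pair in (first("voluumdata") or "").split("__")
        if ".." in pair
    )
    return {
        "landing_host": parts.hostname,
        "ad_server_host": host_of(first("refurl")),
        "tracker_ad_host": host_of(tracker.get("var6", "").replace("\\", "")),
        "publisher_page": first("url"),
        "account": first("account"),
        "banner": first("banner"),
    }

if __name__ == "__main__":
    for field, value in triage_landing_url(SAMPLE).items():
        print(f"{field}: {value}")
```

When `ad_server_host` and `tracker_ad_host` agree, the redirect arrived through that ad network's slot rather than through a link on the page itself; the landing host is the one to add to the site's ad block list.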
Alex January 9th, 2015, 09:06 PM But what sent you there? What page were you on, or what link did you click for it to take you there? Did it just happen in the background with no user input?
Finesse January 9th, 2015, 09:06 PM yeah I got the same thing as Teri
I clicked on 'many questions' thread from the general motorcycling forum and it took me to that page, and then instantly redirected me to the skin care site
NevadaWolf January 9th, 2015, 09:10 PM But what sent you there? What page were you on, or what link did you click for it to take you there? Did it just happen in the background with no user input?
I was on this page, and clicked the Quote button under Finesse's "Mozilla Firefox" response.
I began typing in the Message box.
The page reloaded and landed on that site.
Clicked Back, returned to the New Reply page with Finesse's quote in the box,
Page reloaded again, skin care had changed to Forbes,
Closed tab, opened new tab, navigated back to her response, then Quote again.
Page reloaded as I was typing.
Third time I got the phishing warning from Chrome. Proceeded through the warning so I could copy the URL.
Closed Chrome, reopened it, came back to this page, clicked Quote again and managed to respond with how to clear the cache.
Alex January 9th, 2015, 09:13 PM Thx, NW; it is definitely google ads. A pile of people are reporting the same issues:
https://productforums.google.com/forum/#!topic/adsense/szfNNkPrkLI
https://productforums.google.com/forum/#!topic/adsense/3q1wwM-j7Cg
Google is working to weed out the crap, and I added these domains to our own block list. It's a bit like whackamole, as if Google lets the schmoes through, there can always be more, but it happens pretty rarely as they are generally on top of things. Sorry for the trouble, and for the short term if you do disable ads in your control panel the problem shouldn't re-occur, at least on this site.
Finesse January 9th, 2015, 09:20 PM cheers! :)
alex.s January 9th, 2015, 09:20 PM ABP is your friend
Alex January 9th, 2015, 09:25 PM (it's not my friend. at least not a close one.) :)