This is the 2nd time in about as many days that when clicking a link, I've gotten a page like this, which is not the link I clicked:
[Firefox Logo - making it look like it's a Mozilla survey, but it isn't]
2019 Annual Visitor Survey undefined
Browser Opinion survey
April 21, 2019
Congratulations!
You’ve been personally selected to take part in our 2019 Annual Visitor Survey! Tell us what you think of Firefox and to say “Thank You” you’ll receive a chance to get an Apple iPhone Xs!
Question 1 of 4:
How often do you use Firefox ?
When I go back and click the link again, the expected page opens.
Today it happened upon clicking a link in the Google search results. Yesterday, I don't remember which page I had clicked the link from.
It seems to be malware:
https://duckduckgo.com/?q=firefox+%222019+Annual+Visitor+Survey%22&ia=web
(But none of the links in those search results look particularly trustworthy to me.)
An MBAM scan didn't find anything.
Currently doing a scan with my antivirus software.
... it didn't detect anything either.
This has been happening in Waterfox. I wonder if one of my add-ons got hacked. Hopefully not Waterfox itself.
Or maybe the sites that the links I clicked go to were hacked, to occasionally redirect the visitor to this bogus survey site. Both times, the domains of the survey URLs were different:
http://prize8384.bestlifehere24.life/...
http://competition8713.bumblbee82.life/...
no subject
Date: 2019-04-22 07:04 am (UTC) From:
--Are you clicking links in search results that bring you to the fake survey?
--Is it a redirect to a website or do you see a popup window in the browser (I'm mostly seeing the latter screencapped in search results I check)?
I'm just curious when/where one might run into this so I can try to avoid it. My use of Waterfox is limited to sorting/storing/reading bookmarks and doing CSS stuff on DW but that said, I have Waterfox "customized" a bit: after I installed it maybe over a year ago, I went into about:config and ripped out anything that can update the browser or my add-ons, because I didn't want my (mostly ancient) add-ons breaking with auto-updates.
Whatever I did worked, so I need to watch things - maybe a bit more carefully than most.
no subject
Date: 2019-04-22 02:08 pm (UTC) From:
I checked my browser history using Nirsoft's BrowsingHistoryView tool, as Firefox's history list filters out duplicate entries, making it harder to see what exact order you did things in.
Yesterday on 4/21:
I did this search in DuckDuckGo:
https://duckduckgo.com/?q=android+screen+goes+black+during+call
Then, I clicked one of the top search results (right-click, to open in new tab):
http://www.smartmobilephonesolutions.com/content/cell-phone-shows-a-black-screen-during-or-after-a-phone-call
My history first shows the above URL having been opened, and next is the URL to the bogus survey, with "Visited From" equal to the above URL. So I suspect now that the above site is infected, and that it redirected me. The new tab that opened for me only showed the survey. I closed that tab, and re-clicked the link in the search results to get the correct page to display. It displayed then, but with some error message, so I closed it.
The day before on 4/20:
I did this search:
https://duckduckgo.com/?q=mayor+steven+benjamin+mailing+list
I had clicked this link in the search results: https://stevebenjamin.com/
My history first shows the above URL having been opened, and 1 second later is the URL to the bogus survey, with "Visited From" equal to the above URL. So again, I suspect the above site is infected. [ But I guess it might still instead be a problem in my browser or an add-on of mine? ]
Upon closing the tab, and re-clicking the link in the search results, the correct page displayed, without any error.
I'm running the latest Waterfox, 56.2.9. With 11 add-ons. Since this has only happened twice so far, and isn't recreatable by opening the same sites again, I can't test if disabling the add-ons would fix the problem.
From what I read, the end of the survey prompts you to buy some things, so that seems to be its main purpose. I don't think it does anything else nefarious to the machine (whether it's on my end or the server end). But I can't be sure.
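The history check described in the comment above (a visit whose "Visited From" is the clicked page, landing on a different site a second later) can also be run as a query. This is an added example, not part of the original thread: it assumes the Firefox-family `places.sqlite` layout (`moz_places`, `moz_historyvisits` with `from_visit` and microsecond `visit_date`), reduced to the columns needed, and every row and URL in it is constructed sample data.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed sample rows shaped like Firefox's places.sqlite tables
# (simplified to the columns used here); visit_date is in microseconds.
SAMPLE_PLACES = [
    (1, "https://duckduckgo.com/?q=example+search"),
    (2, "http://blog.example.org/article"),
    (3, "http://prize0000.survey-example.test/q1"),
    (4, "https://news.example.com/story"),
]
SAMPLE_VISITS = [  # (id, from_visit, place_id, visit_date, visit_type)
    (10, 0, 1, 1_000_000_000, 2),
    (11, 10, 2, 1_020_000_000, 1),   # result clicked 20 s after the search
    (12, 11, 3, 1_021_000_000, 1),   # 1 s after visit 11, different host
    (13, 10, 4, 1_300_000_000, 1),   # ordinary click, 300 s after the search
]

def build_sample_db():
    """Create an in-memory database holding the constructed sample history."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
    db.execute("CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, "
               "from_visit INTEGER, place_id INTEGER, visit_date INTEGER, "
               "visit_type INTEGER)")
    db.executemany("INSERT INTO moz_places VALUES (?, ?)", SAMPLE_PLACES)
    db.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)",
                   SAMPLE_VISITS)
    return db

def fast_cross_site_hops(db, max_gap_s=3):
    """Return (from_url, to_url, gap_seconds) for visits that followed their
    referring visit within max_gap_s and landed on a different host."""
    rows = db.execute(
        "SELECT pp.url, cp.url, (c.visit_date - p.visit_date) / 1000000.0 "
        "FROM moz_historyvisits c "
        "JOIN moz_historyvisits p ON p.id = c.from_visit "
        "JOIN moz_places cp ON cp.id = c.place_id "
        "JOIN moz_places pp ON pp.id = p.place_id "
        "ORDER BY c.visit_date").fetchall()
    return [(src, dst, gap) for src, dst, gap in rows
            if 0 <= gap <= max_gap_s
            and urlsplit(src).hostname != urlsplit(dst).hostname]

if __name__ == "__main__":
    for src, dst, gap in fast_cross_site_hops(build_sample_db()):
        print(f"{gap:.0f}s  {src}  ->  {dst}")
```

A hit only says the hop came from that page quickly; legitimate sites also redirect across hosts, so the source URL still has to be judged by hand. To use it on a real profile, run it against a copy of `places.sqlite` taken while the browser is closed.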
no subject
Date: 2019-04-22 09:09 pm (UTC) From:
I would've suggested disabling add-ons to test things out, too, but if it's not happening now then there's probably no point. Short of that, I might also try googling the names of said add-ons to see if anyone else has complained of adware or other malware being attached to them, but if the issue doesn't come up again then there's probably no need.
(Sometimes, it occurs to me, I can find strange things by checking about:config - so for this one I might type "redirect" or "popup" or similar into the about:config search box to see what comes up. I've found some odd/surprising stuff just by looking through it.)
no subject
Date: 2019-04-23 04:15 am (UTC) From:
I checked my about:config, as well as running tasks in Task Manager, and my Windows folders for any files with recent dates. Haven't found anything suspicious yet.
I ran this scanner; it didn't detect any rootkits:
https://support.kaspersky.com/viruses/utility#TDSSKiller
I ran AdwCleaner; it didn't find anything.
no subject
Date: 2019-04-26 02:37 am (UTC) From:
So, it was maybe possibly hacked. Google's cache brings up a mixture of 404 pages (on their own servers, not on the website's) and archived pages but with older page dates, so without looking through their cache and archive.org's copy some more it's hard to say.
I have a feeling the mayor's personal website might have had an issue as well, as the page you visited is no longer showing up in results; instead, DDG points us to https://columbiasc.net/mayor/about. Neither Google nor DDG has removed his site from results, nor does either flag either possibly messed-with website in question as "possibly hacked", so I don't know.
Neither redirected me nor gave me any popup to the survey while checking in Waterfox tonight (version 56.2.0, released Jan. 2018). Clicked the "check for updates" button while I was in there and see it's offering to upgrade to 56.2.9, so I must've missed something in about:config, because if I'd done the ripping out of things right that button wouldn't even work. Oh, well.
no subject
Date: 2019-04-26 04:39 am (UTC) From:
The http://www.smartmobilephonesolutions.com/ site is now giving an error which lists a user id and password (Access denied for user 'bond007_james'@'localhost' (using password: YES)).
Whether that has anything to do with it being hacked or not, I can't say... maybe someone hacked that id & weak password, so the webmaster disabled its access? Either way, it's still bad coding to have the id & password displayed to anyone opening the page.
no subject
Date: 2019-04-26 04:46 am (UTC) From:
no subject
Date: 2019-04-26 04:49 am (UTC) From:
Which I was not getting just minutes before I wrote my earlier replies tonight to you.
ETA: The lock.inc thing looks like: "Wow, websites can get ransomwared?" maybe at first glance but is actually a known thing in Drupal, perhaps to prevent race conditions: https://api.drupal.org/api/drupal/includes%21lock.inc/function/lock_may_be_available/7.x
Database meltdown perhaps (or hack)? Sort of interesting. Googled the heck out of the bond007 and bond007_james portion but all I get is that Paul Manafort used something similar as his password and some Pinterests and a MySpace. IP lookup's not illuminating but does indicate malware gets hosted there (blacklisted): https://dnslytics.com/ip/104.28.29.148
And here's the top result for "'@'localhost' (using password: YES)": https://stackoverflow.com/questions/20353402/access-denied-for-user-testlocalhost-using-password-yes-except-root-user
no subject
Date: 2019-04-26 05:10 am (UTC) From:
no subject
Date: 2019-04-26 05:23 am (UTC) From:
Either way Google results are pretty voluminous so the error does seem common enough.