hmmm malware?

Sunday, April 21st, 2019 11:40 pm
darkoshi: (Default)
This is the 2nd time in about as many days that when clicking a link, I've gotten a page like this, which is not the link I clicked:


[Firefox Logo - making it look like it's a Mozilla survey, but it isn't]
2019 Annual Visitor Survey undefined
Browser Opinion survey
April 21, 2019
Congratulations!

You’ve been personally selected to take part in our 2019 Annual Visitor Survey! Tell us what you think of Firefox and to say “Thank You” you’ll receive a chance to get an Apple iPhone Xs!
Question 1 of 4:
How often do you use Firefox ?


When I go back and click the link again, the expected page opens.

Today it happened upon clicking a link in the Google search results. Yesterday, I don't remember which page I had clicked the link from.

It seems to be malware:
https://duckduckgo.com/?q=firefox+%222019+Annual+Visitor+Survey%22&ia=web

(But none of the links in those search results look particularly trustworthy to me.)

An MBAM scan didn't find anything.
Currently doing a scan with my antivirus software.
... it didn't detect anything either.

This has been happening in Waterfox. I wonder if one of my add-ons got hacked. Hopefully not Waterfox itself.

Or maybe the sites that the links I clicked go to were hacked, to occasionally redirect the visitor to this bogus survey site. Both times, the domains of the survey URLs were different:
http://prize8384.bestlifehere24.life/...
http://competition8713.bumblbee82.life/...

(no subject)

Thursday, October 11th, 2012 12:35 am
darkoshi: (Default)
By the way, if you use MalwareBytes Anti-Malware, and get a message that a website is being blocked when opening my journal page, it is because MBAM is now blocking the IP # of the server that I've been storing photos on. I'm trying to figure out why, and if there's a way to get the problem resolved without switching hosting providers.

Yahoo weirdness

Monday, October 8th, 2012 10:59 pm
darkoshi: (Default)
Forestfen had difficulty logging into her Yahoo Mail account today. She was being prompted to perform an extra sign-in verification step (aka 2-factor authentication). It wasn't simply a prompt advising her to set up 2-factor authentication as I sometimes get; it was actually prompting her to enter a phone number for the security code to be sent to. There was no way of bypassing it.

To Forestfen's knowledge, she hadn't previously turned on 2-factor authentication, nor had she previously entered her phone number on any Yahoo Options page.

This was corroborated by the fact that the extra sign-in verification window had an entry field for her to enter her phone number in. That was the really odd thing about it (though that didn't occur to me until later). Anyone could have entered any phone number, and have been sent a code for logging in.

I tried logging into her email account from a completely different computer, and got the same prompt as she was getting. This at least assured me that the problem wasn't due to malware on her computer.

The prompt had 2 fields, a "Country" drop-down and a "Phone Number" entry field. There were 2 push-buttons - one to receive a phone call, and the other to receive an SMS message. Forestfen first tried the phone call option (she said she got an automated call with a 3-digit number), and then the SMS option (which sent a 5-digit number), and finally got logged in.

The Yahoo Account info page shows "second sign-in verification" is flagged as being in "beta".
I suppose this must be some bug in their logic.


darkoshi: (Default)
I got an LJ Notice that "grevvlad" added me as a friend. So I looked at their profile. It doesn't show me on their friends list, so I suppose they added me and then removed me. I couldn't figure out if it was a real account/person, or something spammy/nefarious.

Their LJ seems to only have videos posted. If you click on some of their interests... say "moontale"... it shows several communities where this person is the only, or nearly the only poster. And the things posted on those communities are again mostly videos - music videos. Dark/industrial/metal type music. As well as videos of an anti-German(?) slant.

Certainly suspicious. But if it is something spammy, it is more complex than usual. And what is the purpose?

Ah! As I was browsing a few of those LJ pages, I got a popup that my MalwareBytes blocked something... so the purpose must be to install malware on people's computers, or something nefarious indeed.

Yay! for MalwareBytes Anti-Malware PRO. I installed it with the real-time protection module this weekend, after buying a license (4 licenses actually... one for my friend's computer, one for my mom's, one for Qiao, and one for me).

Today's log:
08:31:29 *** MESSAGE Protection started successfully
08:31:34 *** MESSAGE IP Protection started successfully
21:26:59 *** IP-BLOCK 82.146.59.111 (Type: outgoing, Port: 49523, Process: firefox.exe)
21:50:49 *** IP-BLOCK 82.146.59.111 (Type: outgoing, Port: 49799, Process: firefox.exe)

malware and scams

Saturday, June 4th, 2011 01:48 am
darkoshi: (Default)
I got a small fright today when a message popped up on my work computer. It seemed similar to the trojan that I had cleaned off of Forestfen's computer last weekend. It then brought up an artfully disguised browser page. I recognized it as malware-related right away, but wasn't sure if it had already somehow managed to infect the computer. Thankfully it didn't seem to get further than the browser screens (it had popped up while I was googling for info on SQL Server). I disconnected from the network right away, took some photos, and closed all my browsers. I did a full scan later, which found nothing.


Apparently scammers are now also calling people up on the telephone pretending to be with Microsoft and trying to scare them into thinking that their computer is infected.

(no subject)

Sunday, April 26th, 2009 02:58 pm
darkoshi: (Default)
What is the purpose of the fake LJ accounts that just have bunches of links to all kinds of pages?

[I decided not to post the links, in case they do have malware in them]

The links are given random names and seem to point to webpages that aren't real either - just more bunches of strange links. If the links went to pages that were trying to sell stuff, it would make sense to me. But these just seem strange. Maybe the links are pointing to webpages that have malware in them, and their purpose is to lure someone without the appropriate malware-protection into clicking on the links and getting infected?

I guess they generate the random names in hopes of getting search engines to index them, and getting traffic from the search engines.
darkoshi: (Default)
An interesting article on Dubai.

Also, beware of messages telling you to update your Flashplayer, when trying to play a video.... it could be an attempt to trick you into installing a computer virus such as koobface.

Page generated Friday, May 23rd, 2025 06:23 am