
CF Admins: More deep linking redirect attacks

Old Sep 7, 2019 | 03:16 AM
  #1  
larrysb's Avatar
larrysb
Thread Starter
Race Director
20 Year Member
Active Streak: 30 Days
Community Builder
Community Influencer
 
Joined: Aug 2002
Posts: 16,695
Likes: 1
From: Redacted
Default CF Admins: More deep linking redirect attacks

Just started getting embedded redirects off of Corvette Forum. These are damned annoying, they come through your advertisers, who are inserting encrypted redirects embedded in javascript.

I've brought this up before, they disappeared for a while. But this weekend, they're back on.

This happens just sitting viewing the Corvette Forum page. No clicking required. Then a rapid series of uncommanded redirects, which finally sent my browser to a malware site that my router blocked cold.

Again - no clicking required. Just viewing the CF page.
Old Sep 7, 2019 | 10:36 AM
  #2  
J T's Avatar
J T
IB Staff
15 Year Member
Photogenic
Photoriffic
Shutterbug
 
Joined: Feb 2009
Posts: 10,573
Likes: 4
Default

Please provide some of the information you're stating so that we can investigate with some specific details.

I assume this is also related to a blank/black ad box that may appear either up top or bottom?

I know the advertising team was aware of this issue and was reviewing it the last time.

Originally Posted by larrysb
Just started getting embedded redirects off of Corvette Forum. These are damned annoying, they come through your advertisers, who are inserting encrypted redirects embedded in javascript.

I've brought this up before, they disappeared for a while. But this weekend, they're back on.

This happens just sitting viewing the Corvette Forum page. No clicking required. Then a rapid series of uncommanded redirects, which finally sent my browser to a malware site that my router blocked cold.

Again - no clicking required. Just viewing the CF page.
Old Sep 8, 2019 | 02:51 AM
  #3  
larrysb

Got another redirect moments ago. The thing is, I don't know what element on the page causes it, as there are many active JS running. One of them is almost certainly eval'ing an image, which contains an encoded URL that's been tagged as an image or jpg or some such.

Again - I did nothing. I was just reading a post. No clicking, so it comes through an ad re-load. There's so freaking many of them on the CF site, that I'm not sure how to tell what element it was.

They go by so fast but it landed at this URL after several redirects (the usual "virus detected...download this" scam):

WARNING this URL is poison do not click!!!!



Other URLs in the redirect chain:



Code:
xttp://your-mac-security-analysis.net.ahrauchd.h5pg5hj9fyamcrwakp091o16mp5sjsne6izdq.xyz/fx/en/index.php?browser=Safari&fred=1&app=Mac%20Speedup%20Pro&hul=rs.eujmj3g.space&cep=y-ROUxf_tJrZ4x_Qz0mXCaBogauuVNs-eYfCtpYmdS-ehZemKFETwGKN0zli4hX7qTmy19jfmPtumtRRM_gu3vxgeSfHzURxsyFap-DpR65J9PXaDwpQ4_rfkhfTVKm5ktLp5o4EOxweiQAIlG6LZL9dCrOdECHgy0o6N1LABxgos1UpxaeJfBGklDyPmrVmK8sTb6H-BTPh5kDwTTWp9H5ugH8QCf6yujLNApZTPVYfpV3SBc8vg8VkIbGHc68bMlE__eEnv_a9_nySxrkjQtqMEzbolkuq7negwon7_H8nf6ocBZFcG5MYAPwNnMcg9shiOgQRmQinzYOGL9OFqOqT9iUmyVtTUxUKy3Kws8OaolqXfEJoHxIICP-8dexWzlhPCaMJJaL3Iw5A-hQrzDf-TDYOhXCcjWtCLXLbo-GMu1huhdce3x7TITcdSin1xK-5RF3asdcW6MBvU-tZuPYl1nGwbTMecxMz3nEV7MTto51OdP0_wOTwVD3qefy2n-ttBjibdc4xKkRM49kmF4FUKFasdmjrWmZzZWEUyWqx9vkS2JS7w1LVH_5Yrllv&_=BAoAXXSjUwFddKNTgAGBAcAAIPhDKrP9QjG5-heUhAEtFhN6wtI9psHZFSwKGy343M1MwQAgZPHWsccHmGyCRxQvpCIz1WLFxfV25DEBBAf-pO3Bot3CACDBrYscC8QDvs76dVlH5tBu8QnfpV1oGwVWHoMMKZjN48QAECYBBkaMAIudLLfZFH0P26vFABBZa4IItEn7cGMhHa-AunvrwwAgXAwcYevxT1AMk2M05VXU1_qNUYsu1Ftmg8IhpOPtKJI#b

xttp://the.bestoffersonline.stream/?utm_term=6734188736508067961&clickverify=1&utm_content=e7cacbe0c0dbc9c1a2a391979e97a49c8f8db888becabcc8b2b381878383b48dbfb988bdbcbf8cbfb28380b086878485a89bd9e9eef3f9bdd1fcfde1e3e3f1e7c6cba1878dc1ecdfd6e3d2d5e6e7e491888e9df9fecefcccc4cbc0f1c7c7c1c5cacbc850

xttp://the.bestoffersonline.stream/?utm_term=6734188745081225418&clickverify=1&utm_content=e7cacbe0c0dbc9c1a2a391979e97a49c8f8db888becabcc8b2b381878383b48dbfb988bdbcbf8cbd8283b181868784b79adae8e9f2fabcdefdfee0e4e2f2e6b9caa2868ac0efded9e2d1d4e1e6e790978f9ef8f9cfffcdcbcac3f0c0c6c2c4f5cacbda

xttps://0fficial.page/l/Mac/Cleaner/_index.php?lpk=15a367bb92bb58e901&language=en-US&img=sys2&uclick=fta9qdbl

xttps://0fficial.page/ll/click.php?key=kf1hssv4d6kqatpev3cz&subid=6734188745081225418&t1=847&t2=847-6d15a6fz&t3=6734188745081225418&t4=US


<meta http-equiv="refresh" content="0;URL='https://d5dijku3y67x2.cloudfront.net/?os=mac&amp;x-context=wB0KILCOU4LT9V6P1IMSV908&amp;utm_source=mmfxmrktddl3&amp;utm_campaign=mmfxmrktddl3o&amp;pxl=MMF4072_MMF3976_RUNT&amp;utm_pubid=17521&amp;x-at=f25a69b9-4af8-4553-895a-2041761e8173&amp;override=1'">

Last edited by larrysb; Sep 8, 2019 at 03:16 AM.
Old Sep 8, 2019 | 04:17 AM
  #4  
J T

I think this is related to the blank/black ad block that is also causing other issues in the network. If you can confirm that, again, that would help. We're investigating the issue and working with the ad team.

Yes, there is a lot of JS. Not all JS is bad. Over the years, websites like CorvetteForum have grown and evolved as technology has changed, and how people use the site and what they expect of it has as well. The site is not a static site with text and images. You've got Infinite Scroll and Related Threads enabled, Auto Save Draft, Advanced Image Uploader, etc., that are all features that have been developed and take coding (such as JS) to function. Not to mention legacy functions that also require JS (such as the drop-down menus). Turning off JS and browsing popular sites will show just how much JS is used, to the point some sites will not load properly.

Originally Posted by larrysb
Got another redirect moments ago. The thing is, I don't know what element on the page causes it, as there are many active JS running. One of them is almost certainly eval'ing an image, which contains an encoded URL that's been tagged as an image or jpg or some such.

Again - I did nothing. I was just reading a post. No clicking, so it comes through an ad re-load. There's so freaking many of them on the CF site, that I'm not sure how to tell what element it was.

They go by so fast but it landed at this URL after several redirects (the usual "virus detected...download this" scam):

WARNING this URL is poison do not click!!!!



Old Sep 19, 2019 | 05:23 PM
  #5  
larrysb

Just happened again moments ago.

Also happens on Rennlist, another Internet Brands site.

I know all about JS, written a fair bit of it myself, but not my speciality. I'm more into embedded C/C++ and python.

The current vector appears to go through c.adsco.re and redirects to MacKeeper and other malware sites.

It's definitely coming through the advertising channel and they're encoding the mal-url in the image data and decoding it with JS.
Old Sep 24, 2019 | 05:55 PM
  #6  
larrysb

So - here's some fun. I blocked all of adscore ( xx.adsco.re) domains at my router level, which causes the redirects to fail. Caught one today here on Corvette Forum.

I changed "http" in the redirect to "xttp" to prevent the hapless from accidentally clicking it.

So the embedded image data, decoded by JS, causes a redirect from this rs.eujmj3g.space server, hands it off to adscore (who are providing cover for these kinds of malware redirects).

I'll add this domain to my router blacklist. We'll eventually, hopefully figure out which ad vendor is slipping this crap in. It hits a number of popular web boards, not just corvette forum.

For the users reading along, the scheme is to create a fake "image" file, with the redirect URL embedded as data and a javascript to run on your browser to extract it. They slip this on through ad servers, who kinda scan them looking for this kind of stuff. But they slip through. The ads on the page are active and reload on their own. Sooner or later, the malware redirect comes up on your browser, the fake image data is decoded, then a double-hand-off occurs and you get sent to a "download flash player" or "your mac is infected with three viruses" link.

These people are scum.

I'd love to see more done to stop them. It's BS. It also degrades the business value of every web provider who gets this garbage slipped in on them.




Code:
xttp://rs.eujmj3g.space/zp-redirect?target=https%3A%2F%2Fc.adsco.re%2Fd%23Qj4hAAAAAAAAEy7UL13RqmPdTwDQ5wnEWeWnCCs%2Cdd2df884-574f-4a2c-8f8c-ee9ae7ed62eb_whiskey-bob-H2d0uBT7%2C3%2C%2CAAIe4oCm8tIO9F6MLp_t9rCVO6NgT_LE9ClqeJ90k09s9uOTNky4KpUkl-NqYIGsXcfka20kdzXjcscKks7_zT8kCf8HBVmn32ql5Gc1pyWsQH4JnPZJYzhjZQUDOlF2CeqSw4liYZqt2dHWkKXrkd-262RmSqqXstpc6unRDYigblZGu9-ztAtx7mT7VwM0cdjwt6hLx29EKvKVMchOu-CPS4WGI1fagLF3dZXWa6NvJ1RIhdWYR4F4DVp-Ej3Lz4IJIxgzeCwh5aYyMjxJIlQMs_SSa3xXW4mspx_S9-Bngy5h4VbvZQytXS17x8bMkoD30momCyqYBT4MqhyTIbtye-FQ_d2i3KqPTqHPCWSxOw%3Fbrowser%3DSafari%26trackingdomain%3Drs.eujmj3g.space%26brand%3DDesktop%26model%3DDesktop%26osversion%3DMacOS%252010.14%2520Mojave%26cep%3D%26cep%3D-MEcx42R5Qz8FxVw2wga2BQ-k7wTZzjgwiWGfOfiquBbHj3Lehss49Gpyq_DYTfKTa-stsR6cUnbMIRuKmEYoovk-PCQ6bVsVHAYuoVd5SDUR_JkMbIIq1S4sSWSHvLM50WcYBmCI1OSughEaBXuAX4UcRCQS0gj65SH-Q3_n6-nqt0MAK-TYFu1m6VKmJ-ohQdbULeQZXt-7odpHKAOoVVTvwnG7KZdyfGB8brXV-Wpwwg1Fe9uSMOOsiHCx2NZlPv-8mbsdJTXM19lYzxcStySwqlR-AQNpwUHmDP4k8r31cb5BopqkH-ITteDQM2G6X3lK7HQ5H7Coou47EaCYVW37XVM-386tuKtkF5bJtnaiGokYlNDIgc8IHWhiZ0DxqLSldSwPIRawdsMdDoYq-2_ajROHEsOT9wLwsTvSzNNP1pNgGH01bz1aCvPvC4454XbQOOw23rgF8dGX4A6E_Ny8K_mjFTxmKby9a8f5PCXyKOcublW2hRM4QYXAH4k5F_UlPFpLi3q-lKV29CKxVDmIvlkjiM3IMw-Deunz6G40unCznB1Qvw-_raP86SB7UqL5TL33jFWsWEMh-BgzA%26lptoken%3D15126962368e279f165c&caid=66a39719-c53a-4764-aff0-d410ed5183ba&zpid=332b01ec-df13-11e9-af87-0ad8dd6ea862&cid=&rt=R

Code:
End of code

Last edited by larrysb; Sep 24, 2019 at 05:56 PM.
Old Sep 24, 2019 | 06:11 PM
  #7  
larrysb

Add another pop up malware redirect.



Code:
xttp://your-mac-security-analysis.net.gwbpobzrv.semumcgfnqvx8lkkrwtso4jdc4upyxz4.xyz/fx/en/index.php?browser=Safari&fred=1&app=Mac%20Speedup%20Pro&hul=rs.eujmj3g.space&cep=4rGtAf_zZWfdYHnohQ1zM0FMErYW0297RETBBUmZvUls0sl1fGMMDG4xflqD_eG-AQvLwX30FrduXWdz4favn-UHNxJy_MNm3SuCEQyXNxqZumC_HDKZInq9EeEjnEja4wm5pD4BZQnUcA0J5c3q8S6aur2SfjRV_dpdBE0C5N0Id7q2zMIrodV0yYSoaf25-_aLTUc-FxTNPO2lgwXLt9QHgH0oEFKY4rJNQb3KwVuufwa9ln_G1x20nxYeMr1j_NAhzZu6_n6I72Pc9BkEv9LdNlwpt9TIcYdG7nIkySzqx3n39HhCqwS7_y4Fdaom1fjnqr4FsNVjR2gj3qdVcMSSxsMeUza9OBjQXbWFrPWgNXQdE5zK-39gUqLinDir0aU71VT2EhhjSLVVUFhu3mqnxJsA4lPbIdromfjzVQp4CAzqAwcvKY81gpYV6dNJIvHZyWK5PG1gTgrzyyZO2d33wCxXRknB4AO14cffasmgN1C2eb4CqI1mQc0ZZOqrJs35ssImTQlaeMi3L4Fc04acrsV_MtM3owZ_1YTHHmLQcFbk202ri7rgkhJJRv4HSzYv5JipLAG8JRKBvlhwEg&_=BAoAXYqSsAFdipKwgAGBAcAAIOqewL68M-URQBcZYa2GURDXRtGaEoMYCzfRTBW6hjBGwQAg8sef7geIWOpTCTkfHiRWQUW-8Imsv9mF6ixmmJjs2P_CACDOiCWDwyNGQ3r7RXVQA2xw3BwcDeBiIBab56lmlXoTbMQAECYBBkaMAIudnX2gwQ_d0SLFABD-f4oawPYy1TUgi7dmzbqNwwAgBhavMuUnpl62ieHv6IbL7cZzj2cmCGN5aokyxAWKh30

end of code
Old Sep 24, 2019 | 06:12 PM
  #8  
larrysb

Adscore implicated multiple times.

They should be considered a malware vector, period.
Old Sep 27, 2019 | 03:26 AM
  #9  
larrysb
Block box banner ad and malware redirects

J T has asked about this before. I'm getting better at intercepting these before they actually do the redirect through adscore to the malvertising site.

I have a screen shot of what happens right before the redirect:


Old Sep 29, 2019 | 03:03 PM
  #10  
GCG's Avatar
GCG
Melting Slicks
10 Year Member
 
Joined: Jan 2009
Posts: 3,275
Likes: 739
From: Miami FL
Default

Originally Posted by larrysb
J T has asked about this before. I'm getting better at intercepting these before they actually do the redirect through adscore to the malvertising site.

I have a screen shot of what happens right before the redirect:...
Thank you for taking the time to do this

I would like to ask you, what do I need to add to my router to block this behavior? You mentioned it above in one of your posts, but could you please tell us exactly what needs to be written to blacklist it?

Thanks again!
Old Sep 29, 2019 | 03:48 PM
  #11  
J T

Originally Posted by GCG
Thank you for taking the time to do this

I would like to ask you, what do I need to add to my router to block this behavior? You mentioned it above in one of your posts, but could you please tell us exactly what needs to be written to blacklist it?

Thanks again!
There is no easy answer to your question. Filtering on the router level, how you do so is going to vary greatly from one to the next due to all the different brands and models of routers out there. One can filter at the Windows PC level via localhost file. All this goes a bit beyond the scope of this website/forum. Feel free to PM or use Google with your specifics. Additionally, these types of concerns have been part of the Internet (like Spam) and so there is no one permanent solution as sources, strategies, etc., change.

That said, the teams were reviewing and discussing this (and other) material regarding this concern on Friday so the teams continue to address these concerns.
Old Sep 30, 2019 | 11:23 AM
  #12  
FN in MT's Avatar
FN in MT
Racer
 
Joined: Jul 2019
Posts: 490
Likes: 430
From: Cascade, Montana
Default

More "Your MAC is infected" pop ups again this past weekend and TODAY.
Old Sep 30, 2019 | 08:54 PM
  #13  
larrysb

Router level blocking depends a lot on your router. I have a fairly modern Asus router, which allows for filtering on keywords in URLs.

You can, at least on MacOSX and Linux systems, edit the 'hosts' file on the system ( in /etc/hosts ).

However, I'm finding that for some inexplicable reason, Safari resolves DNS differently for HTTP vs HTTPS. It respects /etc/hosts for http, but not https. Who the heck knows why they did that.


I do NOT have an issue with advertisers!!! That's perfectly fine with me. Legitimate advertising is completely OK in my book.

I have a lot of hatred for malvertising which is what all these pop-ups and redirects are all about. They're hijacking Internet Brands users to try and trick them into installing malware.

What happens is this:

Internet Brands contracts with ad-insertion providers and get paid for "impressions" and clicks through. There's a rotating banner ad at the top and bottom of the page. If you leave it sit, every few seconds a new banner pops up. These advertisers want to be sure they're not being ripped off with fake views by robots and what not, so they use bot detectors and browser fingerprinting services, like adscore.

The problem comes in when some unscrupulous outfit buys ad impressions and they encode the malware redirects into hidden things, like dummy images. They write little javascripts that decode the blocks, and then they bounce through the robot detection services (who are often on the shady side). The 'bot detection server is supposed to identify real browsers vs. bots and send the real people a real ad, while sending the robots nothing. The legit purpose is to circumvent click robots.

But - adscore and others, are easily abused (and they don't try real hard not to be abusable) into fingerprinting your browser and redirecting you to a malware vector. That's why Macs get redirected to the "MacKeeper" a-holes, Androids get directed to the "..google user..." scam and Windows users will often get the "your PC is infected...." . All are malvertising and either trying to force-fish you into clicking a link or downloading something harmful to your computer or phone.

Honestly, if I were an exec at Internet Brands, this crap would be way up on my priority list. There is no purpose at all in whoring out your hard-earned users to malware vectors. It's like running a nice restaurant and inviting pick-pockets to wander around and steal what they can from your customers.
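Added example (editor's code, not written by any poster in this thread): a small triage script for the captured redirect URLs discussed in posts #6, #7 and #13. It unwraps the nested `target=` URL, collects every hostname in the chain, and separates hosts that recur across captures from one-off landing hosts. The sample URLs are constructed from hostnames and parameter names quoted in the thread, with the long tracking tokens shortened to `TOKEN`; the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed samples: hosts and parameter names as quoted in the thread,
# tracking tokens shortened to "TOKEN". URLs stay defanged ("xttp").
CAPTURED = [
    "xttp://rs.eujmj3g.space/zp-redirect?target=https%3A%2F%2Fc.adsco.re%2Fd%23TOKEN"
    "%3Fbrowser%3DSafari%26trackingdomain%3Drs.eujmj3g.space&rt=R",
    "xttp://your-mac-security-analysis.net.ahrauchd."
    "h5pg5hj9fyamcrwakp091o16mp5sjsne6izdq.xyz"
    "/fx/en/index.php?browser=Safari&hul=rs.eujmj3g.space&cep=TOKEN",
    "xttp://your-mac-security-analysis.net.gwbpobzrv."
    "semumcgfnqvx8lkkrwtso4jdc4upyxz4.xyz"
    "/fx/en/index.php?browser=Safari&hul=rs.eujmj3g.space&cep=TOKEN",
]

URL_RE = re.compile(r"^(?:https?|xttps?)://", re.I)
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def refang(url):
    """Turn xttp/xttps back into http/https for parsing only; nothing is fetched."""
    return re.sub(r"^xttp", "http", url, flags=re.I)


def hosts_in(url, depth=0, found=None):
    """Return every hostname in a URL, including URLs and bare hostnames
    carried inside its parameters (target=, hul=, trackingdomain=, ...)."""
    found = set() if found is None else found
    if depth > 4:                      # bound the recursion on hostile input
        return found
    parts = urlsplit(refang(url))
    if parts.hostname:
        found.add(parts.hostname.lower())
    # Parameters can sit in the query or after a '?' inside the fragment,
    # as in the decoded target "https://c.adsco.re/d#TOKEN?browser=...".
    blob = parts.query + "&" + parts.fragment.partition("?")[2]
    for _, value in parse_qsl(blob):
        if URL_RE.match(value):
            hosts_in(value, depth + 1, found)
        elif HOST_RE.match(value):
            found.add(value.lower())
    return found


def blocklist(captures, min_hits=2):
    """Split hosts into those seen in at least min_hits captures and the rest."""
    seen = Counter()
    for url in captures:
        seen.update(hosts_in(url))     # a set per capture: counts captures
    recurring = sorted(h for h, n in seen.items() if n >= min_hits)
    one_off = sorted(h for h, n in seen.items() if n < min_hits)
    return recurring, one_off


def hosts_file_lines(hosts):
    """Format /etc/hosts entries; the hosts file matches exact names only."""
    return [f"0.0.0.0 {h}" for h in hosts]


if __name__ == "__main__":
    recurring, one_off = blocklist(CAPTURED)
    print("\n".join(hosts_file_lines(recurring)))
    print("# seen once (review before blocking):", ", ".join(one_off))
```

With these samples the landing hosts under `.xyz` differ on every capture, so exact-name entries for them do not carry over to the next hit, while the intermediate host named in `hul=` and `trackingdomain=` recurs.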
Old Sep 30, 2019 | 09:12 PM
  #14  
J T

Originally Posted by larrysb
They're hijacking Internet Brands users to try and trick them into installing malware.
This (and these types of attacks) are not specific to Internet Brands' sites. Some have stated this is a "CorvetteForum only" issue or "Internet Brands only" issue when, even if that might be what the member sees due to the few websites they use on a daily basis versus the amount of actual websites online, that is not the case.

I would prefer this thread keep on topic for those who want to report they're seeing the issue, along with a screen capture, and please also provide your regional location if you're reporting the issue. Please keep the discussion of router blocking, software blocking, and management operations (use of ads, etc.,) to PMs or email as it technically doesn't follow our guidelines and it sidetracks this topic from being able to provide the assistance needed for the team to continue tracking the issue.

The team is actively working on this issue and some of the information from this thread and outside of CorvetteForum has given some leads in progress of the recent spam.

Thanks
Old Sep 30, 2019 | 10:33 PM
  #15  
larrysb

True, it happens on other sites as well.
Old Oct 1, 2019 | 12:23 AM
  #16  
Greg's Avatar
Greg
Just another Corvette guy
Supporting Lifetime Gold
20 Year Member
 
Joined: Feb 1999
Posts: 8,518
Likes: 3,865
From: Palm Springs, CA.
Default

Larry,
Thanks for the in-depth account of this plague. I seem to get a tsunami of it for a couple of days and then it disappears for a while. Only on my hand held, never on my home computer.
Have you been able to determine yet who the responsible party is?
Greg
