chizumatic.mee.nu

February 25, 2015

Browser Hijack

Just now I followed a link from BakaBT to ANN, and instead I got this address:

security-alert.norton.com.pc-okok.com

Which was a page that told me I was infected with some virus, and put up a popup advising me to call some phone number or other. (This is a common tack for malware: the people on the phone number will then tell me how to download a program that "fixes" the problem and also makes me part of their botnet.) Dismissing the popup made it appear again, meaning I couldn't close the tab. The only way to recover was to use the process manager to kill IE.

Obviously the first thing to do, which I just did, was to tell Windows Security Essentials to do a scan, and it didn't find anything.

The second thing was to clear the browser cache.

The third thing was to add "pc-okok.com" to the reject file in Proxomitron, so that I can't ever load it again. But I still want to know how my access was hijacked.

I'd also like to know how my browser found the site. "pc-okok.com" doesn't resolve through DNS, so what address is it?

UPDATE: Ah. The entire URL does resolve through DNS to 23.3.75.25, which is "a23-3-75-25.deploy.static.akamaitechnologies.com". Think I'll be sending them some email... UPDATE: Man, I think they don't want to hear from anyone. What a clumsy web interface, which I don't think worked.

The whole URL looked like this:

http://security-alert.norton.com.pc-okok.com/index-1d.html?isp=Comcast%20Business%20Communications&browser=Internet%20Explorer&browserversion=Internet%20Explorer%2011&ip=70.90.130.45&os=Windows&osversion=Windows%207

DO NOT LOAD THAT PAGE, OK?

When that URL was created, someone did a reverse DNS on my IP in order to learn that I'm on Comcast Commercial. So I assume there was some other site in between, but the IE browser history doesn't show anything that makes any sense.

The only possibility I can see is that ANN's server has been corrupted.

UPDATE: Actually, I just remembered that this kind of thing has happened before, and it was a seedy advertiser coming in via a fairly respectable ad server.

Posted by: Steven Den Beste in Computers at 02:38 PM | Comments (2) | Add Comment
Post contains 333 words, total size 2 kb.

Ben said (in the wrong thread):

This is apparently some new code for a classic attack; I've had two hijacks like this in the last two days after not having one for a year or so.

Posted by: Steven Den Beste at February 25, 2015 06:44 PM (+rSRq)

2 Yeah, pretty classic one to sneak into an ad-server.
Reminds me of the only time I ever got a virus. I was trying to diagnosis a problem on my sister's computer, and ended up hitting a similar link. (Was a Java exploit attack)
And there's a reason I run Adblock Plus & Ghostery/Disconnect. I have sympathy for the sites I visit, that it removes ad-revenue. But not enough for exposing myself to potential attack.

Posted by: sqa at February 26, 2015 05:32 AM (pNJS8)

Hide Comments | Add Comment

Enclose all spoilers in spoiler tags:
[spoiler]your spoiler here[/spoiler]
Spoilers which are not properly tagged will be ruthlessly deleted on sight.
Also, I hate unsolicited suggestions and advice. (Even when you think you're being funny.)

At Chizumatic, we take pride in being incomplete, incorrect, inconsistent, and unfair. We do all of them deliberately.

How to put links in your comment

Comments are disabled.

7kb generated in CPU 0.0039, elapsed 0.0131 seconds.
20 queries taking 0.0102 seconds, 19 records returned.
Powered by Minx 1.1.6c-pink.