non-issue Linkjacking / Redirect to Phishing Site occuring

[drudkh]

Hiya,

 

On separate computers (one being my work machine where a handful of measure are taken to prevent malware) I have experienced a redirect to a couple of domains attempting to phish credentials.  Other users seem to have experienced this as well.

 

It is of course entirely possible that my computer has been infected prior (or other user error), but please consider the possibility as well that STEP may be serving some content/script that may be causing this. 

 

An example of what occurs:

• I search (generally with DuckDuckGo) for something that I care about on the STEP forum, such as DynDoLod resources. https://duckduckgo.com/?q=dyndolod+resources+sse&t=ffab&ia=web
• I click on a link that I can see takes me to https://forum.step-project.com/topic/11462-dyndolod-2xx-full-update-post/
• After clicking that link, I (used to, see bottom) get redirected to https://q54w.redirect00002.net/?nihifa=flow
• Which in turn redirects me to https://x0z01i16003.info/en/?id=KzEgKDg4OCkgMjg2LTY1ODU
• The above links can create a bunch of awful noise and will ask you for credentials, I don't recommend clicking them.  That said, you can visit them and because you're not downloading / executing random code from the internet, it's not the end of the world.

 

To prevent this from occurring again, I have modified my HOSTS file to not allow those two domains to resolve.

0.0.0.0 q54w.redirect00002.net
0.0.0.0 x0z01i16003.info

A full description of HOSTS file modifications is available at https://blog.achievable.me/tech/edit-hosts-file-on-windows-mac-or-linux/

 

So to the admins I ask that you take a bit of time to review how this may be occurring and take steps to address it.

 

Thank you!

-drudkh

[Mator]

Thanks for posting this here.  I'm unable to recreate this issue on my machine (testing with multiple browsers and all protection disabled), but I'll test on some other computers to see if I can get different results.

[TechAngel85]

I have attempted to reproduce this on my phone without any issues coming up. I'll try on my computer when I get home.

 

What browser are you using?

[drudkh]

Firefox, latest.  It's definitely erratic - if it occurs and I go back, it doesn't occur again. 

[TechAngel85]

I have not been able to reproduce this on my PC either.

[dreadflopp]

This has never happened to me. I am most of the times to lazy to create bookmarks and resorts to google to navigate to the STEP page that I want, even if it is my own wiki/forum pages. Maybe google prevents some phishing sites from showing up? I don't use duckduckgo.

I've had viruses on my pc before that has caused the behaviour you describe, but it sounds like you should know if you had one?

[kabepo]

This has never happened to me. I am most of the times to lazy to create bookmarks and resorts to google to navigate to the STEP page that I want, even if it is my own wiki/forum pages. Maybe google prevents some phishing sites from showing up? I don't use duckduckgo.

I've had viruses on my pc before that has caused the behaviour you describe, but it sounds like you should know if you had one?

Infected web browsers on the local PC commonly can cause exactly this behaviour.

 

The OP is very premature.

The first step (excuse the pun) should be to investigate the local PCs and verify they are not causing the problem.

[Mator]

The OP is very premature.

The first step (excuse the pun) should be to investigate the local PCs and verify they are not causing the problem.

The thing is that multiple users have reported this behavior when visiting the STEP site, making me think there's something afoot.  But if we can't recreate the issue and get some diagnostic information we won't be able to fix it (and it is most likely not related to STEP).

[DoubleYou]

I have had this happen to me several times, only on the STEP website. I have Google Chrome. I have Ublock Origin installed as my ad blocker.

[TechAngel85]

I have had this happen to me several times, only on the STEP website. I have Google Chrome. I have Ublock Origin installed as my ad blocker.

And when it happened to you, how was you accessing the site?

[GrantSP]

Chrome with UBlock Origin and I have never experienced this. Also been running Windows 10 for many months now.

[kabepo]

The thing is that multiple users have reported this behavior when visiting the STEP site, making me think there's something afoot.  But if we can't recreate the issue and get some diagnostic information we won't be able to fix it (and it is most likely not related to STEP).

Multiple user reports is still completely consistent with a web browser infection.

Web browser hijackers do not infect just one PC. A successful web browser hijacker will infect as many PCs as possible, and redirect all of them to their preferred set of websites.

So multiple user reports are expected, and just confirms the web browser hijacker is successfully doing what it was created to do - to infect PCs and redirect web requests. A single user report would be the unusual event.

 

Infecting a web browser on a local PC is a relatively easy thing to do. Especially as many end users are completely clueless.

Infecting a web server is also possible, but is a bit harder to achieve.

 

If I was forced to choose between the easy explanation (web browser hijacker) and the harder explanation (web server infection), I would choose the easy one.

Especially as the OP offers no evidence that they have really considered nor investigated the possibility of a web browser infection.

 

If the STEP web server was compromised shouldn't a much larger number of people (potentially everyone) be seeing these same problems?

Edited November 13, 2017 by kabepo

[drudkh]

And when it happened to you, how was you accessing the site?

How and where is this site hosted?  For example, are you paying for a VPS and you took the time to install the forum software yourself?  What third party plugins are installed on the forum?  Could any of them be out of date?  What third party scripts are attempted to be loaded?  Are any on non-reputable CDNs?

 

 

 

 

 

 

kabepo, it's occurring to multiple users across multiple browsers, in addition to myself (which occurred across multiple machines, in different networks, one being a work network where every machine has malware protection).  If you are going to continue to engage, please help us reproduce this or suggest a piece of software that you would like me to use to scan my home machine.  I'll be happy if something turns up and there's nothing wrong with the STEP forum.  Otherwise, you are actually undermining and misdirecting the discussion.

 

I have had this happen to me several times, only on the STEP website. I have Google Chrome. I have Ublock Origin installed as my ad blocker.

 

 

I remember having this happen to me twice when I tried to visit the STEP Project site. First time was probably like two months ago or something, so I'm surprised no one has mentioned anything about it anywhere until now.

At least as a Firefox user, the page that came up for me was red, had the Firefox logo, made a loud alarm-like beeping, and wanted me to call a number to remove a thousand viruses on my computer- which is obviously total BS and a scam. I pulled my Ethernet cord both times and ran a virus and malware scan.

 

https://www.reddit.com/r/skyrimmods/comments/7c90zf/stepprojectcom_security_woes_and_what_to_do_about/dpo4f7u/

 

 

Yeah I got a ******* heart attack when I got assaulted by beeps. Not proud of that scream.

 

https://www.reddit.com/r/skyrimmods/comments/7c90zf/stepprojectcom_security_woes_and_what_to_do_about/dpo1u0b/

Edited November 13, 2017 by drudkh

[alt3rn1ty]

I have never had the problem on STEP, I'm using Chromium and UBlock Origin (Additionally to UBlock Origins options / 3rd party filters, I have MVPS Hosts enabled (which famously has been the best anti-malware hosts file many other Ad Block lists are based upon for many years).

 

A recommendation for doing a local scan : Forget the big players grabbing your money ( Norton / Kaspersky / McAfee etc etc ) Just use Windows Defender (which has evolved from what used to be Microsoft Security Essentials to replace their own old Windows Defender), and for a second opinion the best Scanner I find is MalwareBytes AntiMalware

 

I generally just steer clear of porn or warez / cracks sites, let Windows Defender scan everything that downloads, and occasionally do a good scan of machines with Malwarebytes. All machines in our house have been free of any issues for many years now using this software and personal behaviour.

 

 

For anyone reading who have been using any of the big name money grabbers, if you ever paid with direct debit yearly subscribed, make sure you get their fingers out of your bank account before you uninstall the system hogging pile of crap. They can be a PITA to get rid of, I did it for a relative once after he found a year later they took another payment off him when he believed they had cancelled the previous year "Oops sorry sir, our elbow doesnt know what the arse is doing". I consider Anti Virus suites these days to be worse than malware, and actually they provide a target for malware to circumvent. Once compromised, you are wasting your money .. May aswell use a free one if you are going to get compromised anyway due to your online behaviour. Uninstall the big players, they really are not worth the bother of having them take over your system. But make sure Windows Defender is made active again on completion. Then install Malwarebytes for a good scan before you go back online again.

[Mator]

A recommendation for doing a local scan : Forget the big players grabbing your money ( Norton / Kaspersky / McAfee etc etc ) Just use Windows Defender (which has evolved from what used to be Microsoft Security Essentials to replace their own old Windows Defender), and for a second opinion the best Scanner I find is MalwareBytes AntiMalware

Funny, that's exactly what he used/uses!

 

I personally use Avast and Spybot S&D, but I haven't done much research lately into detection rates.  EDIT: Here's the most recent report I could find about detection rates, though I'd like to find more reports.  Always good to have multiple sources.  But this reflects what I had found previously several years ago.  Though MalwareBytes AntiMalware is incredibly popular, its detection rate for malicious software is sub-par.  That doesn't mean you have to buy premium antivirus software, there are many other free solutions which provide better protection.  I personally use Avast free.  I've previously tried several free AV solutions including AVG and Avira.  I found AVGs interface and nagware unworkable, so I removed it.  Avira bricked my system at one point (potentially partially my fault for choosing to quarantine a file which was in System Volume Information), so I stopped using it as well.

 

Anyways, what I'd really like to do is remote into a machine which is affected by this, crack open browser developer tools, and systematically step through the JavaScript/network actions to find the source of the redirect to the malicious site(s) when opening STEP.  From here I can assess whether or not the JavaScript is getting injected into the browser from software on the local machine or is actually coming from STEP itself (hopefully).

Edited November 13, 2017 by Mator

[drudkh]

I believe that the IP Board forum or its plugins may also be worth examining.  In fact, here are two other IP Board forums suffering the same problem:

 

https://www.focusrsoc.com/forums/topic/280530-security-issue/page-7

https://customsforge.com/topic/41042-spam-paging-loading-up-when-on-forum/

 

I could not find anything related to 'x0z01i15003'.

 

I'll run Avast, but to be clear, the only executables that I run on my machine are from reputable modding sites or trusted third parties.

Edited November 13, 2017 by drudkh