Linkjacking / Redirect to Phishing Site occuring

[drudkh]

Hiya,

 

On separate computers (one being my work machine where a handful of measure are taken to prevent malware) I have experienced a redirect to a couple of domains attempting to phish credentials.  Other users seem to have experienced this as well.

 

It is of course entirely possible that my computer has been infected prior (or other user error), but please consider the possibility as well that STEP may be serving some content/script that may be causing this. 

 

An example of what occurs:

• I search (generally with DuckDuckGo) for something that I care about on the STEP forum, such as DynDoLod resources. https://duckduckgo.com/?q=dyndolod+resources+sse&t=ffab&ia=web
• I click on a link that I can see takes me to https://forum.step-project.com/topic/11462-dyndolod-2xx-full-update-post/
• After clicking that link, I (used to, see bottom) get redirected to https://q54w.redirect00002.net/?nihifa=flow
• Which in turn redirects me to https://x0z01i16003.info/en/?id=KzEgKDg4OCkgMjg2LTY1ODU
• The above links can create a bunch of awful noise and will ask you for credentials, I don't recommend clicking them.  That said, you can visit them and because you're not downloading / executing random code from the internet, it's not the end of the world.

 

To prevent this from occurring again, I have modified my HOSTS file to not allow those two domains to resolve.

0.0.0.0 q54w.redirect00002.net
0.0.0.0 x0z01i16003.info

A full description of HOSTS file modifications is available at https://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

 

So to the admins I ask that you take a bit of time to review how this may be occurring and take steps to address it.

 

Thank you!

-drudkh

[alt3rn1ty]

@Mator - Not sure about detection rates either, but really whatever free anti-mal anyone uses doesnt matter, it will prevent the majority of threats just as well as any paid for product. Nothing is invulnerable.

 

TeamViewer is good for remoting if you havent heard of it before, I help family and friends from afar with that software solve many issues.

Edited November 13, 2017 by alt3rn1ty

[TechAngel85]

How and where is this site hosted?  For example, are you paying for a VPS and you took the time to install the forum software yourself?  What third party plugins are installed on the forum?  Could any of them be out of date?  What third party scripts are attempted to be loaded?  Are any on non-reputable CDNs?

This is not information that we would typically release to the public. I do understand that you're looking for a point of entry for malware on the site. However, I'm with Kabepo. If this was coming directly from our website, then everyone would be experiencing it and we'd have a ton more reports about it. Not only that, but our hosting provider would also likely catch on to the activity. The only reason this wouldn't be widespread and still coming from our website is if it was a very targeted attack (region, browser app, search engine, etc). Else, the most likely explanation is as Kabepo says; a local issue on the local system.

 

My first recommendation here is to run SuperAntiSpyware. I've used it for years while doing freelance computer repair. Download the portable version, run your system in Safe Mod without Networking, then run the scan. Clean up anything it finds. I personally do not care for MalwareBtyes.

Edit:

I personally use MS Security Essentials and just run SuperAntiSpyware once every couple months. Good practices is where it's at. I never have any issues because the common tracking cookies. I once used Avast, but found it unnecessary.

[drudkh]

https://blog.sucuri.net/2015/02/analyzing-malicious-redirects-in-the-ip-board-cms.html

 

I will run each scan suggested to me.  In turn, please review the above.  It fits this scenario quite well.

[Mator]

https://blog.sucuri.net/2015/02/analyzing-malicious-redirects-in-the-ip-board-cms.html

 

I will run each scan suggested to me.  In turn, please review the above.  It fits this scenario quite well.

Great find.

 

I actually saw some base 64 encoded stuff in the STEP code when I was looking around, though I think what I saw was probably just part of IPB.  I think this is quite likely to be the exact issue here though.

 

EDIT: This article which is linked from there is much more in-depth, definitely something we should do to investigate this Tech & Z: https://peter.upfold.org.uk/blog/2013/01/15/cleaning-up-the-ip-board-url4short-mess/

Edited November 13, 2017 by Mator

[TechAngel85]

It'll be on Z. I don't have the access to sever files on this server.

 

It should be noted that I deleted all my cookies, cleared my caches, closed the browser, opened the browser, searched the forums on Google, clicked a link, and...nothing. Worked as it should. Same thing with Firefox and Chrome.

[drudkh]

The nature of the vulnerability prevents every user from seeing it.  Like you, if I clear cookies and come back, it doesn't happen.  Nor an incognito window.

 

Mator, can you grep for $mds?  If you're on Windows, you can get a CLI grep replacement, or (way easier) Agent Ransack is good freeware that does the same thing.

Edited November 13, 2017 by drudkh

[drudkh]

You can view additional vulnerabilities in IPB at https://www.cvedetails.com/product/18333/Invisionpower-Invision-Power-Board.html?vendor_id=10268

[Mator]

The nature of the vulnerability prevents every user from seeing it.  Like you, if I clear cookies and come back, it doesn't happen.  Nor an incognito window.

 

Mator, can you grep for $mds?  If you're on Windows, you can get a CLI grep replacement, or (way easier) Agent Ransack is good freeware that does the same thing.

I don't have server access either, so it's not something I can address at the moment.

[DoubleYou]

And when it happened to you, how was you accessing the site?

Via the View New Content button. Only happens when I access STEP website, which is why I think it is on your end. I can browse for hours on other websites with no trouble. Windows Defender detects no problems on my Windows 10 computer. I will try looking at the source code in the browser next time it happens and see if I can see anything. I will try and see if Microsoft Edge behaves the same.

[DoubleYou]

Tested with Microsoft Edge. Steps I used:

 

1. Used Bing to search for "step project forum"

2. Clicked the link to the forum.

3. Within a few seconds I was transferred to the phishing site.

 

So if it is on my side, it infected both Chrome and Edge.

[Mator]

Tested with Microsoft Edge. Steps I used:

 

1. Used Bing to search for "step project forum"

2. Clicked the link to the forum.

3. Within a few seconds I was transferred to the phishing site.

 

So if it is on my side, it infected both Chrome and Edge.

If it was a local piece of malware the browser you use wouldn't matter.  I'm fairly convinced it's not a local piece of malware though, and that it's something that inserted itself into the IPB assets via some kind of vulnerability in IPB per drudkh's previous posts.

[kabepo]

Funny, that's exactly what he used/uses!

 

I personally use Avast and Spybot S&D, but I haven't done much research lately into detection rates.  EDIT: Here's the most recent report I could find about detection rates, though I'd like to find more reports.  Always good to have multiple sources.  But this reflects what I had found previously several years ago.  Though MalwareBytes AntiMalware is incredibly popular, its detection rate for malicious software is sub-par.

These are some sites for virus detection rates:

https://www.av-comparatives.org/

https://www.av-test.org/en/

Although I think people obsess a bit too much over which antivirus "is the best". More important is being careful of what you click on, what you install, and which emails you open.

 

Malwarebytes version 2 was not very good for real-time protection, but that was not its main focus. It was very, very good for cleaning up infected machines.

Malwarebytes version 3 has improved real-time protection.

[kabepo]

Tested with Microsoft Edge. Steps I used:

 

1. Used Bing to search for "step project forum"

2. Clicked the link to the forum.

3. Within a few seconds I was transferred to the phishing site.

 

So if it is on my side, it infected both Chrome and Edge.

If you are interested to know if the infection is on your side, or to prove that it is most probably a webserver infection, then follow this procedure and report the results.

 

https://malwaretips.com/blogs/remove-browser-redirect-virus/

[drudkh]

Tech, Mator, Z: Have there been any attempts to verify this?

[TechAngel85]

Tech, Mator, Z: Have there been any attempts to verify this?

No, sorry. Z is the only one with server level access on this host and he's been fairly busy in RL.