Forum Feedback & Announcements forum

Alert

Very strange happenings this afternoon

by Steven Haninger / July 15, 2017 11:03 AM PDT

Using FF 54.0 64 bit in Linux Mint, I will get a skeletonized box with the following message inside:


Logon To Your Account
Shopping Account shopdaddy.co.in

The upper right side has a small box with an X and also a triangle underneath that a mouse-over produces something about AdChoices. (I do use Adblock plus but it's partially disabled for Cnet.) There is a forward facing arrow in a circle that, when clicked on, produces a "RansomWare Alert" message as well as audio claiming that if you close the box without calling the number given your Microsoft account will be disabled. Closing the message produces the following:

"http://microsoftsupportlinehelp.com is requesting your username and password. The site says: “0x80070424 Microsoft Security Alert: Ransomeware Threat Detected !!! Call Microsoft Help Desk: +1-800-683-9841 (TOLL-FREE) ”

The audio message also makes reference to "Error 268B3" which is an easy Google away from finding others who have reported this. What makes it go away for me is to change AdBlock plus to block Cnet ads entirely. Interestingly as well, without blocking Cnet this way, I will get an offer using the same size and shaped skeletonized box offering a password finder for $9.99.

This has been happening today only and only when I boot Linux and not Windows. I suspect this is not caused by a malicious program that's been installed on my machine but by a malicious ad that runs on the Cnet site as this only happens here. I'll keep an eye on it.

Well, it's not from Microsoft.
by R. Proffitt Forum moderator / July 15, 2017 11:37 AM PDT

It's a scam popup. Usually some infected ad server. Not your PC, phone, tablet or smart device.

Scam popup indeed
by Steven Haninger / July 15, 2017 12:11 PM PDT

but, thus far, only when I enter the Cnet forums with AB+ disabled for the site or allowing for "non-intrusive" ads. Checking the list of AB+ non-intrusives does show references to Google's "ad choices" so I suspect that offers a clue. I'll wait to see if others report the same thing or similar.

Well. Now happening on my Windows 7 installation
by Steven Haninger / July 15, 2017 12:59 PM PDT

of the same PC. Other ads that appear are for malware removal programs and Google's AdChoices seems to be a common denominator. Strange that I'm only seeing this here.

find out where it's coming from
by James Denison / July 15, 2017 1:22 PM PDT

and add a host file entry, something like

0.0.0.0 googleadserver.net


or whatever it is.

Empty cache might get rid of it, but may need to remove cookies to CNET site also.

Further evidence that it could be my startup settings
by Steven Haninger / July 15, 2017 3:18 PM PDT

My start page has been Google search. If I change to "about:blank", I no longer get the Google AdChoices link in the Cnet forums. Since my cookies, cache and all history are cleared upon exiting FF, each restart is fairly fresh. I was under the impression that there was no sharing of cookies between web sites nor awareness of other cookies on a machine other than a web site's own. This may no longer be true. Google has announced some upcoming changes and I suspect they are at the root of this.

Re: Adchoices
by Kees_B Forum moderator / July 16, 2017 4:26 AM PDT
http://youradchoices.com/ tells more.

If you delete the cookies, it's not surprising they ask again. I think it's better to let them stay.

By the way, deleting what's in the cache when you exit the browser makes it slower next time. Since it's strictly local on your PC, it's totally unrelated to privacy on the web.
It's only relevant if you want to hide what sites you visit from your wife, your children and other users with administrator capabilities on your PC. They might be able to find out what you saw. Same for history. But I don't think that applies to you. So my advice is to just leave cache and history on your PC for a while.

And if you use FF I fail to see why you should have Google Search as a start page. Firefox has a nice box on top to type your search in, that's available immediately, and for me there's no need to have two such boxes when I start my browser. My start page is set to about:blank, but you might prefer another one.
I will try what you said
by Steven Haninger / July 16, 2017 5:36 AM PDT
In reply to: Re: Adchoices

The reason for mass deletion of history and cache is to prevent Google from building a large page of suggested sites. Google is the culprit here in one way or another. I find it strange that I do not have this problem until a Google cookie is set. Why that changes what I see in the way of ads in Cnet forums only is a mystery. It's been my understanding that there's no sharing of cookies between web sites. My finding of some Google ad server test cookie within the plethora of Cnet cookies makes me wonder if that lack of association is about to become history.

Culprit...maybe
by Steven Haninger / July 16, 2017 2:13 AM PDT

This might also relate to the massive number of cookies generated by Cnet. One of these is called "GoogleAdServingTest". As Sgt. Schultz would say..."Very suspicious!"

"I do not get it."
by richteral / July 16, 2017 1:13 PM PDT
In reply to: Culprit...maybe

Addressed just recently:

https://www.cnet.com/forums/post/10cededd-fff0-41a0-8163-327e64c96721/

Now to some of the issues:

Google has become a dirty word, so why use it at all? How about Startpage at least, if not DuckDuckGo? What is so difficult? "Don't be evil" is gone with the wind (cf. Steve Jobs):

http://bgr.com/2015/10/04/google-dont-be-evil-alphabet/

Same with Firefox; on principle, I dropped Mozilla as soon as they had dropped Brendan Eich. I have not the slightest need to use FF, and I do not get all you people who do. Slimjet (very fast) and Opera provide what I want, with Links 2 on the side if I intend to read only. (That makes three instrumental browsers in all, with TOR on the side just for the fun of it.)

By the way, on Slimjet as I write, there is no functional issue brought about by the integrated ad-blocker despite CNET not being white-listed. Moreover, Opera comes with EFF Privacy Badger that sniffs out and makes short work of intrusive cookies. So again, what the gehenna does FF do for you?

Neither of the above browsers has given me the sort of grief described by others. Why engage in digital masochism? I do not get it.

Ever consider going dark?
by R. Proffitt Forum moderator / July 16, 2017 1:35 PM PDT
In reply to: "I do not get it."

Did you consider running exclusively in the TAILS OS? I use this on travel.

Also, these browsers.
- Epic Privacy Browser
- Comodo Dragon
- Brave
- Tor

Good suggestions.
by richteral / July 17, 2017 12:24 PM PDT

I travel with a Knoppix stick, out of sheer admiration for Dr. Knopper (OK, not just because of that).

Tails will be on my shortlist when trying out several Linux distros soon; there is a laptop waiting for the standard Darik treatment before it gets a new life.

A few years back, Comodo browsers served well on Vista. TOR may be a double-edged sword - it is good to know what one is doing with it.

While I would not call myself an extremist.
by R. Proffitt Forum moderator / July 17, 2017 12:47 PM PDT
In reply to: Good suggestions.
Weird..
by aladinmonster / July 16, 2017 9:56 PM PDT

Yeah, that happened to me last year. That's some sort of infected virus. I recovered my software at that time. But I guess it still works if you download some program that clears up all the virus programs.

(NT) NT - it's a browser "hijack".
by James Denison / July 17, 2017 2:08 PM PDT
In reply to: Weird..
No evidence of that here
by Steven Haninger / July 17, 2017 3:24 PM PDT

What I see is a redirect from googleads.g.doubleclick.net (long string of random characters)/adurl=http://s.h.o.p.d.a.d.d.y.co.in. Remove the periods between the shopdaddy letters but leave in .co.in and put that url into your browser and you may see what I'm seeing. This happens in Windows, 2 versions of Linux, FF, Chrome, and Opera. I will occasionally get this in the Cnet forums only when I loosen adblock plus. I'm working with another PC and another ad blocking extension to see if it will go away.

Not a browser hack
by Steven Haninger / July 17, 2017 3:35 PM PDT

It was a googles/doubleclick redirect with a long string of random characters to a site called "shopdaddy.co.in". I could put the final destination directly into my browser url and get the same message. This happened in Windows, 2 versions of Linux, and 3 browsers. I'd get the redirect only in the Cnet forums if I set AB+ to allow non-intrusive ads. Later today when I plugged the shopdaddy url into my browser, I got something about shop like crazy and no more malware message. I think it may have been something in that long string or the shopdaddy site itself that was hijacked. Strangely enough, this only seemed to happen if I had a stored google cookie but this was too random to do extensive investigating.
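
Added example, not part of any post in this thread: a Python sketch of the approach discussed above, which is to find where the ad link leads and then add a hosts file entry for it. The function names are hypothetical and the random string in the sample ad links is a constructed placeholder; the host names are the ones quoted in the posts.

```python
import re
from urllib.parse import unquote, urlsplit

# Strict hostname pattern: anything with spaces or control characters is
# rejected so a crafted URL cannot smuggle extra lines into the hosts file.
_HOST = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def landing_host(url):
    """Return the host an ad link finally points at, or None if unusable.

    'adurl=' is searched for anywhere in the URL because the post shows it
    after a slash in the path, not only as a regular query parameter.
    """
    pos = url.find("adurl=")
    target = url[pos + len("adurl="):] if pos != -1 else url
    target = unquote(target.split("&", 1)[0])  # destination may be percent-encoded
    try:
        host = (urlsplit(target).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed netloc such as an unclosed '['
        return None
    return host if len(host) <= 253 and _HOST.fullmatch(host) else None

def hosts_entries(urls, existing_hosts_text=""):
    """Build '0.0.0.0 <host>' lines for hosts not already in the hosts file."""
    present = set()
    for line in existing_hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        present.update(name.lower() for name in fields[1:])
    new_lines = []
    for url in urls:
        host = landing_host(url)
        if host and host not in present:
            present.add(host)
            new_lines.append("0.0.0.0 " + host)
    return new_lines

# Constructed sample input; the random string in the ad links is a placeholder.
SAMPLE_URLS = [
    "http://googleads.g.doubleclick.net/CONSTRUCTED-RANDOM-STRING/adurl=http://shopdaddy.co.in",
    "http://googleads.g.doubleclick.net/CONSTRUCTED/adurl=http%3A%2F%2Fshopdaddy.co.in%2F",
    "http://microsoftsupportlinehelp.com",
]
SAMPLE_HOSTS_FILE = "127.0.0.1 localhost\n"

if __name__ == "__main__":
    print("\n".join(hosts_entries(SAMPLE_URLS, SAMPLE_HOSTS_FILE)))
```

The printed lines go at the end of /etc/hosts on Linux or C:\Windows\System32\drivers\etc\hosts on Windows.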

Who is your ISP?
by James Denison / July 17, 2017 7:18 PM PDT
In reply to: Not a browser hack

They can do that also from their DNS servers. One reason I moved away from Verizon DNS, although they have an "opt out" DNS server that can be used, but few know of it unless they search it out. At that time, till I figured it out and bypassed their DNS, every 404 page instead was redirected to some ad site by Verizon.

ISP is Earthlink
by Steven Haninger / July 18, 2017 1:42 AM PDT
In reply to: Who is your ISP?

but the ownership has changed over time. They are my ISP but the local cable co name was just changed from TWC to Spectrum which I think is Charter Communications. I've used the Google public DNS a few times when having issues with Earthlink but I'd prefer not to do so. I was able to do a screen capture of the entire string that caused the malware alert but when I was able to produce the same results using just the final site name, I decided it was probably that site that was hacked. It would still show in Google's AdChoices insert into the Cnet forums page but selecting it resulted in some legitimate shopping site of the same name. If this happens again, I can try and plug in the Google public ISP numbers to see if that makes a difference but I doubt it would. I'm surprised no one else reported this, however.

There are other public and free DNS
by James Denison / July 18, 2017 8:45 AM PDT
In reply to: ISP is Earthlink