Phishing attacks on BoingBoing

There are still tabnapping and phishing making articles unreliable on the site. Were it not for Feedly and the BBS, I would not read the site at all. And this is a shame, because there is no income from my habits.

The ads read my ISP and pretend to be it, or read my OS and pretend to be iOS or MacOS, and use several redirects to make the back button unusable.

I have cleared all data, in case it was using local storage, to no avail.

2 Likes

Ugh, is this still possible in iOS and OS X Safari? I know they implemented a few fixes for this in the past. You’re on latest iOS (13)? I know the equivalent of iOS 13 isn’t out for iPads yet because of the new iPad OS, but soon.

I received a false Firefox update that would have installed a trojan if Windows Defender hadn’t blocked it.

It happened a couple of days ago when I clicked a blue link someone posted that didn’t onebox. There were 13 other clicks before me. Sadly, I can’t remember or find the particular thread I was in.

2 Likes

My MacBook Pro is updated, my iPad Air 2 is not.

As another update that might help track down which adserver is allowing scummy ads, I just noticed this same behavior on Zach Weinersmith’s Saturday Morning Breakfast Cereal just now on the Mac. Scare tactic “your Mac is infected” bullshit.

People should make sure that Windows Defender is running. A recent update broke it, followed by a fix update.

3 Likes

Many of these malicious ads are geo-targeted to specific places, making it extremely hard to track them down.

If you can screenshot or catch the redirects in your browser history, forward that info to badad@boingboing.net and we will pass it up the chain.

It should go without saying that we (along with our ad partner) do not approve any of these ads, hate them as much as you do, and want to see them removed.

9 Likes

I know, and I appreciate your help. I will make a screenshot the next time. My reason for raising a stink is to actually help you guys, so I’ll do some more forensic digging.

5 Likes

We appreciate all the help we can get in this regard. Our ad provider has been working overtime to get these bad actors out of the system!

5 Likes

I found some of the links were still in the Safari history (yay for CMD-Y!).

As you can see, they use extremely long domain names, almost as if they are registering random hash strings with fakeout names at the beginning.

http://your-mac-security-analysis.net.fgwnnj.trnjorobwju4kchg3dl7jveraoq2lcreys.xyz/fx/en/index.php?browser=Safari&fred=1&app=Mac%20Speedup%20Pro&hul=rs.eujmj3g.space&cep=3zl3dY7PtqhtHQ4Qe2Iz6YidOBiP29kKwRwUyckBH5UGWCHcbxoiAM-6i7Nr4SJ8zc6p8b2PEBMYwpwi9UkclzxQu5SRe3wZl5rC20-CS0w2vy8Ky0997shD8SPCagmUcehX6h8iPQK2W0nlT8MtgEGC8Dg8cddYylKUZNEJoObw-wTszsnF5CbzInEIJw_I3fi9h74_0eKWdfiKVjlO6DJhHIc7Hd-qHj1hHqGvB2D3X726b0yxXzwu1VfjEHH481q4RSzV4C2wflv6MRuzU2XdQyIRmwEwYXNpmxXQRgTTqV3NGkw7MWT19ru3dmZrfA6LsUKQ5uQwCnR1ey3DMb5k3lt8AO0JIkCuTr3Pmb9wmWRTBLffZTJtlV5LaApX9Yqx4xmgLtFFkTMolLWO5hwI9X-ulXw6C4ZL61svjTr9-eAInms5hwPvpZIoE37j3UWb0efdVGs2B21wA35LBMdF9V-ODYwjp-HxanoItu5efRlUSb_zCXVxKtJDfircWVWklzA98iSRcNnFgF_l3_Kj_5Jheeg7Rcw_izFdnLI&_=BAoAXXzUTAFdfNRRgAGBAcAAIHpXQQEgwlYx48HFGnVq4UwwB3NG50ELl6MF7tWhVxfRwQAg1Lc_wEROGJD1-pLXS7Ty4reUUfoDLJOUA1_8btAf_AHCACCsPX4j-SvXvtmN5X87OlQ2j-hWmeEfhyj0kzSd-ruBbcQAECABCmEFOkMBeNAYH6Q6Ia_FABCj2AvAtZIYiKm_ugIwTO2-wwAgfceJnmNegsiAm1BNjj6FaTD5MWF2Vr_Lg5Gqb_QlpOE#b

Here’s another one, pretending to be a Flash download site. It just uses a spammy domain name, and I found several spammy links to it in my history. About 5 times it tried to drop me here.

http://usine.puopla.site/AwFTqa6WPBLm6J3yqSXG9MYXdLAui4DXD4zC0f-YAXq-BM_sy4Zu7csXbNK3vq9zejeDOj24L0DAnLEjHJT60JfkxwleO2wQeYikSbW9LKIzGQ==?ci=w2KS57RQO4ETIU7P11T045N0&n3er=y6bOuA==&uu=lIaJhrzOpHZ6hn11eH2KfH59gXw=

And here, some suspicious redirects:

https://accounts.youtube.com/accounts/SetSID?ssdc=1&sidt=ALWU2ctLa54dBHpUuFe9ncgDmF%2BujtQYyZpiVzYzi213Gee6msE%2FyHrYpW3FGHOK4tg9It%2BsIy71pa%2F9S87lHD1HqJvUYHdjjgtby2pMxJWczmxGax9BAQr4AX8tAD9PTEjjYG%2BGIjWtcoIKdKPu5rd6DgfQeg5YvZWW5eNgTqrZauIyBbf2JfHJIcld7W920Eh3rljDpa6JOmGmLFSoweUdjQA6%2B4p1QkPnj4%2BsPdVWj11AdUluDEzC5L4Wc3X2utd%2Bs1Kw%2Bz5hiTkr2cDXclkHIMZ4spVz2UMn5NJGPOuxMqnfqJqQFhO7ghJ%2FdrNcjEZb%2Bk0QJrTPoJi90JezmFBULCE2yf7I3cOfFgNW8n3UmyLRMVcHYPU%3D&continue=http%3A%2F%2Fwww.youtube.com%2Fsignin%3Fnext%3Dhttps%253A%252F%252Fwww.youtube.com%252Fpost_login%26action_handle_signin%3Dtrue%26feature%3Dwl_button%26hl%3Den%26app%3Ddesktop%26pli%3D1%26auth%3DSgdssd-XN52OIWkVW5LGgvlZMTQ5qtLLLjQFzDYS4uWxoEvgEvlPfhteCbuJ1HnQm5CjWQ.

My guess? The ads abuse a redirect tool inside YouTube to hide themselves from the ad provider, redirecting until the fraud detection systems are fooled.

One more edit to explain why I am posting here: It’s to help others, in the spirit of treating BoingBoing as a community and not just a blog. Maybe others can find and submit similar.

14 Likes

:fist_right::boom::fist_left:

3 Likes

Today, it happened again. Look at all the redirects in the path.

Editing to add that I have added this dubious URL to my /etc/hosts on my Mac, redirecting it to 127.0.0.1 now. Let’s see if it helps.

1 Like
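The two posts above do the triage by hand: pull the URLs out of the browser history, notice the stacked random-looking host labels and lure words, unwrap the redirect parameters, and sinkhole the host in /etc/hosts. The script below automates that same triage so the result can be sent to badad@boingboing.net. It is an added example, not code from the thread or from BoingBoing; the sample history is constructed (the host names are the ones quoted above, the long query strings are shortened), and the thresholds, the watched-TLD and lure-word lists and the redirect parameter names are assumptions to tune on your own history.

```python
"""Triage browser-history URLs for malvertising indicators (added example)."""
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample history: the three host names are the ones quoted in the
# thread, the long query strings are shortened, the last entry is a benign control.
HISTORY = [
    "http://your-mac-security-analysis.net.fgwnnj.trnjorobwju4kchg3dl7jveraoq2lcreys.xyz"
    "/fx/en/index.php?browser=Safari&app=Mac%20Speedup%20Pro",
    "http://usine.puopla.site/AwFTqa6WPBLm6J3yqSXG9MYXdLAui4DXD4zC0f-YAXq?ci=w2KS57RQO4ETIU7P11T045N0",
    "https://accounts.youtube.com/accounts/SetSID?ssdc=1&sidt=TOKEN"
    "&continue=http%3A%2F%2Fwww.youtube.com%2Fsignin%3Fnext%3Dhttps%253A%252F%252F"
    "www.youtube.com%252Fpost_login%26feature%3Dwl_button",
    "https://boingboing.net/2019/09/30/example-article.html",
]

# Thresholds and word lists are assumptions; adjust them for your own data.
RANDOM_LABEL_MIN_LEN = 16        # a host label this long with high entropy looks generated
RANDOM_LABEL_MIN_ENTROPY = 3.8   # bits per character
MAX_LABELS = 4                   # more labels than this suggests stacked fake names
WATCH_TLDS = {"xyz", "site", "space"}   # TLDs that appear in the thread's URLs
LURE_WORDS = {"security", "mac", "flash", "update", "warning", "virus"}
REDIRECT_PARAMS = ("continue", "next", "url", "redirect", "u")  # common redirect params


def shannon_entropy(text):
    """Bits of entropy per character; random strings score high, words score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def host_signals(host):
    """Return human-readable reasons a host name looks like a throwaway ad domain."""
    labels = host.lower().split(".")
    signals = []
    if len(labels) > MAX_LABELS:
        signals.append(f"{len(labels)} labels stacked")
    for label in labels:
        # Hyphenated labels are human-composed; generated ones are a single run.
        if ("-" not in label and len(label) >= RANDOM_LABEL_MIN_LEN
                and shannon_entropy(label) >= RANDOM_LABEL_MIN_ENTROPY):
            signals.append(f"random-looking label {label!r}")
        lures = sorted(LURE_WORDS & set(re.split(r"[-_]", label)))
        if lures:
            signals.append(f"lure words {lures}")
    if labels[-1] in WATCH_TLDS:
        signals.append(f"watched TLD .{labels[-1]}")
    return signals


def redirect_chain(url, max_depth=10):
    """Unwrap nested redirect parameters: returns [url, hop1, hop2, ...]."""
    chain = [url]
    for _ in range(max_depth):
        query = parse_qs(urlparse(chain[-1]).query)
        nested = next((query[p][0] for p in REDIRECT_PARAMS
                       if p in query and query[p][0].startswith(("http://", "https://"))), None)
        if nested is None:
            break
        chain.append(nested)
    return chain


def analyze(urls):
    """One record per history entry: host findings plus the decoded redirect hops."""
    records = []
    for url in urls:
        host = urlparse(url).hostname or ""
        chain = redirect_chain(url)
        host_sig = host_signals(host)
        signals = list(host_sig)
        if len(chain) > 1:
            hops = " -> ".join(urlparse(u).hostname or "?" for u in chain)
            signals.append(f"nested redirect ({len(chain) - 1} hops): {hops}")
        records.append({"url": url, "host": host, "host_signals": host_sig,
                        "signals": signals, "chain": chain})
    return records


def hosts_block_lines(records):
    """/etc/hosts sinkhole lines (the thread's approach) for hosts flagged by name.
    Redirect-only findings are excluded so a legitimate relay host is never blocked;
    these throwaway domains rotate, so this is a stopgap, not a fix."""
    return sorted({f"127.0.0.1 {r['host']}" for r in records if r["host_signals"]})


if __name__ == "__main__":
    report = analyze(HISTORY)
    for r in report:
        if r["signals"]:
            print(r["host"])
            for s in r["signals"]:
                print("   ", s)
    print("\n".join(hosts_block_lines(report)))
```

Replace `HISTORY` with lines exported from the browser history (Safari's CMD-Y view, or a Firefox places export) and send the printed findings, including the decoded hop chain, with the bad-ad report; the hop list is what lets the ad vendor see the landing page that the geofenced creative hid from them.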

Can you not use an ad or script blocker while they put a stop to this? Supporting a site is one thing but surely not at the expense of potential malware and phishing attacks.

yep.

7 System Warning pages purporting to be from 3 [random string].xyz domains. I don’t know that boingboing precipitated all of them.

Thank you. We’ll forward these along and get them removed ASAP.

2 Likes

Our ad vendor has provided the following URL to report bad ads:

https://freestar.com/bad-ads/

Because the ads are often explicitly geofenced so that we cannot see them (or targeted to specific devices), any information anyone can provide may help to catch the ad in question.

Thank you all for your assistance in catching these bad actors!

6 Likes
