Browser Jacked

Anime Rick
Posts: 11
Joined: Fri Oct 31, 2014 5:28 pm

Browser Jacked

Post by Anime Rick »

Long-time lurker here, I'm not sure where else to post this notice, so....

Today, at 3:23pm, I was on the archive page http://wapsisquare.com/comic/times-up/ and clicked the next button. Instead of being taken to the next page, I was redirected to a URL listed as www DOT flashplayerdown DOT com, where a Malicious Site warning popped up, telling me that this site was known for distributing malware, as reported by AVG (which I do not use). I clicked the "go back safely" option and was returned to the Times-Up page. Upon clicking the next button a second time, I was taken to the proper page on Wapsi Square (http://wapsisquare.com/comic/help-or-break/).

It seems as though my browser (Opera) was jacked when I first hit the next button and redirected to a malware page, but was protected by an AVG alert before anything bad happened.

The exact malware URL is:
http COLON //www DOT flashplayerdown DOT com/?cch=cd&dc=11

I've been reading this comic off and on since the day Stinky dropped U296 on the beach, and this is the first time I've encountered any threats from Wapsi Square. I'm not complaining or worried, I just figured someone would like to know about it. Now I'm off to run some Anti-Virus checks, just to be safe...
Dave
Posts: 7586
Joined: Tue Jul 31, 2012 5:58 pm
Location: Mountain View, CA, USA

Re: Browser Jacked

Post by Dave »

Anime Rick wrote: Long-time lurker here, I'm not sure where else to post this notice, so....

This wouldn't be the first time that malicious content was served out by one of the advertising networks that Paul uses to fund the site.

For what it's worth, I just surfed to that same archive page, and looked at the page source being served out by wapsisquare.com. I don't see any mention of the malware site flashplayerdown dot com that you mention.

It's possible that you somehow got a Nasty from a referral image site, such as Project Wonderful - if I recall correctly their servers have occasionally been compromised during the past few years.

What you report sounds a bit like a "clear click" hijacking - malicious content which places a large, transparent image on top of other stuff on the page, with an OnClick() method or URL associated with it. When you try to click on the button you want, the click actually ends up being passed to the "clear" image, which then directs you to Someplace You Really Do Not Want To Go.

Thanks for the report... there are enough people surfing the sites (comic and forum) regularly so that any further problems will probably be visible fairly quickly.
Anime Rick
Posts: 11
Joined: Fri Oct 31, 2014 5:28 pm

Re: Browser Jacked

Post by Anime Rick »

And it just happened again (6:50pm... uh, UTC-8 Pacific), this time through a link in this very forum.
I was reading the discussion on viewtopic.php?f=6&t=1107 and opened a link to http://wapsisquare.com/comic/the-directory/ (the 17th post) and for a split second, I saw the proper page before my browser switched to that same flashplayerdown page from before, again with the warning from Opera/AVG. I took a screenshot this time, which I'll try to upload.
I think this means that either something on Wapsi Square or its ads is redirecting me, or my browser has a virus. I don't think it's my browser, as this redirect thing has only happened to me twice now, both times today, and ONLY when following a link to a Wapsi Square archive page.

(Also, the second time I clicked on that link in the forum discussion, it went to the correct page like before, but didn't redirect, so whatever's doing the redirect, it's not consistently there.)

Hmmm, I uploaded the file, but it disappeared.... something about a board image quota.
lake_wrangler
Posts: 4300
Joined: Sun Aug 05, 2012 8:16 am
Location: Laval, Québec, Canada

Re: Browser Jacked

Post by lake_wrangler »

Until someone among the admins changes the upload quota for the board, the only way to display images in the forum is to upload it to a photo hosting site (like Photobucket, ImageShack, etc.), and post a link here. You may leave it as a link, or you may use the Img tag to display the image directly in the thread.
Dave
Posts: 7586
Joined: Tue Jul 31, 2012 5:58 pm
Location: Mountain View, CA, USA

Re: Browser Jacked

Post by Dave »

Hmmm. All of the Project Wonderful ad-insertion spaces on the main site are coming up blank on my browser at the moment.

This makes me suspect that something's amiss at PW, and that somebody may have hit the explosive-bolts "stop serving content!" button and called in the brute squad to clean out a malware infestation.

Maybe. Or, something else is going on.

EDIT: A "safe browsing" check at Google for "projectwonderful.com" says:

Of the 132 pages we tested on the site over the past 90 days, 8 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2014-10-31, and the last time suspicious content was found on this site was on 2014-10-30.

Malicious software is hosted on 2 domain(s), including megagames.cf/, shelves.ga/.

2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including wrensamerica.com/, jameslsteele.com/.
Typeminer
Posts: 807
Joined: Tue Jul 31, 2012 9:34 pm
Location: Pennsylbama, between Philly and Pittsburgh

Re: Browser Jacked

Post by Typeminer »

I have run into a similar thing on other comic sites recently. Got one for Flash player on, I think, Chuckle-A-Duck a couple of days ago. I noticed that the country tag on the URL was .be (Belgium), and the hijack page didn't mention Adobe anywhere.

Earlier this morning, I ran into a screen takeover for Java plugin, very similar to the one you describe, on LICD. It came up when I hit the current comic button. I reloaded the LICD page and tried again several times, and got two different URLs for the redirect. One was javaplugindown dot com; the other was javapluginupdate dot com. I believe legitimate Java pages are java dot com slash whatever.

A little later, I went back to LICD, and the comic loaded without the hijack. Makes me suspect that it rotated off or was stopped by the LICD admins.
Saccharomyces cerevisiae is the linchpin of civilization.
Dave
Posts: 7586
Joined: Tue Jul 31, 2012 5:58 pm
Location: Mountain View, CA, USA

Re: Browser Jacked

Post by Dave »

There have also been reports, since early this year, of the "flash player install" malware being a payload of the "Moon" worm.

This is a rather nasty worm. It exploits a vulnerability in several brands of home/small-office Internet router (Linksys, Belkin, D-Link have been mentioned) via the routers' "remote administration" feature. The router's firmware is altered, and it occasionally intercepts a Web-surfing request and responds with an HTTP redirect to a site hosting the malware (e.g. the bogus "Flash update" installer). The router then begins scanning the Internet, looking for other vulnerable routers to attack in the same fashion. It's a "man in the middle" attacker.

The fix for the compromised router would (I believe) require downloading a fresh copy of the latest router firmware version from the manufacturer's support web site (or get DD-WRT, OpenWRT, or Tomato if supported on your model) through a trustworthy Internet connection. Disconnect the Internet WAN cable temporarily. Reset the router to factory defaults, flash the firmware update, reset to factory defaults again, then reset any parameters you need. Turn off the remote administration feature (and WiFi Protected Setup) immediately, and set strong administration and WiFi passwords.

On all PCs on the network, clear all browsing history and caches, and run a good malware/virus scan.

Then, reconnect your WAN cable.
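A defender-side illustration of the "intercepted request answered with an HTTP redirect" behaviour described above, added here as an example that is not from this thread: it scans constructed proxy-log lines for 3xx responses whose Location points at a fake-update lookalike host (the flashplayer*/javaplugin* names reported in this thread) outside an assumed vendor allowlist, and notes when the redirect leaves the site the user actually asked for. The log format, the allowlist and the two-label domain check are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the thread): time, client, status,
# requested URL, value of the Location response header ("-" if absent).
SAMPLE_LOG = """\
15:23:01 10.0.0.5 200 http://wapsisquare.com/comic/times-up/ -
15:23:04 10.0.0.5 302 http://wapsisquare.com/comic/help-or-break/ http://www.flashplayerdown.com/?cch=cd&dc=11
15:23:09 10.0.0.5 200 http://wapsisquare.com/comic/help-or-break/ -
09:10:12 10.0.0.7 302 http://www.adobe.com/go/getflashplayer http://get.adobe.com/flashplayer/
09:11:40 10.0.0.7 301 http://wapsisquare.com/comic/the-directory http://wapsisquare.com/comic/the-directory/
08:02:55 10.0.0.9 302 http://example-comic.invalid/ http://javaplugindown.com/?x=1
"""

# Words that fake "update your plugin" pages put in their host names, and the
# vendor domains that legitimately carry them (assumed allowlist, extend as needed).
LOOKALIKE_WORDS = ("flashplayer", "javaplugin", "flash", "java")
LEGIT_DOMAINS = {"adobe.com", "macromedia.com", "java.com", "oracle.com"}

def registrable(host):
    """Last two DNS labels; assumption: adequate here, a real tool would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def classify_redirect(requested, location):
    """Reasons a redirect looks like a fake-update hijack (empty list = benign)."""
    src = urlsplit(requested).hostname or ""
    dst = urlsplit(location).hostname or ""
    reasons = []
    if any(w in dst for w in LOOKALIKE_WORDS) and registrable(dst) not in LEGIT_DOMAINS:
        reasons.append("fake-update lookalike host")
        if registrable(src) != registrable(dst):
            # The page the user asked for lives elsewhere: this is what an injected
            # redirect (malvertising or an on-path device) looks like in the log.
            reasons.append("cross-site redirect from " + src)
    return reasons

def find_suspicious_redirects(log_text):
    """Return (client, requested URL, destination host, reasons) for flagged lines."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _, client, status, requested, location = fields
        if not status.startswith("3") or location == "-":
            continue  # only real redirects are of interest
        reasons = classify_redirect(requested, location)
        if reasons:
            hits.append((client, requested, urlsplit(location).hostname, reasons))
    return hits
```

On the sample log the two hijack-style redirects are flagged while the vendor-internal redirect and the same-site trailing-slash redirect pass.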
Anime Rick
Posts: 11
Joined: Fri Oct 31, 2014 5:28 pm

Re: Browser Jacked

Post by Anime Rick »

Happened again when I opened my Opera browser this morning.
It's set to resume last session when I open it, so it opened up with several Wapsi Square forum pages, Wapsi Square comic (http://wapsisquare.com/comic/judged-by-history/) and a page on Star Citizen. As the pages loaded, I noticed that the Wapsi Square page (which was simply refreshing the page I had open yesterday) had switched to the malicious page warning again... this time for http COLON //www DOT flashplayerupgrades DOT com/?cch=cq&dc=22 , a different page from the flashplayerdown from before. I'll say again that this only happens on Wapsi Square.... but I'll acknowledge Typeminer's point about multiple comics, as I haven't visited other comics recently (archive binging here). Maybe I'll check up on some other comics and see if they get jacked, too. I currently think it's a malicious ad on account of the randomness of it. Hope it gets fixed soon...

PS My router has admin access by WAN disabled by default, and it's still disabled when I checked, so that's not likely.
jwhouk
Posts: 6053
Joined: Wed Aug 01, 2012 7:58 am
Location: The Valley of the Sun, Arizona

Re: Browser Jacked

Post by jwhouk »

Do a complete virus scan of your computer, and try Malwarebytes or some other program that can find worms/rootkits.
"Character is what you are in the dark." - D.L. Moody
"You should never run from the voices in your head. That's how you give them power." - Jin
Atomic
Posts: 2948
Joined: Tue Jul 31, 2012 12:39 am
Location: Central PA

Re: Browser Jacked

Post by Atomic »

Firefox with add-ons NoScript and AdBlock. Not sure if Opera or Chrome has versions for them. Good Luck!
Don't let other people's limitations become your constraints!

My Deviant Art scribbles
The Atomic Guide to Basic GIMP Stuff
lake_wrangler
Posts: 4300
Joined: Sun Aug 05, 2012 8:16 am
Location: Laval, Québec, Canada

Re: Browser Jacked

Post by lake_wrangler »

Atomic wrote:Firefox with add-ons NoScript and AdBlock. Not sure if Opera or Chrome has versions for them. Good Luck!
Chrome has AdBlock Plus, and an extension called ScriptBlock.
Warrl
Posts: 1723
Joined: Sat Jul 20, 2013 10:44 pm

Re: Browser Jacked

Post by Warrl »

lake_wrangler wrote:
Atomic wrote:Firefox with add-ons NoScript and AdBlock. Not sure if Opera or Chrome has versions for them. Good Luck!
Chrome has AdBlock Plus, and an extension called ScriptBlock.
Or, the one I prefer, ScriptSafe.

The problem I'm having right now is finding a version of Flash that works with 64-bit Iron. With the current versions of both, Flash crashes on any attempt to use it.
Atomic
Posts: 2948
Joined: Tue Jul 31, 2012 12:39 am
Location: Central PA

Re: Browser Jacked

Post by Atomic »

Running Win 7 (64) with current Adobe Reader, Flash, and Air with no problems. Of note, Flash says ActiveX is Not installed. Perhaps an issue? The Flash help page mentions Chrome and Private Browsing here. Might be relevant to you.

Further, I highly recommend CCleaner as a regular housekeeping tool. A bit ago, I was Trojaned with a bad codec installation -- the Uninstall was eyewash, and Avast AV kept quarantining it, but it kept coming back. So I went to Admin mode, ran CCleaner to tidy up, then uninstalled the codec in the Tools menu. Blocked again, so I did the Restart, F5 boot to Safe Mode with Windows, then ran CC again to uninstall (successful) and Tools, Startup - and cleared the bad codec from the Tasks and Context menus where the Trojan reinstall had been hiding. Then some Registry cleanup and it's gone.

Some similar process may help you with your bug. Consider uninstalling Java completely, wiping, and get a fresh install from the source: Java.com

Good luck!
lake_wrangler
Posts: 4300
Joined: Sun Aug 05, 2012 8:16 am
Location: Laval, Québec, Canada

Re: Browser Jacked

Post by lake_wrangler »

Warrl wrote:
lake_wrangler wrote:
Atomic wrote:Firefox with add-ons NoScript and AdBlock. Not sure if Opera or Chrome has versions for them. Good Luck!
Chrome has AdBlock Plus, and an extension called ScriptBlock.
Or, the one I prefer, ScriptSafe.
I chose to use ScriptBlock after reading reviews on ScriptSafe which were saying that ScriptBlock was better. I wouldn't know, having never used either one before installing ScriptSafe.
Anime Rick
Posts: 11
Joined: Fri Oct 31, 2014 5:28 pm

Re: Browser Jacked

Post by Anime Rick »

Well, I've been on Wapsi Square every day for a week, and haven't had any issues since the latest attack on the first. It seems like whatever was hijacking my browser was taken care of. I consider this subject closed... even though we never found what it was (still think it was an ad, though).

As for Adblock and stuff, I don't care to remove the ads as I don't have steady income, which means even the Patreon thing is beyond me, so leaving the ads running whenever I access the site (especially on an Archive Binge) is pretty much the only way I can support the artist. :(
Warrl
Posts: 1723
Joined: Sat Jul 20, 2013 10:44 pm

Re: Browser Jacked

Post by Warrl »

lake_wrangler wrote:I chose to use ScriptBlock after reading reviews on ScriptSafe which were saying that ScriptBlock was better. I wouldn't know, having never used either one before installing ScriptSafe.
Tastes and priorities differ. Since I recently got a new computer and actually hadn't reinstalled ScriptSafe yet, after reading your comment I went and read the reviews again. The people who actually detailed why they preferred ScriptBlock over ScriptSafe were the ones who convinced me that ScriptSafe is still the better choice for me.