Posts posted by Scarecrow

  1. Wow, so I am not the only one! I am sure I got this redirect virus through my True connection but they won't admit responsibility. I got the Trojan dropped too, which I only realized after I read this: http://www.thethailandlife.com/thai-internet-forex-redirect-virus I think I fixed it but have a friend coming to double check tomorrow. I get so paranoid about surfing the web here, especially in cafes that require no password logon.

    This doesn't appear to be wholly accurate based on what I've seen so far. Like I said before, I'm no expert, this is just what I've observed.

    It doesn't appear to be a virus. My guess is compromised 3rd party scripts on some of the sites we visit.

    It is not limited to just True, other providers in Thailand are similarly affected. The use of a VPN that shows a location other than Thailand appears to subvert the script. For whatever reason this looks like it's targeted at Thailand.

    Blocking the scripts (obviously) alleviates the problem. While good, I don't believe HTTPS stops the script from running.

    The claim that the sites (such as forex) install a trojan is news to me. It isn't outside the realm of possibility, I just haven't seen it.

    It's too bad there isn't much real information about this, just what us amateur sleuths have been able to cobble together.

  2. Here's what I posted over in the forex thread.

    I added these custom filters to Adblock Plus. Other ad blocking extensions might use a different syntax.

    ||chartbeat.com^
    ||quantserve.com^
    ||scorecardresearch.com^

    Those seemed to do the trick for me.

    It's possible that Ghostery, a privacy oriented extension, might also work since it blocks some of these same scripts by default. I haven't tried this.

    As for HTTPS Everywhere, it simply attempts to make your browser connect to sites via https (encrypted) instead of http (unencrypted). I'm not sure that'll help with this particular problem, but it's worthwhile to have anyway.

    Lastly, to reiterate some of what's been said before, these recent redirects are most likely the result of bad third-party scripts on some of the sites you visit. This is why something as simple as an ad blocker can work; you can tell it to stop those scripts from loading. I hope this has helped.

  3. The filters I'm using so far in Adblock Plus are these:

    ||chartbeat.com^
    ||quantserve.com^
    ||scorecardresearch.com^

    Again, I can't say with certainty that these are the source of the problem. scorecardresearch and chartbeat are the most commonly found. Not every site had both, but each site I've taken a look at had at least one. quantserve is in there just for good measure.

  4. Any solution that proposes cleaning your computer is mostly in vain. At best it'll delete a cached version of the poison script. That might provide temporary relief until you encounter the bad javascript again.

    I'm far from an expert, but from looking at a few sites that both redirect me I've come to the conclusion that the following javascript could be the culprit.

    http://b.scorecardresearch.com/beacon.js

    I added the following filter to Adblock Plus (other ad blocking extensions might use a different syntax) and haven't seen a redirect since. It could just be a fluke, but it is simpler and less involved than anything else proposed.

    ||scorecardresearch.com^

    I'd love for people to post some more sites they've visited so I can do a little more amateur sleuthing to confirm or bust my results. Or send it via PM to avoid cluttering up this thread.

    • Like 1
  5. Is a java hack, I'm pretty certain on that. Narrows it down when a Mac has been involved as windows garbage could be one of 200 things. Remove java, do other fixes that have worked, reboot, fresh java install should fix it. In theory that is hahahah

    This isn't the case since the redirect also happens to iOS devices which do not run java. Like mentioned above, it's poisoned javascript that is injected somewhere down the line. It is, for the most part, out of our hands when it comes to fixing this problem. You can turn off javascript in your browser, but that comes with its own drawbacks and isn't a real solution.
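
How the three `||domain^` filters quoted in the posts above decide which requests get blocked, as an added example (not code from the thread or from Adblock Plus): a simplified JavaScript matcher that handles only this one filter form. Apart from the beacon.js address quoted in the thread, the sample URLs are constructed.

```javascript
// Added example: simplified matcher for Adblock Plus filters of the form
// "||domain^" only. Real filter engines support many more filter types.

// The three filters quoted in the posts above.
const FILTERS = ['||chartbeat.com^', '||quantserve.com^', '||scorecardresearch.com^'];

// Translate one "||domain^" filter into a RegExp.
function compileFilter(filter) {
  const m = /^\|\|([a-z0-9.-]+)\^$/i.exec(filter);
  if (!m) throw new Error('unsupported filter form: ' + filter);
  const domain = m[1].replace(/[.]/g, '\\.');
  // "||" anchors at the start of the host name: any scheme, then optional
  //      subdomain labels that end in a dot.
  // "^"  is a separator: end of the address, or any character other than
  //      a letter, a digit, or one of _ - . %
  return new RegExp('^[\\w-]+:/+(?:[^/]+\\.)?' + domain + '(?:[^\\w.%-]|$)', 'i');
}

const COMPILED = FILTERS.map((f) => ({ filter: f, re: compileFilter(f) }));

// Return the filter that would block this request URL, or null if none does.
function blockedBy(url) {
  const hit = COMPILED.find((c) => c.re.test(url));
  return hit ? hit.filter : null;
}

// Constructed sample requests, except the first, which is quoted in the thread.
const SAMPLE_URLS = [
  'http://b.scorecardresearch.com/beacon.js',     // subdomain of a filtered domain
  'https://cdn.chartbeat.com/x.js',               // the scheme makes no difference
  'http://quantserve.com:8080/q.js',              // ":" counts as a separator
  'https://notchartbeat.com/a.js',                // different domain, not blocked
  'https://chartbeat.com.example.net/a.js',       // "." is not a separator
  'https://example.org/page?ref=quantserve.com',  // name appears in the query only
];

// Map every sample URL to the filter that blocks it (or null).
function classify(urls) {
  return urls.map((u) => [u, blockedBy(u)]);
}

for (const [url, filter] of classify(SAMPLE_URLS)) {
  console.log((filter ? 'BLOCK ' : 'allow ') + url + (filter ? '  <- ' + filter : ''));
}
```

The filters key on the host name of the requested script, so they apply the same way on every site that embeds it and over both http and https.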
