
Possible Hack


RedCardinal


Just came to TV page via Google and got redirected to

deleted link to bad page

Search was http://www.google.co...h hilton phuket

Landing page http://www.thaivisa....s-lunch-dinner/

After going back to Google and trying same link got to TV page. Couldn't replicate till cleared cookies. Tried again in clean browser and got redirected again.

Could be an ad network on page?

Now seeing db errors on same tv page.

Sent from my Nexus 7 using Thaivisa Connect App

Edited by george
deleted link to bad page

Me neither. Mind you the OP is using google.com which, locally, will use google.co.th. This will allow you to get search results from Thai websites. Hate to tell you this, but this will be more dangerous to your surfing habits. You can use another country's google search engine to clean up your results.

I use google.co.uk (I'm English).

To use google.com (i.e. USA) use:

google.com/ncr

--EDIT--

Intentionally not linked so you can see how to use it in your address bar.

Edited by draftvader

Please can everybody make sure they have the appropriate security software before clicking on the 1st link. This could cause a problem for your computer.

What on earth are you talking about? You really understand nothing at all.

The first link is to GOOGLE.

Please, stop posting trash. There's a danger that people (as uneducated as yourself) might take you seriously.

Let me stress this point: GOOGLE (whether dot com or dot co dot th) will not "be more dangerous to your surfing habits".


I had a similar issue this morning coming in from Google using the search term : Thai Visa forum

The only time I have ever had that.

When I clicked on http://www.thaivisa.com/forum in Google it took me to a website that appeared to be in Chinese and red color and appeared to have many ads on it. (I do not see it in the history of Chrome)

On my second attempt it took me to //deleted malware link// (I just dragged it out of the history)

3rd attempt I got the TV forum page about 8am BKK time this morning.

Using chrome, Win7 via 3BB.

I have www.google.com/ncr set to my home page in Chrome that diverts to https://www.google.com/ for the search.

Hope that helps someone !

Edited by Tywais
Removed link due to malware

Please can everybody make sure they have the appropriate security software before clicking on the 1st link. This could cause a problem for your computer.

What on earth are you talking about? You really understand nothing at all.

The first link is to GOOGLE.

Please, stop posting trash. There's a danger that people (as uneducated as yourself) might take you seriously.

Let me stress this point: GOOGLE (whether dot com or dot co dot th) will not "be more dangerous to your surfing habits".

I think he's talking about the link that was deleted:

Edited by george, 52 minutes ago.

deleted link to bad page


I had a similar issue this morning coming in from Google using the search term : Thai Visa forum

The only time I have ever had that.

When I clicked on http://www.thaivisa.com/forum in Google it took me to a website that appeared to be in Chinese and red color and appeared to have many ads on it. (I do not see it in the history of Chrome)

On my second attempt it took me to //deleted bad link// just dragged it out of the history)

3rd attempt I got the TV forum page about 8am BKK time this morning.

Using chrome, Win7 via 3BB.

I have www.google.com/ncr set to my home page in Chrome that diverts to https://www.google.com/ for the search.

Hope that helps someone !

I just did the same search and the first attempt went to the url4short page.

Edited by Tywais
deleted malware link

I had a similar issue this morning coming in from Google using the search term : Thai Visa forum

The only time I have ever had that.

When I clicked on http://www.thaivisa.com/forum in Google it took me to a website that appeared to be in Chinese and red color and appeared to have many ads on it. (I do not see it in the history of Chrome)

On my second attempt it took me to //deleted// just dragged it out of the history)

3rd attempt I got the TV forum page about 8am BKK time this morning.

Using chrome, Win7 via 3BB.

I have www.google.com/ncr set to my home page in Chrome that diverts to https://www.google.com/ for the search.

Hope that helps someone !

I just did the same search and the first attempt went to the url4short page.

Yep, me too. Searching "Thai Visa Forum" in Chrome search box I get these results:

Capture3.jpg

Then I click on the top result and get sent here:

Capture2.jpg

It only happened on the first attempt. Each subsequent click was successful.

Using True Internet.

Edited by Tywais
deleted malware link

Please can everybody make sure they have the appropriate security software before clicking on the 1st link. This could cause a problem for your computer.

What on earth are you talking about? You really understand nothing at all.

The first link is to GOOGLE.

Please, stop posting trash. There's a danger that people (as uneducated as yourself) might take you seriously.

Let me stress this point: GOOGLE (whether dot com or dot co dot th) will not "be more dangerous to your surfing habits".

I think he's talking about the link that was deleted:

Edited by george, 52 minutes ago.

deleted link to bad page

Andrew, it was pretty clear to the average reader that he was talking about the deleted url4short link. Good advice daftvader.


I just did a Google search on Thai 3G coverage maps, saw a TV thread in the Google SERPS and tried it, I was sent to //deleted malware link// at 7:03PM Sunday BKK time.

Win7 - Chrome - 3BB

Edited by Tywais
deleted malware link

Please can everybody make sure they have the appropriate security software before clicking on the 1st link. This could cause a problem for your computer.

What on earth are you talking about? You really understand nothing at all.

The first link is to GOOGLE.

Please, stop posting trash. There's a danger that people (as uneducated as yourself) might take you seriously.

Let me stress this point: GOOGLE (whether dot com or dot co dot th) will not "be more dangerous to your surfing habits".

What on earth are you talking about? You really understand nothing at all.

The first link has been deleted.

Please, stop posting trash. There's a danger that people (as uneducated as yourself) might take you seriously


Please can everybody make sure they have the appropriate security software before clicking on the 1st link. This could cause a problem for your computer.

What on earth are you talking about? You really understand nothing at all.

The first link is to GOOGLE.

Please, stop posting trash. There's a danger that people (as uneducated as yourself) might take you seriously.

Let me stress this point: GOOGLE (whether dot com or dot co dot th) will not "be more dangerous to your surfing habits".

The indexing for google.co.th contains a lot of pages that point to sites hosted in Thailand and would favour those over more relevant information as the competitive nature of SEO hasn't really taken hold here for the larger part of the market, particularly for English terms. You would be amazed how many people will click on a search engine result in google without checking the domain they are visiting (is that thaivisa.com or thaivisa.co.th?). The original link had a script injection and this is not uncommon in some of the less competitive Thai sites. Plenty of people using the bootlegged templates that they buy at Panthip. Bootlegged software, scripts and code are one of the prime ways to inject code to allow further software installations to hijack your computer.

For your educated comment. I program php, html5, css3 and twitter bootstrap over MySQL databases to serve large content rich sites. My clients depend on my advice to ensure their sites are prominent for their search terms and their potential customers are safe. I also host my clients' sites too and have to ensure that they are safe from script kiddies putting script injection routines into their site to try and damage their image.

Thank you to everybody who stood up and supported me, that was most welcome.


I had a similar issue this morning coming in from Google using the search term : Thai Visa forum

The only time I have ever had that.

When I clicked on http://www.thaivisa.com/forum in Google it took me to a website that appeared to be in Chinese and red color and appeared to have many ads on it. (I do not see it in the history of Chrome)

On my second attempt it took me to //deleted// just dragged it out of the history)

3rd attempt I got the TV forum page about 8am BKK time this morning.

Using chrome, Win7 via 3BB.

I have www.google.com/ncr set to my home page in Chrome that diverts to https://www.google.com/ for the search.

Hope that helps someone !

I just did the same search and the first attempt went to the url4short page.

Yep, me too. Searching "Thai Visa Forum" in Chrome search box I get these results:

Capture3.jpg

Then I click on the top result and get sent here:

Capture2.jpg

It only happened on the first attempt. Each subsequent click was successful.

Using True Internet.

I reproduced this using chrome on True cable and google.com (not co.th).

It took me to the url shortener site and I then had the page scanned.. the results of which are here

http://app.webinspector.com/public/reports/8003234


I had a similar issue this morning coming in from Google using the search term : Thai Visa forum

The only time I have ever had that.

When I clicked on http://www.thaivisa.com/forum in Google it took me to a website that appeared to be in Chinese and red color and appeared to have many ads on it. (I do not see it in the history of Chrome)

On my second attempt it took me to //deleted// just dragged it out of the history)

3rd attempt I got the TV forum page about 8am BKK time this morning.

Using chrome, Win7 via 3BB.

I have www.google.com/ncr set to my home page in Chrome that diverts to https://www.google.com/ for the search.

Hope that helps someone !

I just did the same search and the first attempt went to the url4short page.

Yep, me too. Searching "Thai Visa Forum" in Chrome search box I get these results:

Capture3.jpg

Then I click on the top result and get sent here:

Capture2.jpg

It only happened on the first attempt. Each subsequent click was successful.

Using True Internet.

I reproduced this using chrome on True cable and google.com (not co.th).

It took me to the url shortener site and I then had the page scanned.. the results of which are here

http://app.webinspec...reports/8003234

I've got that url page a few times when clicking links on tv, second attempts are ok. I'm on firefox and in the uk right now.


I have just replicated the error. Once you have come through that link once the error goes away. I am now performing a DEEP scan with Malwarebytes and have made sure my AV is up to date. I don't think that I have an infection, but need to eliminate any potential local issue first. The link indexed by google for the main forum page is

http://www.thaivisa....E668ctPOWEQt3Sw

Avast! provides the following alert on that initial visit, but the information is far from informative.

http://www.avast.com/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_70_0
&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ww%2Fvirus-alert-default&p_vir=HTML:RedirDL-inf%20[Trj]&p_prc=
C:\Applications\Mozilla%20Firefox\firefox.exe&p_obj=
http://www.thaivisa.com/forum/index.php?ipbv=fb1e456bf3ebbbe8ca294c236beceaf2%26g=js|
{gzip}&p_var=.%2Ffa%2Fen-ww%2Fvirus-alert-default&p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24
&p_lst=0&p_lex=115&p_lng=en&p_lid=en-ww&p_elm=7&p_vbd=1474

(intentionally NOT a hyperlink and broken up to stop the page getting VERY wide)

I have scanned the link here

http://zulu.zscaler....46a9-1356315583

and here

http://www.avgthreat...in/thaivisa.com

Both view this site as safe.

So, we are led to believe that this issue happens somewhere between google sending us to the site and data starting to arrive at our computer. Once your computer acknowledges the issue it knows to ignore it, hence the lack of repeating. This makes me think that it isn't a glitch on one of the nodes.

I have just done a tracert that sees a clean route between my computer and www.thaivisa/forum at 175.41.131.133

post-68756-0-62213700-1356317696_thumb.j

As you can see this starts to time-out at the amazonaws server. This is not surprising as they really don't want me pinging their server unannounced. Apart from that I don't see a single node that I wouldn't expect...in Thailand. I have no idea about the Singapore nodes as I don't tracert them every day like I do the connections to the UK.

So, it could be something that has changed on one of the many scripts used by ThaiVisa in serving the site to us (i.e. wibiya, whos.among.us, googleapis, etc) and our security software is just a little behind (happens quite regularly). This could simply be a cookie being served by one of these tools producing this issue.

Right now this is all I have got. I don't have the time, the spare environment or access to the admin section of ThaiVisa to risk testing the link unprotected to see where the redirect wants to take us. Remember this could be as simple as a redirect within the thaivisa website setup, a fairly standard procedure within website management. Either way, with Avast! in place, I get to the site safely.

I have to go out now as Christmas calls and the family need to go shopping (one of the moments when I am eternally grateful for living in Thailand....last minute Christmas shopping...it really is all in the mind here!). At the moment my Malwarebytes is coming back clean, so I think that ThaiVisa might want to check this out. Remember to clear your browser first (btw I only checked this using FF) to replicate the issue as once you have followed that link once it doesn't reproduce.

Edited by draftvader
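The pattern reported throughout this thread (an off-site landing on the first click from a Google result, and a normal page once cookies exist) can be confirmed by recording where the same page lands under each referer/cookie combination and comparing the outcomes. This is an added example, not part of any post above; the `Probe` record, the function names, the `.example` hosts and the rule that a "google" host label marks a search click are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Probe:
    """One recorded visit to the same page under chosen request conditions."""
    referer: Optional[str]  # Referer sent with the request, None if typed in directly
    has_cookie: bool        # True if cookies from an earlier visit were sent
    landed_on: str          # URL the browser finally ended up on


def from_search(referer: Optional[str]) -> bool:
    # Assumption: a "google" label in the referring host marks a search click.
    host = urlsplit(referer or "").hostname or ""
    return "google" in host.split(".")


def off_site(site_host: str, url: str) -> bool:
    # True when the landing host is neither the site nor one of its subdomains.
    host = urlsplit(url).hostname or ""
    return not (host == site_host or host.endswith("." + site_host))


def classify(site_host: str, probes: List[Probe]) -> Tuple[str, List[str]]:
    """Return (verdict, conditions the off-site landing depends on)."""
    hits = [p for p in probes if off_site(site_host, p.landed_on)]
    clean = [p for p in probes if p not in hits]
    if not hits:
        return "clean", []
    if not clean:
        return "unconditional", []
    gates = []
    if all(from_search(p.referer) for p in hits) and not all(from_search(p.referer) for p in clean):
        gates.append("search referer")
    if not any(p.has_cookie for p in hits) and any(p.has_cookie for p in clean):
        gates.append("no prior cookie")
    return "conditional", gates


# Constructed observations (reserved .example hosts, not data from the thread).
SAMPLE = [
    Probe("https://www.google.co.th/search?q=forum", False, "http://shortener.example/abc"),
    Probe("https://www.google.co.th/search?q=forum", True, "http://www.forum.example/forum/"),
    Probe(None, False, "http://www.forum.example/forum/"),
    Probe(None, True, "http://www.forum.example/forum/"),
]

if __name__ == "__main__":
    print(classify("forum.example", SAMPLE))
```

A "conditional" verdict gated on both the search referer and the absence of a cookie points at something served with the page itself rather than at the visitor's machine, which is why rescanning the URL from a scanner with no search referer can come back clean.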

I have scanned all these redirect links and find no actual malware.

If you are finding actual malware on these sites.. report them to google http://www.google.com/safebrowsing/report_phish/

Obviously, you are getting to these pages via links from google. They have the power to remove them ASAP. I have reported all the links I have been redirected to even if no malware was found because there is obviously some sort of redir hijack going on here that needs to be stopped.


Just to follow up, I came across something similar before and it turned out to be the ISP. After telling some of the Google security folk I believe they had a few choice words with the ISP in question.

But being honest this looks like something on your side. What proxies/cdns do you use if any? Do you use any ad networks apart from tier 1 providers?

Edit: just remembered that it was True who were caught injecting their own ads into YouTube pages. It may well be that True are again doing this on TV and using lower grade ad networks. Wouldn't surprise me in the least.

Sent from my Nexus 7 using Thaivisa Connect App

Edited by RedCardinal

I have scanned all these redirect links and find no actual malware.

I understand that it may be a false positive but I prefer not taking chances in order to protect members so will remove any URL shorteners or any links that do get an alert. I left one above in code tags for those who wish to evaluate it further.

Now I just activated my US VPN connection in the US and connected to google thailand, searched for Thaivisa and I also get the warning when clicking on the search links. Connected to Google.com and not an issue.
