
force redirect to "forex-prices.com" Spyware/Virus?


Nall


Specifically: a piece of Javascript that will only execute when visiting legitimate sites when True is your ISP. Take True out of the picture and as far as I can tell the problem cannot be replicated.

Also not the case. I got the redirect while browsing on my phone through dtac.



Specifically: a piece of Javascript that will only execute when visiting legitimate sites when True is your ISP. Take True out of the picture and as far as I can tell the problem cannot be replicated.

Also not the case. I got the redirect while browsing on my phone through dtac.

It is misleading the way I've put it. Perhaps I should have said the problem appears to be specific to Thailand, but cautioned to do so as I don't have an IP address from every ISP in Thailand to test. The two I've been able to try are True and "Servenet Solution Limited Partnership" and now you've confirmed DTAC is the third.

If you remove Thailand from the equation I'll be surprised if still you have a problem, because most of the rest of the world does not. Whether it's Servenet or True or DTAC doesn't really matter if one is an upstream provider of the others or another ISP further up the chain is providing the problem internet gateway or proxy causing this.

Fire up a VPN on your phone outside of Thailand and select to route all traffic over the VPN and then try the same sites, I'll be surprised if you still have the problem.


afx, on 26 Sept 2013 - 20:03, said:
Scarecrow, on 26 Sept 2013 - 19:16, said:
afx, on 26 Sept 2013 - 19:02, said:

Specifically: a piece of Javascript that will only execute when visiting legitimate sites when True is your ISP. Take True out of the picture and as far as I can tell the problem cannot be replicated.

Also not the case. I got the redirect while browsing on my phone through dtac.

It is misleading the way I've put it. Perhaps I should have said the problem appears to be specific to Thailand, but cautioned to do so as I don't have an IP address from every ISP in Thailand to test. The two I've been able to try are True and "Servenet Solution Limited Partnership" and now you've confirmed DTAC is the third.

If you remove Thailand from the equation I'll be surprised if still you have a problem, because most of the rest of the world does not. Whether it's Servenet or True or DTAC doesn't really matter if one is an upstream provider of the others or another ISP further up the chain is providing the problem internet gateway or proxy causing this.

Fire up a VPN on your phone outside of Thailand and select to route all traffic over the VPN and then try the same sites, I'll be surprised if you still have the problem.

Actually I had the problem with the parking.ps redirection happening over my VPN as well..

Edited by kotsak

Use Superantispyware. Install the program, update it, and run a complete scan.... it takes Trojans and whatever they must throw at you...

Read the thread or don't post. This is useless and these kinds of posts are annoying me almost as much as the redirects!

Can I ask that people who are not having the problem not to clutter this thread with worthless suggestions like this. Please.


It is misleading the way I've put it. Perhaps I should have said the problem appears to be specific to Thailand, but cautioned to do so as I don't have an IP address from every ISP in Thailand to test. The two I've been able to try are True and "Servenet Solution Limited Partnership" and now you've confirmed DTAC is the third.

If you remove Thailand from the equation I'll be surprised if still you have a problem, because most of the rest of the world does not. Whether it's Servenet or True or DTAC doesn't really matter if one is an upstream provider of the others or another ISP further up the chain is providing the problem internet gateway or proxy causing this.

Fire up a VPN on your phone outside of Thailand and select to route all traffic over the VPN and then try the same sites, I'll be surprised if you still have the problem.

You seem to understand what this problem is. Is it your view that whatever Thai ISP is inserting this, we can't do anything about it? That is we just have to wait until they sort it out or try a VPN?

When this happened with parking.ps redirects earlier this month it happened for two days and just went away.

I wonder why Thai ISPs seem to be so susceptible to this problem? True customer service didn't have any knowledge of the problem when I called them today.

Edited by partington

The filters I'm using so far in Adblock Plus are these:

||chartbeat.com^
||quantserve.com^
||scorecardresearch.com^

Again, I can't say with certainty that these are the source of the problem. scorecardresearch and chartbeat are the most common found. Not every site had both, but each site I've taken a look at had at least one. quantserve is in there just for good measure.

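How the three filters in the post above decide what to block, as an added example that is not part of the original post or of Adblock Plus itself: a small matcher for the `||` domain anchor, the `^` separator and the `*` wildcard. Other filter syntax (single `|` anchors, `$` options) is not handled, and the sample URLs are constructed.

```javascript
'use strict';

// The three filters quoted in the post above.
const FILTERS = ['||chartbeat.com^', '||quantserve.com^', '||scorecardresearch.com^'];

// "^" separator: any character except a letter, digit, "_", "-", "." or "%",
// or the end of the address.
const SEPARATOR = '(?:[^\\w.%-]|$)';
// "||" anchor: the scheme, then optionally parent labels ending in a dot, so the
// rule matches the domain and its subdomains but not look-alike names.
const DOMAIN_ANCHOR = '^[\\w-]+:/+(?:[^/?#]+\\.)?';

// Translate one filter into a case-insensitive regular expression.
function compileFilter(filter) {
  const anchored = filter.startsWith('||');
  const body = (anchored ? filter.slice(2) : filter)
    .replace(/[.+?${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*')                  // "*" wildcard
    .replace(/\^/g, () => SEPARATOR);      // "^" separator placeholder
  return new RegExp((anchored ? DOMAIN_ANCHOR : '') + body, 'i');
}

// Returns the first filter that would block the URL, or null if none does.
function matchingFilter(url, filters = FILTERS) {
  for (const f of filters) {
    if (compileFilter(f).test(url)) return f;
  }
  return null;
}

// Constructed request URLs (not captured traffic).
const SAMPLE_URLS = [
  'http://static.chartbeat.com/js/chartbeat.js',   // subdomain of a filtered domain
  'https://B.ScorecardResearch.com:443/p?c1=2',    // mixed case, explicit port
  'http://quantserve.com',                         // bare domain, end of address
  'http://notchartbeat.com/x.js',                  // look-alike prefix
  'http://chartbeat.com.example.net/x.js',         // filtered name used as a subdomain label
  'http://www.bbc.co.uk/news?ref=chartbeat.com',   // name only in the query string
];

for (const u of SAMPLE_URLS) {
  console.log((matchingFilter(u) || 'allowed').padEnd(26), u);
}
```

The last three URLs are allowed: the `||` anchor ties the rule to the request's host name, so the filters block requests to those three domains and their subdomains only.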

The filters I'm using so far in Adblock Plus are these:

||chartbeat.com^
||quantserve.com^
||scorecardresearch.com^

Again, I can't say with certainty that these are the source of the problem. scorecardresearch and chartbeat are the most common found. Not every site had both, but each site I've taken a look at had at least one. quantserve is in there just for good measure.

I'll put these into Adblock myself and see what happens. Thanks!


Are people still having a problem as of 23:30 ?

It has either vanished without a trace or a few of the latest steps taken have worked. While not perfect and pretty drastic, it's better than disabling javascript altogether.

Using chrome on Mountain Lion & Windows 7 (latest patches on both) I'm now able to visit bbc.co.uk without getting redirected to forex - prices.... & cheap-car-insur....

Firstly I decided to bin Safari on the Mac and just use Chrome. The cookie specific exceptions do not work as described in Safari. It simply isn't possible to block all cookies in Safari, even when you select this, they still pile in there. There's talk that it is normal and they are per site cookies stating not to track. I don't buy this, in Chrome when you block all cookies you don't get any cookies at all appear unless you manually add them as exceptions.

Below steps worked for me in Google Chrome, (your mileage may vary).

1. Delete all cookies

2. Block third party cookies and site data

3. Block sites from setting any data

4. Manually add the sites you use to the exceptions list with "Allow" not forgetting to allow sub domains too [*.]bbc.co.uk [*.]yahoo.com etc.

5. Manually add sites to "Block" (without spaces) [*.] forex - prices .com [*.] cheap-car -insurrance .com and no harm adding the others mentioned on this thread.

To answer a couple of other posters. I too was able to replicate the problem too using a VPN to some countries. But fairly sure this was when I still had those rotten cookies present. It's quite difficult for me to test as the only site I have this problem with is the BBC and firing up a UK VPN doesn't tell the whole story as that is a different site to the international bbc site.

Tethered to my phone with an AIS IP address I also got the problem (prior to taking the steps above to fix), so it's safe to say that the bulk of Thai users (AIS, True, DTAC) were / are afflicted. And yes I believe the blame to be laid at the door of the aforementioned ISPs. Firstly it only appears to execute on people's most visited sites (only the ISPs know people's most visited sites). On the face of it the two redirected sites stink a bit (blatant pay per click pages, hidden whois details of the domain name owners, registrars in the Seychelles, Google adsense publisher IDs to registrants in Palestine etc.). Also spoken to a few buddies in Europe who've seen the same thing with a handful of ISPs in Portugal & Greece where users are routed through proxy servers to achieve the same thing.


I'm running Mac OSX 10.6.8 and use both Firefox and Chrome. Only ever had the problem in Firefox.

I haven't experienced the problem since Wednesday Sept 25th night after doing the following

1. Clearing the cache, deleting my history and cookies.

2. Disabling Java, I had it enabled for a Dlink Camera

As with previous threads I only experienced this on my most visited sites, news.bbc.co.uk and Telegraph.co.uk, some google results too.

Although the list was starting to grow after a while.

I didn't block any sites. There does seem to be some visit frequency/cookie connection to the behavior IMHO.


As at 7am this morning I still had the problem although the redirected to page had changed from forex to carrinsurance. I'd tried all the malware, virus scan etc solutions but none worked. Just installed adblock plus as a firefox extension and added the recommended filter, cleared the cache and all now seems OK. Will now install adblock and the filters for IE.

Thanks for all the help given by users of this forum.

Edited by Keesters

"Car insurrance" and "forex-prices" redirects seem to have stopped for me this morning - I had put in the Adblock filters suggested by afx above, and also added filters for the sites that I found in my activity window on Safari just before the last redirect happened.

I was getting redirects consistently from the UK Daily Mail site ( however this is a site I never visit, and only visited once a day or so ago because of a Google search result- so it doesn't necessarily correlate with your most popular sites). These redirects, at least for now, seem to have stopped.

It's hard to know whether the filters are working or this is because whatever poison code was getting in has been eliminated by the ISP.

I agree that these are scam sites trying to get money for clicks by hijacking people's browsing. I suppose we will have to get used to this happening every few weeks or so now....


Been happening here for a couple of days and is still happening.

Someone is making some pretty penny with all that redirection, cloaking and the accompanying CPA offers.

If you ask me it's kinda clever in an evil blackhat kind of way. Damned annoying though.

And please heed @Partington advice and don't start ripping your systems apart or messing with your registry.

Edited by dansan

After a full day of using those filters I made, I've seen nary a glimpse of the redirects, save for when I've used a browser that didn't have Adblock.

If you're using the filters and come across a site that is still redirecting you, please let me know which site.


I'm running Mac OSX 10.6.8 and use both Firefox and Chrome. Only ever had the problem in Firefox.

I haven't experienced the problem since Wednesday Sept 25th night after doing the following

1. Clearing the cache, deleting my history and cookies.

2. Disabling Java, I had it enabled for a Dlink Camera

As with previous threads I only experienced this on my most visited sites, news.bbc.co.uk and Telegraph.co.uk, some google results too.

Although the list was starting to grow after a while.

I didn't block any sites. There does seem to be some visit frequency/cookie connection to the behavior IMHO.

Agreed, it is cookie related.

Disabling the Java plugin is a good idea and will only affect a small number of sites of a typical user. Disabling Javascript however busts most internet sites.

Anyone still having the problem must have these rogue cookies present.

To see what's going on with problem machines (using Google Chrome) go to a non affected page and then select View > Developer > Java console and the screen will split showing what is executing in what order. Now go to your problem sites and watch what's going on and note the rogue URL's and make sure you never have cookies of these URL's by blocking them; either by having a cookie whitelist (blocking all cookies and manually adding the sites you use). Or allow all cookies and disallow the scumbag URL's.

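The "watch what loads on the problem sites and note the URLs" step from the post above, done over saved captures instead of by eye, as an added example that is not part of the original post. It assumes the network log of each affected page was saved from the browser's developer tools in HAR form (pass each file's `log.entries`); the entries, paths and first-party lists below are constructed, and `cdn.example.net` is a placeholder host.

```javascript
'use strict';

// Build one HAR-style entry (HAR 1.2 fields: request.url, response.content.mimeType).
function entry(url, mimeType) {
  return { request: { url }, response: { content: { mimeType } } };
}

// Constructed captures, one per affected page. The firstParty lists are supplied
// by the analyst; no public-suffix lookup is attempted here.
const CAPTURES = [
  { page: 'http://www.bbc.co.uk/', firstParty: ['bbc.co.uk', 'bbci.co.uk'],
    entries: [
      entry('http://static.bbci.co.uk/app.js', 'application/javascript'),
      entry('http://static.chartbeat.com/js/chartbeat.js', 'application/javascript'),
      entry('http://b.scorecardresearch.com/beacon.js', 'application/x-javascript'),
    ] },
  { page: 'http://www.telegraph.co.uk/', firstParty: ['telegraph.co.uk'],
    entries: [
      entry('http://www.telegraph.co.uk/main.js', 'text/javascript'),
      entry('http://b.scorecardresearch.com/beacon.js', 'application/x-javascript'),
      entry('http://edge.quantserve.com/quant.js', 'application/javascript'),
      entry('http://b.scorecardresearch.com/p?c1=2', 'image/gif'), // not script
    ] },
  { page: 'http://www.bloomberg.com/', firstParty: ['bloomberg.com'],
    entries: [
      entry('http://static.chartbeat.com/js/chartbeat.js', 'application/javascript'),
      entry('http://cdn.example.net/lib.js', 'application/javascript'),
    ] },
];

const isUnder = (host, domain) => host === domain || host.endsWith('.' + domain);

// Hosts that served JavaScript to this page and are not on its first-party list.
function thirdPartyScriptHosts(capture) {
  const hosts = new Set();
  for (const e of capture.entries) {
    if (!/javascript|ecmascript/i.test(e.response.content.mimeType || '')) continue;
    const host = new URL(e.request.url).hostname.toLowerCase();
    if (!capture.firstParty.some((d) => isUnder(host, d))) hosts.add(host);
  }
  return hosts;
}

// Rank third-party script hosts by how many affected pages loaded script from them.
function rankAcrossPages(captures) {
  const seen = new Map();
  for (const c of captures) {
    for (const h of thirdPartyScriptHosts(c)) seen.set(h, (seen.get(h) || 0) + 1);
  }
  return [...seen.entries()].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
}

console.log(rankAcrossPages(CAPTURES));
```

Hosts that recur across unrelated affected pages are the first candidates to inspect or block; a host seen on only one page is weaker evidence.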

I've only just come across this thread, same thing was happening to me, redirect to forex.com and then the cheaper car insurance site.

It only happened when I tried to access Bloomberg and barchart, the latter is US based also I think.

Drove me nuts, seems to be all OK now, just tried the previously affected sites.

No understanding of these things, wish I had read here earlier.


Wow, so am not the only one! I am sure I got this redirect virus through my True connection but they won't admit responsibility. I got the Trojan dropped too, which I only realized after I read this: http://www.thethailandlife.com/thai-internet-forex-redirect-virus I think I fixed it but have a friend coming to double check tomorrow. I get so paranoid about surfing the web here, especially in cafes that require no password logon.


Kennypowers - sure that link u sent was valid?? - I saw suggestions on it to download MacDefender or MacKeeper, which is apparently malware also.

You might have also installed some more malware now too?

Anyone else care to add their two cents. Just like other info on the internet, it's sometimes tricky to decipher what's legit.

Thx


Kennypowers - sure that link u sent was valid?? - I saw suggestions on it to download MacDefender or MacKeeper, which is apparently malware also.

You might have also installed some more malware now too?

Anyone else care to add their two cents. Just like other info on the internet, it's sometimes tricky to decipher what's legit.

Thx

@Big G, the link is bona fide. MacKeeper/Defender is legit software, I have that on my Mac. But you're right, you have to make sure you only install well-known malware/virus checkers or you can end up with more of the same!


Wow, so am not the only one! I am sure I got this redirect virus through my True connection but they won't admit responsibility. I got the Trojan dropped too, which I only realized after I read this: http://www.thethailandlife.com/thai-internet-forex-redirect-virus I think I fixed it but have a friend coming to double check tomorrow. I get so paranoid about surfing the web here, especially in cafes that require no password logon.

This doesn't appear to be wholly accurate based on what I've seen so far. Like I said before, I'm no expert, this is just what I've observed.

It doesn't appear to be a virus. My guess is compromised 3rd party scripts on some of the sites we visit.

It is not limited to just True, other providers in Thailand are similarly affected. The use of a VPN that shows a location other than Thailand appears to subvert the script. For whatever reason this looks like it's targeted at Thailand.

Blocking the scripts (obviously) alleviates the problem. While good, I don't believe HTTPS stops the script from running.

The claim that the sites (such as forex) install a trojan is news to me. It isn't outside the realm of possibility, I just haven't seen it.

It's too bad there isn't much real information about this, just what us amateur sleuths have been able to cobble together.


Wow, so am not the only one! I am sure I got this redirect virus through my True connection but they won't admit responsibility. I got the Trojan dropped too, which I only realized after I read this: http://www.thethailandlife.com/thai-internet-forex-redirect-virus I think I fixed it but have a friend coming to double check tomorrow. I get so paranoid about surfing the web here, especially in cafes that require no password logon.

This doesn't appear to be wholly accurate based on what I've seen so far. Like I said before, I'm no expert, this is just what I've observed.

It doesn't appear to be a virus. My guess is compromised 3rd party scripts on some of the sites we visit.

It is not limited to just True, other providers in Thailand are similarly affected. The use of a VPN that shows a location other than Thailand appears to subvert the script. For whatever reason this looks like it's targeted at Thailand.

Blocking the scripts (obviously) alleviates the problem. While good, I don't believe HTTPS stops the script from running.

The claim that the sites (such as forex) install a trojan is news to me. It isn't outside the realm of possibility, I just haven't seen it.

It's too bad there isn't much real information about this, just what us amateur sleuths have been able to cobble together.

You're right, it's not a virus it's a javascript that gets dropped when you visit a site and redirects you, although it's being referred to as a virus as these things normally are. It can, however, drop a trojan horse on you if you run a PC. Talking with a computer whiz friend today he said the fact that the Javascript can be executed means the hacker(s) could exploit the system in a number of ways, which they are probably working on. He said this is probably happening at the ISP level. Apparently True have been unable to solve this security breach for near on a month, and it started with the parking.ps redirect that others on Thaivisa reported a few weeks back. All I know is it makes me feel pretty uncomfortable about my passwords etc.

