RedCafe Malicious Advert?

[Niall]

It was in the US Airways thread, https://www.redcafe.net/threads/us-airlines-tweet.388712/.

Sorry just noticed you mentioned this in your OP.

There are no ads in the general forum, so it's not come from some rogue code in an ad. I don't see anything specific in any of the posts in that thread that might cause it either. Possibly something on your machine? Have you done a full virus scan / malware clean up etc?

 

[Zarlak]

@Niall I haven't, but it replicated 3 times by refreshing that page. I'll do a test when I get home tonight.

 

[Niall]

@Niall I haven't, but it replicated 3 times by refreshing that page. I'll do a test when I get home tonight.

What operating system and browser are you using?

 

[Zarlak]

What operating system and browser are you using?

Windows 7, Chrome. I haven't had it on any other website, it pops up pretending to be Adobe Flash player but you can see player is spelt palyer, then auto downloads a setup.exe.

It might well be a virus so I'll check when I'm back from work, I just thought it strange that it only appeared in that thread.

 

[duffer]

I got exactly the same thing as Zarlak a few days ago. I am using Windows 7 and Firefox. Can't remember the thread but if it happens again i'll take a screenshot.

 

[Niall]

Changes have been made to the ad inventory to hopefully filter out these dodgy ads. Can people please let me know if they see them again and if possible take a screenshot?

 

[Woodzy]

Browsing the forums on my iPad and I was taken to the AppStore automatically very recently. Being an iPad it's likely that I clicked something for this to happen, but I'm convinced that I didn't.

 

[Eugenius]

I was reading the Moyes sacking thread on my nexus 7 and got a pop up telling me I needed flash player. I pressed the back button but it still took me to a fake Ad0be site where it forcefully downloaded what I assume to be a malicious exe file

 

[Madthinker]

At 17:15 (I think while browsing the 'invite only' thread, I got taken to update4.flashes-player.us, which forcibly downloaded a setup.exe and gave the usual spiel about needing to upgrade.

On Chrome/Windows 8.

 

[Woodzy]

I was reading the Moyes sacking thread on my nexus 7 and got a pop up telling me I needed flash player. I pressed the back button but it still took me to a fake Ad0be site where it forcefully downloaded what I assume to be a malicious exe file

I just got this on my desktop.

 

[Twigg]

Happened with me too, except the download.

 

[WeasteDevil]

You have something really naughty going on. At times when you refresh the page it redirects you to a page saying that you have to update Flash, which obviously Adobe would not do. It looks authentic but is asking people to install setup.exe from a dodgy site.

This has been happening all day. It happens even if you press F5 at times.

 

[WeasteDevil]

Happened with me too, except the download.

It's still happening, it has only been doing this to me today, but it seems that it has been going on all week.

 

[LR7]

Browsing the forums on my iPad and I was taken to the AppStore automatically very recently. Being an iPad it's likely that I clicked something for this to happen, but I'm convinced that I didn't.

I keep getting this. Definitely not clicking anything but taken to some game page in the AppStore.

 

[Niall]

You have something really naughty going on. At times when you refresh the page it redirects you to a page saying that you have to update Flash, which obviously Adobe would not do. It looks authentic but is asking people to install setup.exe from a dodgy site.

This has been happening all day. It happens even if you press F5 at times.

It's still happening, it has only been doing this to me today, but it seems that it has been going on all week.

I've removed the ad code which I think is the source of these Adobe ads. Please let me know if you keep seeing and what page you are on when it happens.

I keep getting this. Definitely not clicking anything but taken to some game page in the AppStore.

The iOS redirects is a widespread problem across many ad networks and I'm trying to filter them out as best I can. It's proving difficult though

 

[Revan]

Yeah, it happened to me today on my laptop too but my antivirus catched the malicious file.

 

[Grinner]

@Niall twice today I've clicked on a thread to open it and it's opened a pop-up ad in a new window.

 

[jojojo]

That fake flash player thing suddenly appeared on my network yesterday. Not just on the caf though. I ran a few tests. Turned out it was redirecting traffic that should have gone to google _ including site custom searches. It was actually a router worm rather than something on the machines.

 

[Twigg]

Yeah, I've been getting this on a lot of other sites too. When you say a router worm, do you mean it's in our routers or website's routers?

 

[jojojo]

My router. Linksys, netgear, tplink are under attack. I had to switch routers as there's currently no firmware/settings fix for the one I had that got infected.

 

[Twigg]

Got it again just now. Was redirected away from the caf.

 

[peterstorey]

I just got some shit popping up on android (not the usual suspects)

 

[Niall]

I just got some shit popping up on android (not the usual suspects)

Got it again just now. Was redirected away from the caf.

What page were you on? What were you redirected to / what popped up? Any screenshots?

 

[peterstorey]

It was a 'you have a virus alert'. No useful diagnostics I'm afraid

 

[Niall]

It was a 'you have a virus alert'. No useful diagnostics I'm afraid

Has it happened on any other site you've been on? Can you remember if you were you looking at a thread, the forum list or a thread list page?

 

[peterstorey]

Never seen it before, I think I was in a regular thread

 

[Niall]

Never seen it before, I think I was in a regular thread

What operating system and browser are you using?

 

[Ramshock]

Shouldnt this be a sticky? Seems to pop up quite regularly this thread

 

[peterstorey]

What operating system and browser are you using?

Chrome & android 442

 

[Crackers]

It might be an idea to open press f12 and looking at the console tab anytime you(or any of us) gets an error. Giving Niall the information from the link might be helpful.
@Niall could it be some sort of cross site scripting?

 

[Niall]

It might be an idea to open press f12 and looking at the console tab anytime you(or any of us) gets an error. Giving Niall the information from the link might be helpful.
@Niall could it be some sort of cross site scripting?

Doubt it. If there was a security hole in XenForo and somebody was injecting malicious code into content on the site, it would be happening to a lot more people.

It's either ads that have malicious javascript embedded in them (a big problem with many ad networks atm) or it's an issue on the user's end, possibly a hacked router as described by somebody else in this thread.

Either way, it's extremely difficult for me to track down and stop

 

[Silent_Running]

i just got an ad saying my pc has been locked due to me looking at child porn and i have to pay £100 fine to use my 'computer' again. I'm on my phone here but if i was at work and somebody saw that i would be seriously angry. As someone who doesn't look at child porn, I'm pretty upset about this and i think something needs to be done, Niall.

i had been getting other malware ads for 'flash player' installations and stuff like that, but this is a bit too far.

 

[Big-Red]

i just got an ad saying my pc has been locked due to me looking at child porn and i have to pay £100 fine to use my 'computer' again. I'm on my phone here but if i was at work and somebody saw that i would be seriously angry. As someone who doesn't look at child porn, I'm pretty upset about this and i think something needs to be done, Niall.

i had been getting other malware ads for 'flash player' installations and stuff like that, but this is a bit too far.

Thats a virus.

 

[Silent_Running]

Thats a virus.

on my (windows) phone?

 

[rcoobc]

i just got an ad saying my pc has been locked due to me looking at child porn and i have to pay £100 fine to use my 'computer' again. I'm on my phone here but if i was at work and somebody saw that i would be seriously angry. As someone who doesn't look at child porn, I'm pretty upset about this and i think something needs to be done, Niall.

i had been getting other malware ads for 'flash player' installations and stuff like that, but this is a bit too far.

(Sorry that's hilarious)

I haven't had these stupid things in ages. I recommend everyone get Avast for the phone. It might not be doing anything, buy I haven't got it in a while

 

[Big-Red]

on my (windows) phone?

I just know that the child porn warning thing is a well known virus. Theres something mad going on here though, I've yet to see any dodgy ads.

 

[jojojo]

I just know that the child porn warning thing is a well known virus. Theres something mad going on here though, I've yet to see any dodgy ads.

As I mentioned earlier, I did have a router get hacked a week or so ago that simultaneously put all these kinds of symptoms on all the gadgets in the house - phones and computers. It took me a few hours to understand the problem but since the router work that I did I've seen no recurrence - though I will say I'm getting more server busy messages from RedCafe than normal.

A common variant of the problem is Google and similar search sites getting diverted to Conduit Search either by changes in browser setting, entries in their hosts file, or by the individual machine (or the router) being switched to use a hacked or spoof DNS server. It wouldn't be a surprise if certain advertising server addresses are now being diverted as well.

I guess the other "why not everyone" thing is that context/target sensitive advertising may mean it really is just some ads that have something nasty embedded - right now my browser is busy trying to sell me flight tickets, cameras and flashAir cards but I'm sure that's not true for everyone.

 

[jojojo]

i just got an ad saying my pc has been locked due to me looking at child porn and i have to pay £100 fine to use my 'computer' again. I'm on my phone here but if i was at work and somebody saw that i would be seriously angry. As someone who doesn't look at child porn, I'm pretty upset about this and i think something needs to be done, Niall.

i had been getting other malware ads for 'flash player' installations and stuff like that, but this is a bit too far.

That sounds like the Windows classic known as the police virus
http://blog.vilmatech.com/metropoli...-remove-metropolitan-police-virus-completely/
I haven't seen it on a phone, but I don't see why they can't get it.
Do you have an AV program?

The most shocking version of it that I've seen included approximate location based on IP address and a photo of the "accused" taken with his webcam

 

[Member 60376]

Yes, ransomware

Backup your pc to some place safe @Silent_Running

Edit and an anti virus also

 

[rcoobc]

As I mentioned earlier, I did have a router get hacked a week or so ago that simultaneously put all these kinds of symptoms on all the gadgets in the house - phones and computers. It took me a few hours to understand the problem but since the router work that I did I've seen no recurrence - though I will say I'm getting more server busy messages from RedCafe than normal.

A common variant of the problem is Google and similar search sites getting diverted to Conduit Search either by changes in browser setting, entries in their hosts file, or by the individual machine (or the router) being switched to use a hacked or spoof DNS server. It wouldn't be a surprise if certain advertising server addresses are now being diverted as well.

I guess the other "why not everyone" thing is that context/target sensitive advertising may mean it really is just some ads that have something nasty embedded - right now my browser is busy trying to sell me flight tickets, cameras and flashAir cards but I'm sure that's not true for everyone.

This is a good point. My phone is trying to constantly sell me cash back credit cards and baby gates, jenga and monitors from Amazon. I havent seen any adverts but those on the caf for ages.