Malicious redirect from google search











up vote
2
down vote

favorite
1












I encountered malicious redirects from Google Search results in two different laptops.



While browsing Google search results on chrome, I click on one of the links to a trusted https website. The click is somehow highjacked and lands me on a malicious site (clearly scam / phishing fake survey at best). If I close the malicious page and click again on the same link I'm redirected to the proper page. This happens randomly and very sparsely (twice a month aprox), so it's very difficult to reproduce at will.




  • None of them have any dubious addons, or dubious software. Nothing sketchy on the installed software list.

  • Chrome has the following addons installed: uBlock, u-Matrix, decentraleyes, httpseverywhere, and a few other (likely) irrelevant addons.

  • Malwarebytes and Nod32 full scan is clean. Nothing dubious when checking with processExplorer or autoruns (with virus total submission enabled).

  • Both laptops have different internet feeds, in fact they are in different cities. They have coexisted in the same network for a few weeks in the past.

  • DNS configuration seems unaltered (automatic), when checked with ipconfig points to servers owned by the ISP

  • The destination sites didn't seem the issue, they were reputable sites, last case (the only for which I can remember the site), from a big aerospace company, with no advertiser content, or 3rd party scripts apart from google analytics. The target website doesn't look like it even got loaded, I'm landed directly on malware domain, with no option to go "back" or no trace on the history of the original page.


What is the most likely explanation? Does this mean both computers are compromised by some kind of adware malware?



How could such a problem be traced to its cause?



Is this a new common thing I haven't heard about?










share|improve this question




















  • 1




    The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
    – Bennett Yeo
    Nov 26 at 16:41








  • 1




    Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
    – K7AAY
    Nov 26 at 16:46

















up vote
2
down vote

favorite
1












I encountered malicious redirects from Google Search results in two different laptops.



While browsing Google search results on chrome, I click on one of the links to a trusted https website. The click is somehow highjacked and lands me on a malicious site (clearly scam / phishing fake survey at best). If I close the malicious page and click again on the same link I'm redirected to the proper page. This happens randomly and very sparsely (twice a month aprox), so it's very difficult to reproduce at will.




  • None of them have any dubious addons, or dubious software. Nothing sketchy on the installed software list.

  • Chrome has the following addons installed: uBlock, u-Matrix, decentraleyes, httpseverywhere, and a few other (likely) irrelevant addons.

  • Malwarebytes and Nod32 full scan is clean. Nothing dubious when checking with processExplorer or autoruns (with virus total submission enabled).

  • Both laptops have different internet feeds, in fact they are in different cities. They have coexisted in the same network for a few weeks in the past.

  • DNS configuration seems unaltered (automatic), when checked with ipconfig points to servers owned by the ISP

  • The destination sites didn't seem the issue, they were reputable sites, last case (the only for which I can remember the site), from a big aerospace company, with no advertiser content, or 3rd party scripts apart from google analytics. The target website doesn't look like it even got loaded, I'm landed directly on malware domain, with no option to go "back" or no trace on the history of the original page.


What is the most likely explanation? Does this mean both computers are compromised by some kind of adware malware?



How could such a problem be traced to its cause?



Is this a new common thing I haven't heard about?










share|improve this question




















  • 1




    The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
    – Bennett Yeo
    Nov 26 at 16:41








  • 1




    Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
    – K7AAY
    Nov 26 at 16:46















up vote
2
down vote

favorite
1









up vote
2
down vote

favorite
1






1





I encountered malicious redirects from Google Search results in two different laptops.



While browsing Google search results on chrome, I click on one of the links to a trusted https website. The click is somehow highjacked and lands me on a malicious site (clearly scam / phishing fake survey at best). If I close the malicious page and click again on the same link I'm redirected to the proper page. This happens randomly and very sparsely (twice a month aprox), so it's very difficult to reproduce at will.




  • None of them have any dubious addons, or dubious software. Nothing sketchy on the installed software list.

  • Chrome has the following addons installed: uBlock, u-Matrix, decentraleyes, httpseverywhere, and a few other (likely) irrelevant addons.

  • Malwarebytes and Nod32 full scan is clean. Nothing dubious when checking with processExplorer or autoruns (with virus total submission enabled).

  • Both laptops have different internet feeds, in fact they are in different cities. They have coexisted in the same network for a few weeks in the past.

  • DNS configuration seems unaltered (automatic), when checked with ipconfig points to servers owned by the ISP

  • The destination sites didn't seem the issue, they were reputable sites, last case (the only for which I can remember the site), from a big aerospace company, with no advertiser content, or 3rd party scripts apart from google analytics. The target website doesn't look like it even got loaded, I'm landed directly on malware domain, with no option to go "back" or no trace on the history of the original page.


What is the most likely explanation? Does this mean both computers are compromised by some kind of adware malware?



How could such a problem be traced to its cause?



Is this a new common thing I haven't heard about?










share|improve this question















I encountered malicious redirects from Google Search results in two different laptops.



While browsing Google search results on chrome, I click on one of the links to a trusted https website. The click is somehow highjacked and lands me on a malicious site (clearly scam / phishing fake survey at best). If I close the malicious page and click again on the same link I'm redirected to the proper page. This happens randomly and very sparsely (twice a month aprox), so it's very difficult to reproduce at will.




  • None of them have any dubious addons, or dubious software. Nothing sketchy on the installed software list.

  • Chrome has the following addons installed: uBlock, u-Matrix, decentraleyes, httpseverywhere, and a few other (likely) irrelevant addons.

  • Malwarebytes and Nod32 full scan is clean. Nothing dubious when checking with processExplorer or autoruns (with virus total submission enabled).

  • Both laptops have different internet feeds, in fact they are in different cities. They have coexisted in the same network for a few weeks in the past.

  • DNS configuration seems unaltered (automatic), when checked with ipconfig points to servers owned by the ISP

  • The destination sites didn't seem the issue, they were reputable sites, last case (the only for which I can remember the site), from a big aerospace company, with no advertiser content, or 3rd party scripts apart from google analytics. The target website doesn't look like it even got loaded, I'm landed directly on malware domain, with no option to go "back" or no trace on the history of the original page.


What is the most likely explanation? Does this mean both computers are compromised by some kind of adware malware?



How could such a problem be traced to its cause?



Is this a new common thing I haven't heard about?







google-chrome malware






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 29 at 19:30

























asked Nov 26 at 16:30









darmual

5811




5811








  • 1




    The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
    – Bennett Yeo
    Nov 26 at 16:41








  • 1




    Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
    – K7AAY
    Nov 26 at 16:46
















  • 1




    The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
    – Bennett Yeo
    Nov 26 at 16:41








  • 1




    Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
    – K7AAY
    Nov 26 at 16:46










1




1




The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
– Bennett Yeo
Nov 26 at 16:41






The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
– Bennett Yeo
Nov 26 at 16:41






1




1




Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
– K7AAY
Nov 26 at 16:46






Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
– K7AAY
Nov 26 at 16:46












1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted











I encountered malicious redirects from Google Search results in two different laptops.




Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.



Double check your search results for the "This site may be hacked" message such as this one:



Google Search - "This site may be hacked" message



Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.





Here is the example of such malware (see icon64s.png file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler() function), it's redirecting you to some malicious site.





You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.






share|improve this answer























  • Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
    – darmual
    Nov 29 at 19:26










  • You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
    – kenorb
    Nov 29 at 20:43













Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1378506%2fmalicious-redirect-from-google-search%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote



accepted











I encountered malicious redirects from Google Search results in two different laptops.




Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.



Double check your search results for the "This site may be hacked" message such as this one:



Google Search - "This site may be hacked" message



Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.





Here is the example of such malware (see icon64s.png file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler() function), it's redirecting you to some malicious site.





You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.






share|improve this answer























  • Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
    – darmual
    Nov 29 at 19:26










  • You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
    – kenorb
    Nov 29 at 20:43

















up vote
1
down vote



accepted











I encountered malicious redirects from Google Search results in two different laptops.




Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.



Double check your search results for the "This site may be hacked" message such as this one:



Google Search - "This site may be hacked" message



Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.





Here is the example of such malware (see icon64s.png file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler() function), it's redirecting you to some malicious site.





You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.






share|improve this answer























  • Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
    – darmual
    Nov 29 at 19:26










  • You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
    – kenorb
    Nov 29 at 20:43















up vote
1
down vote



accepted







up vote
1
down vote



accepted







I encountered malicious redirects from Google Search results in two different laptops.




Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.



Double check your search results for the "This site may be hacked" message such as this one:



Google Search - "This site may be hacked" message



Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.





Here is the example of such malware (see icon64s.png file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler() function), it's redirecting you to some malicious site.





You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.






share|improve this answer















I encountered malicious redirects from Google Search results in two different laptops.




Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.



Double check your search results for the "This site may be hacked" message such as this one:



Google Search - "This site may be hacked" message



Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.





Here is the example of such malware (see icon64s.png file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler() function), it's redirecting you to some malicious site.





You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.







share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 29 at 20:42

























answered Nov 28 at 17:58









kenorb

10.5k1576108




10.5k1576108












  • Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
    – darmual
    Nov 29 at 19:26










  • You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
    – kenorb
    Nov 29 at 20:43




















  • Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
    – darmual
    Nov 29 at 19:26










  • You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
    – kenorb
    Nov 29 at 20:43


















Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
– darmual
Nov 29 at 19:26




Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
– darmual
Nov 29 at 19:26












You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
– kenorb
Nov 29 at 20:43






You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
– kenorb
Nov 29 at 20:43




















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1378506%2fmalicious-redirect-from-google-search%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror

Mangá

Eduardo VII do Reino Unido