Malicious redirect from google search
up vote
2
down vote
favorite
I encountered malicious redirects from Google Search results in two different laptops.
While browsing Google search results on chrome, I click on one of the links to a trusted https website. The click is somehow highjacked and lands me on a malicious site (clearly scam / phishing fake survey at best). If I close the malicious page and click again on the same link I'm redirected to the proper page. This happens randomly and very sparsely (twice a month aprox), so it's very difficult to reproduce at will.
- None of them have any dubious addons, or dubious software. Nothing sketchy on the installed software list.
- Chrome has the following addons installed: uBlock, u-Matrix, decentraleyes, httpseverywhere, and a few other (likely) irrelevant addons.
- Malwarebytes and Nod32 full scan is clean. Nothing dubious when checking with processExplorer or autoruns (with virus total submission enabled).
- Both laptops have different internet feeds, in fact they are in different cities. They have coexisted in the same network for a few weeks in the past.
- DNS configuration seems unaltered (automatic), when checked with ipconfig points to servers owned by the ISP
- The destination sites didn't seem the issue, they were reputable sites, last case (the only for which I can remember the site), from a big aerospace company, with no advertiser content, or 3rd party scripts apart from google analytics. The target website doesn't look like it even got loaded, I'm landed directly on malware domain, with no option to go "back" or no trace on the history of the original page.
What is the most likely explanation? Does this mean both computers are compromised by some kind of adware malware?
How could such a problem be traced to its cause?
Is this a new common thing I haven't heard about?
google-chrome malware
add a comment |
up vote
2
down vote
favorite
I encountered malicious redirects from Google Search results in two different laptops.
While browsing Google search results on chrome, I click on one of the links to a trusted https website. The click is somehow highjacked and lands me on a malicious site (clearly scam / phishing fake survey at best). If I close the malicious page and click again on the same link I'm redirected to the proper page. This happens randomly and very sparsely (twice a month aprox), so it's very difficult to reproduce at will.
- None of them have any dubious addons, or dubious software. Nothing sketchy on the installed software list.
- Chrome has the following addons installed: uBlock, u-Matrix, decentraleyes, httpseverywhere, and a few other (likely) irrelevant addons.
- Malwarebytes and Nod32 full scan is clean. Nothing dubious when checking with processExplorer or autoruns (with virus total submission enabled).
- Both laptops have different internet feeds, in fact they are in different cities. They have coexisted in the same network for a few weeks in the past.
- DNS configuration seems unaltered (automatic), when checked with ipconfig points to servers owned by the ISP
- The destination sites didn't seem the issue, they were reputable sites, last case (the only for which I can remember the site), from a big aerospace company, with no advertiser content, or 3rd party scripts apart from google analytics. The target website doesn't look like it even got loaded, I'm landed directly on malware domain, with no option to go "back" or no trace on the history of the original page.
What is the most likely explanation? Does this mean both computers are compromised by some kind of adware malware?
How could such a problem be traced to its cause?
Is this a new common thing I haven't heard about?
google-chrome malware
1
The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
– Bennett Yeo
Nov 26 at 16:41
1
Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
– K7AAY
Nov 26 at 16:46
add a comment |
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I encountered malicious redirects from Google Search results in two different laptops.
While browsing Google search results on chrome, I click on one of the links to a trusted https website. The click is somehow highjacked and lands me on a malicious site (clearly scam / phishing fake survey at best). If I close the malicious page and click again on the same link I'm redirected to the proper page. This happens randomly and very sparsely (twice a month aprox), so it's very difficult to reproduce at will.
- None of them have any dubious addons, or dubious software. Nothing sketchy on the installed software list.
- Chrome has the following addons installed: uBlock, u-Matrix, decentraleyes, httpseverywhere, and a few other (likely) irrelevant addons.
- Malwarebytes and Nod32 full scan is clean. Nothing dubious when checking with processExplorer or autoruns (with virus total submission enabled).
- Both laptops have different internet feeds, in fact they are in different cities. They have coexisted in the same network for a few weeks in the past.
- DNS configuration seems unaltered (automatic), when checked with ipconfig points to servers owned by the ISP
- The destination sites didn't seem the issue, they were reputable sites, last case (the only for which I can remember the site), from a big aerospace company, with no advertiser content, or 3rd party scripts apart from google analytics. The target website doesn't look like it even got loaded, I'm landed directly on malware domain, with no option to go "back" or no trace on the history of the original page.
What is the most likely explanation? Does this mean both computers are compromised by some kind of adware malware?
How could such a problem be traced to its cause?
Is this a new common thing I haven't heard about?
google-chrome malware
I encountered malicious redirects from Google Search results in two different laptops.
While browsing Google search results on chrome, I click on one of the links to a trusted https website. The click is somehow highjacked and lands me on a malicious site (clearly scam / phishing fake survey at best). If I close the malicious page and click again on the same link I'm redirected to the proper page. This happens randomly and very sparsely (twice a month aprox), so it's very difficult to reproduce at will.
- None of them have any dubious addons, or dubious software. Nothing sketchy on the installed software list.
- Chrome has the following addons installed: uBlock, u-Matrix, decentraleyes, httpseverywhere, and a few other (likely) irrelevant addons.
- Malwarebytes and Nod32 full scan is clean. Nothing dubious when checking with processExplorer or autoruns (with virus total submission enabled).
- Both laptops have different internet feeds, in fact they are in different cities. They have coexisted in the same network for a few weeks in the past.
- DNS configuration seems unaltered (automatic), when checked with ipconfig points to servers owned by the ISP
- The destination sites didn't seem the issue, they were reputable sites, last case (the only for which I can remember the site), from a big aerospace company, with no advertiser content, or 3rd party scripts apart from google analytics. The target website doesn't look like it even got loaded, I'm landed directly on malware domain, with no option to go "back" or no trace on the history of the original page.
What is the most likely explanation? Does this mean both computers are compromised by some kind of adware malware?
How could such a problem be traced to its cause?
Is this a new common thing I haven't heard about?
google-chrome malware
google-chrome malware
edited Nov 29 at 19:30
asked Nov 26 at 16:30
darmual
5811
5811
1
The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
– Bennett Yeo
Nov 26 at 16:41
1
Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
– K7AAY
Nov 26 at 16:46
add a comment |
1
The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
– Bennett Yeo
Nov 26 at 16:41
1
Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
– K7AAY
Nov 26 at 16:46
1
1
The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
– Bennett Yeo
Nov 26 at 16:41
The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
– Bennett Yeo
Nov 26 at 16:41
1
1
Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
– K7AAY
Nov 26 at 16:46
Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
– K7AAY
Nov 26 at 16:46
add a comment |
1 Answer
1
active
oldest
votes
up vote
1
down vote
accepted
I encountered malicious redirects from Google Search results in two different laptops.
Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.
Double check your search results for the "This site may be hacked" message such as this one:
Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.
Here is the example of such malware (see icon64s.png
file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler()
function), it's redirecting you to some malicious site.
You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.
Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
– darmual
Nov 29 at 19:26
You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
– kenorb
Nov 29 at 20:43
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
accepted
I encountered malicious redirects from Google Search results in two different laptops.
Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.
Double check your search results for the "This site may be hacked" message such as this one:
Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.
Here is the example of such malware (see icon64s.png
file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler()
function), it's redirecting you to some malicious site.
You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.
Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
– darmual
Nov 29 at 19:26
You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
– kenorb
Nov 29 at 20:43
add a comment |
up vote
1
down vote
accepted
I encountered malicious redirects from Google Search results in two different laptops.
Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.
Double check your search results for the "This site may be hacked" message such as this one:
Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.
Here is the example of such malware (see icon64s.png
file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler()
function), it's redirecting you to some malicious site.
You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.
Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
– darmual
Nov 29 at 19:26
You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
– kenorb
Nov 29 at 20:43
add a comment |
up vote
1
down vote
accepted
up vote
1
down vote
accepted
I encountered malicious redirects from Google Search results in two different laptops.
Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.
Double check your search results for the "This site may be hacked" message such as this one:
Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.
Here is the example of such malware (see icon64s.png
file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler()
function), it's redirecting you to some malicious site.
You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.
I encountered malicious redirects from Google Search results in two different laptops.
Maybe the problem isn't with your laptops, but the website it-self has been infected with a malware.
Double check your search results for the "This site may be hacked" message such as this one:
Some malware are smart, and they redirect you to the spam website only when you're coming from the search engine (such as Google), but when you open the page normally (when you go directly), the redirect won't happen. This way, the owner of the website won't notice malware presence when opening his own pages.
Here is the example of such malware (see icon64s.png
file). Once it gets loaded on the remote server, then when you're coming from the search engine (isCrawler()
function), it's redirecting you to some malicious site.
You can try to scan the website using online anti-virus (such as Virus Total or VirusDesk service), however if the malware has conditions to be present only when user is coming from the search engines, none of the services will detect it. At the end, it's just a redirect.
edited Nov 29 at 20:42
answered Nov 28 at 17:58
kenorb
10.5k1576108
10.5k1576108
Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
– darmual
Nov 29 at 19:26
You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
– kenorb
Nov 29 at 20:43
add a comment |
Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
– darmual
Nov 29 at 19:26
You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
– kenorb
Nov 29 at 20:43
Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
– darmual
Nov 29 at 19:26
Just opened the website from google search results from my cellphone (via LTE to have a different IP) got redirected to the scamy website! Apparently keeps track of IP and only redirects the first time (or after a really long time). Is there any way to make completely sure this is the case?
– darmual
Nov 29 at 19:26
You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
– kenorb
Nov 29 at 20:43
You can try to scan it using Virus Total, however if the malware has condition on the backend to be activated only when coming from the search engines, I doubt you can detect it. At the end, it's just a redirect.
– kenorb
Nov 29 at 20:43
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1378506%2fmalicious-redirect-from-google-search%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
The behavior sounds like a malicious application. If this behavior persists across browsers it's definitely 3rd party. Check through your installed programs and uninstall anything that looks sketchy. If both computers are compromised make a list of applications that are installed on both computers and go from there.
– Bennett Yeo
Nov 26 at 16:41
1
Also suggest you try ESET eset.com/us/home/free-trial ; it has found a few malwares which Malwarebytes has missed. Both laptops on the same Internet feed? Your router could be compromised. Try them on a different connection, or change the DNS Server settings of the router to an open server as shown below. Once you have tried that, please click on edit and update the original post with what you've tried and the results; comments are for folks helping, your updates should go in your question.
– K7AAY
Nov 26 at 16:46