
Funny trojan pop-ups

Discussion in 'Fred's House of Pancakes' started by bwilson4web, Oct 25, 2017.

  1. bwilson4web

    bwilson4web BMW i3 and Model 3

    Joined:
    Nov 25, 2005
    27,372
    15,513
    0
    Location:
    Huntsville AL
    Vehicle:
    2018 Tesla Model 3
    Model:
    Prime Plus
    So I was reading the news on my iPhone while visiting "Politifact", when these gems showed up:

    [screenshots]
    Surprised, I tried it a second time and got it again. But it would not replicate a third time. So I smiled when I went home.

    At home, I grinned to see this show up on a MacOS 10.13:
    [screenshot]

    Clearing the cache on the iPhone got the images on the iPhone that I made snapshots of.

    Later, I went to the Politifact Facebook page and left a message with the screen shots. I suspect their revenue ad generator was hacked. Regardless, I also shared it with Apple so they can ignore it too.

    For fun, I did a: whois "subappbesttelephone.site"

    Other Domains exist on the IP 2400:cb00:2048:1::681b:86b6

    Website SFW
    Subappbesttelephone.site

    Affiliatedtm.com
    Enmistresskvinder.xyz
    Portable-anniegroup.tech
    Avalulri.ru
    Beaconhealthoptoins.com

    I am amused.

    Bob Wilson
     
    #1 bwilson4web, Oct 25, 2017
    Last edited: Oct 25, 2017
    RCO and pilotgrrl like this.
  2. pilotgrrl

    pilotgrrl Senior Member

    Joined:
    Jul 23, 2017
    891
    1,796
    0
    Location:
    Chicagoan in TX
    Vehicle:
    2016 Prius
    Model:
    Three
    At least it didn't tell you "iPhone user, you won a $500 Walmart gift card".

    Posted via the PriusChat mobile app.
     
    Kramah313 and RCO like this.
  3. bisco

    bisco cookie crumbler

    Joined:
    May 11, 2005
    108,693
    49,392
    0
    Location:
    boston
    Vehicle:
    2012 Prius Plug-in
    Model:
    Plug-in Base
    Could this be the problem Prodigyplace mentioned in his thread regarding wifi weakness?
     
  4. bwilson4web

    I don’t think so.

    Bob Wilson
     
  5. pilotgrrl

    No, this is not related to KRACK. I've seen these on various Android phones.

    Posted via the PriusChat mobile app.
     
    RCO likes this.
  6. fuzzy1

    fuzzy1 Senior Member

    Joined:
    Feb 26, 2009
    17,315
    10,163
    90
    Location:
    Western Washington
    Vehicle:
    Other Hybrid
    Model:
    N/A
    This is one reason I still do most of my activity on a non-mobile device, with a browser that lets me turn off popups and advertising.

    Win10's Edge browser is completely unusable to me. It was hit with similar scams in less than one minute after first being opened the same day I set up this machine. Queries to Cortana that open up results in Edge are similarly hit within seconds.
    I'm being gypped! All the Walmart / Home Depot / Lowes / Costco / Sams Club / Amazon / Ebay / Walgreens / CVS /Target / Chase gift cards in the Quarantine folder of my legacy email are just $50, except for a rare $75.

    How did you qualify for more valuable scams? :)
     
    #6 fuzzy1, Oct 25, 2017
    Last edited: Oct 25, 2017
    RCO and hkmb like this.
  7. pilotgrrl

    There are Android browsers that have pop-up blockers. The Samsung browser works well on non-Samsung devices.

    Posted via the PriusChat mobile app.
     
    RCO likes this.
  8. Prodigyplace

    Prodigyplace Senior Member

    Joined:
    Nov 1, 2016
    11,696
    11,318
    0
    Location:
    Central Virginia
    Vehicle:
    2017 Prius
    Model:
    Two
    On the iPhone there is a pop-up block setting under Settings -> Safari. No additional software needed. I think it is on by default.
     
  9. bwilson4web

    The pop-up blocker is on, but it looks like Politifact may be generating their own advertisement pop-ups.

    Bob Wilson
     
    RCO and Prodigyplace like this.
  10. bwilson4web

    Well the mystery popup showed up again and I was able to get a screen shot with:

    go.pushnative.com/ck.php? ....

    nslookup go.pushnative.com
    Server: 69.1.30.42
    Address: 69.1.30.42#53

    Non-authoritative answer:
    Name: go.pushnative.com
    Address: 188.42.162.170
    Name: go.pushnative.com
    Address: 188.42.162.211
    Name: go.pushnative.com
    Address: 188.42.162.146
    Name: go.pushnative.com
    Address: 88.85.82.156
    Name: go.pushnative.com
    Address: 188.42.162.246

    traceroute -m 20 188.42.162.211
    traceroute to 188.42.162.211 (188.42.162.211), 20 hops max, 52 byte packets
    1 192.168.0.1 (192.168.0.1) 2.105 ms 1.099 ms 1.119 ms
    2 24.214.48.1 (24.214.48.1) 12.108 ms 11.678 ms 9.040 ms
    3 static-69-73-0-29.knology.net (69.73.0.29) 11.439 ms 10.444 ms 9.546 ms
    4 user-24-96-153-141.knology.net (24.96.153.141) 9.945 ms 10.492 ms 10.293 ms
    5 user-24-96-153-73.knology.net (24.96.153.73) 32.334 ms 28.955 ms
    user-24-96-2-4.knology.net (24.96.2.4) 10.231 ms
    6 dynamic-76-73-195-237.knology.net (76.73.195.237) 27.608 ms
    dynamic-75-76-35-14.knology.net (75.76.35.14) 28.408 ms
    dynamic-76-73-195-237.knology.net (76.73.195.237) 26.377 ms
    7 dynamic-75-76-35-11.knology.net (75.76.35.11) 28.254 ms
    76-73-165-85.knology.net (76.73.165.85) 40.570 ms
    dynamic-75-76-35-11.knology.net (75.76.35.11) 30.308 ms
    8 dynamic-75-76-35-2.knology.net (75.76.35.2) 39.873 ms 37.399 ms 38.526 ms
    9 dynamic-75-76-35-2.knology.net (75.76.35.2) 32.307 ms 31.152 ms
    xe-11-1-0.edge2.chicago2.level3.net (4.53.74.117) 38.528 ms
    10 xe-11-1-0.edge2.chicago2.level3.net (4.53.74.117) 32.275 ms
    ip-transit.ear4.amsterdam1.level3.net (212.72.41.106) 126.463 ms
    ip-transit.ear4.amsterdam1.level3.net (212.72.41.102) 122.403 ms
    11 ip-transit.ear4.amsterdam1.level3.net (212.72.41.118) 115.824 ms *
    ip-transit.ear4.amsterdam1.level3.net (212.72.41.106) 122.925 ms

    I wonder if the far side of 'ip-transit.ear4.amsterdam1.level3.net' is Eastern Europe or Russia.

    Bob Wilson
     
    RCO likes this.
  11. bwilson4web

    Cool! I've got the iPhone web site:

    ASCII art!

    nslookup mytechiebestdevwebs.site
    Server: 69.1.30.42
    Address: 69.1.30.42#53

    Non-authoritative answer:
    Name: mytechiebestdevwebs.site
    Address: 104.28.10.157
    Name: mytechiebestdevwebs.site
    Address: 104.28.11.157

    traceroute 104.28.10.157
    traceroute to 104.28.10.157 (104.28.10.157), 64 hops max, 52 byte packets
    1 192.168.0.1 (192.168.0.1) 5.506 ms 3.421 ms 3.358 ms
    2 24.214.48.1 (24.214.48.1) 8.805 ms 6.737 ms 10.519 ms
    3 static-69-73-0-29.knology.net (69.73.0.29) 12.670 ms 13.395 ms 11.246 ms
    4 user-24-96-153-141.knology.net (24.96.153.141) 9.920 ms 12.596 ms 10.861 ms
    5 user-24-96-2-4.knology.net (24.96.2.4) 11.088 ms 11.470 ms
    user-24-96-153-133.knology.net (24.96.153.133) 18.311 ms
    6 static-216-186-189-254.knology.net (216.186.189.254) 17.511 ms 17.488 ms 17.262 ms
    7 dynamic-75-76-35-117.knology.net (75.76.35.117) 19.838 ms
    dynamic-75-76-35-112.knology.net (75.76.35.112) 17.753 ms 18.561 ms
    8 dynamic-75-76-35-115.knology.net (75.76.35.115) 17.933 ms
    user-75-76-127-174.knology.net (75.76.127.174) 19.310 ms
    dynamic-75-76-35-115.knology.net (75.76.35.115) 19.063 ms
    9 198.32.132.136 (198.32.132.136) 18.925 ms 18.985 ms 18.305 ms
    10 104.28.10.157 (104.28.10.157) 17.271 ms 17.611 ms 18.455 ms

    $ traceroute 104.28.11.157
    traceroute to 104.28.11.157 (104.28.11.157), 64 hops max, 52 byte packets
    1 192.168.0.1 (192.168.0.1) 2.334 ms 1.015 ms 0.911 ms
    2 24.214.48.1 (24.214.48.1) 11.681 ms 8.965 ms 9.448 ms
    3 static-69-73-0-29.knology.net (69.73.0.29) 6.080 ms 22.186 ms 7.214 ms
    4 user-24-96-153-141.knology.net (24.96.153.141) 11.826 ms 10.892 ms 13.404 ms
    5 user-24-96-153-133.knology.net (24.96.153.133) 8.043 ms
    user-24-96-2-4.knology.net (24.96.2.4) 11.642 ms
    user-24-96-153-133.knology.net (24.96.153.133) 14.828 ms
    6 static-216-186-189-254.knology.net (216.186.189.254) 27.859 ms 27.173 ms 19.945 ms
    7 dynamic-75-76-35-117.knology.net (75.76.35.117) 20.606 ms 20.784 ms 17.890 ms
    8 user-75-76-127-174.knology.net (75.76.127.174) 22.129 ms
    dynamic-75-76-35-115.knology.net (75.76.35.115) 27.149 ms
    user-75-76-127-174.knology.net (75.76.127.174) 19.988 ms
    9 198.32.132.136 (198.32.132.136) 21.208 ms 19.189 ms 25.844 ms
    10 104.28.11.157 (104.28.11.157) 21.675 ms 19.061 ms 18.852 ms

    NetRange: 104.16.0.0 - 104.31.255.255
    CIDR: 104.16.0.0/12
    NetName: CLOUDFLARENET
    NetHandle: NET-104-16-0-0-1
    Parent: NET104 (NET-104-0-0-0-0)
    NetType: Direct Assignment
    OriginAS: AS13335
    Organization: Cloudflare, Inc. (CLOUD14)
    RegDate: 2014-03-28
    Updated: 2017-02-17
    Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
    Ref: https://whois.arin.net/rest/net/NET-104-16-0-0-1

    Humm, USA based?

    Bob Wilson
     
    #11 bwilson4web, Oct 27, 2017
    Last edited: Oct 28, 2017
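    To answer the "USA based?" question, here is an added example (not from the post) that parses the pasted nslookup answers and the ARIN record and reports which resolved addresses fall inside the registered range. A hit on CLOUDFLARENET only tells you the address is a CDN edge: the whois identifies the proxy in front of the site, not where the origin server is.

```python
import ipaddress
import re
# Constructed samples: the two nslookup answers and the ARIN record are copied
# from the posts above; nothing else is assumed.
CLOUDFLARE_NSLOOKUP = """\
Server: 69.1.30.42
Address: 69.1.30.42#53

Non-authoritative answer:
Name: mytechiebestdevwebs.site
Address: 104.28.10.157
Name: mytechiebestdevwebs.site
Address: 104.28.11.157
"""
PUSHNATIVE_NSLOOKUP = """\
Server: 69.1.30.42
Address: 69.1.30.42#53

Non-authoritative answer:
Name: go.pushnative.com
Address: 188.42.162.170
Name: go.pushnative.com
Address: 188.42.162.211
Name: go.pushnative.com
Address: 188.42.162.146
Name: go.pushnative.com
Address: 88.85.82.156
Name: go.pushnative.com
Address: 188.42.162.246
"""
ARIN_RECORD = """\
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
"""

def answer_addresses(nslookup_text):
    """Addresses from the answer section only; the resolver's own line is skipped."""
    answer = nslookup_text.split("Non-authoritative answer:", 1)[1]
    return [ipaddress.ip_address(a) for a in re.findall(r"^Address:\s*(\S+)", answer, re.M)]

def parse_arin_record(whois_text):
    """Return (network, NetName, OriginAS) from the key: value lines."""
    fields = dict(re.findall(r"^(\w+):\s*(.+?)\s*$", whois_text, re.M))
    return ipaddress.ip_network(fields["CIDR"]), fields["NetName"], fields["OriginAS"]

def classify(nslookup_text, whois_text):
    """Map each resolved address to whether it falls inside the registered range."""
    net, name, asn = parse_arin_record(whois_text)
    return {str(a): (a in net, name, asn) for a in answer_addresses(nslookup_text)}
```

    Running classify on the go.pushnative.com answer against the same record shows none of its five addresses are in the Cloudflare range, so those would need their own whois lookups.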
  12. fuzzy1

    I block more than popups. On my PC, Firefox add-ons are also blocking most advertising (numerous readers here have previously and repeatedly been served up with malware riding within advertisements) and all non-essential partner sites that provide additional page content to the whole website industry. The latter seem to be a major part of the Big Data / Databroker industry that tracks, profiles, and pigeonholes every web user or consumer or homo sapiens they can find.

    But the last time I checked (admittedly not recently), the Android revision of FF's toolset gave me far less control.

    I'm still a relative neophyte at this, and know that I cannot hide from them without far more expertise. But the less personal and consumer and political information they can get, the better.
     
    #12 fuzzy1, Oct 27, 2017
    Last edited: Oct 27, 2017
    RCO, bwilson4web and pilotgrrl like this.
  13. bwilson4web

    Speculation on my part, I wonder if this is a failing 'ransomware' effort?

    Now it gets to be fun. I've exported the malware URL:

    mytechiebestdevwebs.site
    (Without the payload, the URL delivers ASCII art.)

    The payload is ordinary 'command line' input:
    36caad8a-3790-4fc7-abf7-6cec47e29b6f/308fdf5c-c4e6-4fcd-a6f3-31b7833a4aa4/?contype=CABLE&device=MOBILE&osversion=IOS%2011.0&os=IOS&browser=Mobile%20Safari&lang=&isp=Wideopenwest%20Finance%20Llc&country=US&city=Huntsville&useragent=Mozilla%2F5.0%20%28iPhone%3B%20CPU%20iPhone%20OS%2011_0_3%20like%20Mac%20OS%20X%29%20AppleWebKit%2F604.1.38%20%28KHTML%2C%20like%20Gecko%29%20Version%2F11.0%20Mobile%2F15A432%20Safari%2F604.1&ip=216.186.138.42&brand=Apple&model=iPhone&var1=1387806&var2=&var3=&var4=&var5=&var6=&var7=&var8=&var9=&var10=&var11=&var12=&var13=&var14=&var15=&var17=&var18=&var19=&var20=&cmid=44011b9e-1644-41fb-90c3-7cc65db63586&lanid=8832afa7-d19c-4cec-982f-031d2ca39018&voluumdata=deprecated&eda=deprecated&cep=laCvTHy8fold2dQpHynCSTA5npzh8GHGXeD4jMSB_I-JK5EvVJIsI8FPUFfyEPS4u2d49FEOmvKU2MjAT2IPd4o96GMCzCS0OujvcBtw91vi6sm-sg88MnYfoawTYTDmUvoouUxHpDK6BpxVD4ay4QqzgEvQ0hIRyiXWLhqdeIKKzoHvXGS3O7aztn0PrpTOdt_k20fVh3KA-3DcKpzRamKAPKNObqI00L4-aJjQJjI&siteid=1387806&subid=385928352272

    Spreading out the payload arguments in a more human-friendly form:
    ?contype=CABLE&
    device=MOBILE&
    osversion=IOS 11.0&
    os=IOS&
    browser=Mobile Safari&
    lang=&
    isp=Wideopenwest Finance Llc&
    country=US&
    city=Huntsville&
    useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 11_0_3 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A432 Safari/604.1&
    ip=216.186.138.42&
    brand=Apple&
    model=iPhone&
    var1=1387806&
    var2=&
    var3=&var4=&var5=&var6=&var7=&var8=&var9=&var10=&var11=&
    var12=&var13=&var14=&var15=&var17=&var18=&var19=&var20=&
    cmid=44011b9e-1644-41fb-90c3-7cc65db63586&
    lanid=8832afa7-d19c-4cec-982f-031d2ca39018&
    voluumdata=deprecated&
    eda=deprecated&
    cep=laCvTHy8fold2dQpHynCSTA5npzh8GHGXeD4jMSB_I-JK5EvVJIsI8FPUFfyEPS4u2d49FEOmvKU2MjAT2IPd4o96GMCzCS0OujvcBtw91vi6sm-sg88MnYfoawTYTDmUvoouUxHpDK6BpxVD4ay4QqzgEvQ0hIRyiXWLhqdeIKKzoHvXGS3O7aztn0PrpTOdt_k20fVh3KA-3DcKpzRamKAPKNObqI00L4-aJjQJjI&
    siteid=1387806&
    subid=385928352272
     
    #13 bwilson4web, Oct 28, 2017
    Last edited: Oct 28, 2017
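    The hand-decoding done in the post above can be automated. This is an added example, not code from the post: it percent-decodes the quoted tracking URL, keeps the blank varN slots that a naive parser would drop, and sorts the parameters into visitor fingerprint (ISP, city, IP, user agent) versus campaign/click identifiers. The long opaque "cep" token is replaced by a labelled placeholder.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed from the URL quoted in the post above: host, path and query are
# copied from it, except that the long opaque "cep" token is replaced by a
# placeholder so the string stays readable.
MALVERTISING_URL = (
    "http://mytechiebestdevwebs.site/36caad8a-3790-4fc7-abf7-6cec47e29b6f/"
    "308fdf5c-c4e6-4fcd-a6f3-31b7833a4aa4/?contype=CABLE&device=MOBILE"
    "&osversion=IOS%2011.0&os=IOS&browser=Mobile%20Safari&lang="
    "&isp=Wideopenwest%20Finance%20Llc&country=US&city=Huntsville"
    "&useragent=Mozilla%2F5.0%20%28iPhone%3B%20CPU%20iPhone%20OS%2011_0_3"
    "%20like%20Mac%20OS%20X%29%20AppleWebKit%2F604.1.38%20%28KHTML%2C%20like"
    "%20Gecko%29%20Version%2F11.0%20Mobile%2F15A432%20Safari%2F604.1"
    "&ip=216.186.138.42&brand=Apple&model=iPhone&var1=1387806&var2=&var3="
    "&var4=&var5=&var6=&var7=&var8=&var9=&var10=&var11=&var12=&var13=&var14="
    "&var15=&var17=&var18=&var19=&var20="
    "&cmid=44011b9e-1644-41fb-90c3-7cc65db63586"
    "&lanid=8832afa7-d19c-4cec-982f-031d2ca39018"
    "&voluumdata=deprecated&eda=deprecated&cep=PLACEHOLDER_OPAQUE_TOKEN"
    "&siteid=1387806&subid=385928352272"
)

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Parameters that describe the visitor rather than the ad campaign.
FINGERPRINT_KEYS = {"contype", "device", "osversion", "os", "browser", "lang",
                    "isp", "country", "city", "useragent", "ip", "brand", "model"}

def analyze_tracking_url(url):
    """Decode a tracking URL and sort its parameters by what they reveal."""
    parts = urlsplit(url)
    path_ids = [seg for seg in parts.path.split("/") if UUID_RE.match(seg)]
    # keep_blank_values=True so the empty varN slots are not silently dropped
    params = parse_qsl(parts.query, keep_blank_values=True)
    var_nums = {int(k[3:]) for k, _ in params if re.fullmatch(r"var\d+", k)}
    return {
        "host": parts.hostname,
        "path_ids": path_ids,
        "param_count": len(params),
        # visitor fingerprint: percent-decoded, blanks left out
        "fingerprint": {k: v for k, v in params if k in FINGERPRINT_KEYS and v},
        # UUID-shaped values are per-click / per-campaign identifiers
        "tracking_ids": {k: v for k, v in params if UUID_RE.match(v)},
        "empty_params": [k for k, v in params if v == ""],
        # varN slots the template defines but this click never filled
        "missing_var_slots": sorted(set(range(1, max(var_nums, default=0) + 1)) - var_nums),
    }
```

    Calling analyze_tracking_url(MALVERTISING_URL) reports 39 parameters, 19 of them blank, and that var16 is the one slot absent from the template.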
  14. bwilson4web

    Strange 'facebook' response:

    [screenshot]

    Somehow I don't understand how a technical posting about a potentially compromised web site is considered a violation of "Community Standards." It sure has me scratching my head.

    Bob Wilson
     
    RCO likes this.
  15. fuzzy1

    Can you appeal, or challenge them, to show how it supposedly violates their standards?
     
    Prodigyplace likes this.
  16. bwilson4web

    If so, I haven't found it. So I sent private messages to a pair of my computer/network literate friends, a cousin and former co-worker. They were the primary folks I wanted to share the 'heads up' with as the rest of my clan are 'not so technical.'

    What pisses me off is I kinda liked hunting down the trojan. In years past, I would pursue SPAMMERs back to their source and try to get them shut down. I'm still thinking about putting a firewall block on the "go.pushnative.com" IP addresses and then 'teasing' them.

    Bob Wilson
     
    RCO likes this.
  17. bwilson4web

    Turns out Google has a page for reporting malware web sites. After filing my report, they identified http://www.stopbadware.org and searching their database shows "pushnative.com" is on their list.

    I am pleased,
    Bob Wilson
     
    RCO, fuzzy1 and Prodigyplace like this.