Scammy Popup Ads on OzBargain (was: Site Redirects to DollarCreative and MacSafetyCheck?)

chocsyrup on 03/02/2019 - 21:50
Last edited 28/03/2019 - 19:33 by 3 other users

Moderator:

Browser hijacking is likely caused by malware already existed on a user's phone, and might be triggered by ads code on some websites (OzBargain is currently targeted). Googling Congratulations Google User yields predominately Safari on iPhone/iPad issues, rather than issues with the websites.

Here are some instructions from another company that manages display advertising on OzBargain:

The ad network believes that there is a piece of malware that infects Safari users which activates when accessing sites like OzBargain, The Guardian etc. The malware wasn't served by the ad network but instead probably picked up through another site.

Safari users can go to Setting → Advanced → Website Data → <name of site> → Delete the site. Or clear the data from all sites. They also recommend running a malware software like Malwarebytes.

As it seems the ads are possibly the trigger of the malware, blocking all ads on OzBargain should also fix things if the above doesn't help. Go to My Account → Edit → Banner ads: No Ads

For Safari users you can also turn on content blockers on iOS.

Original Post

Is anyone else having an issue with OzB redirecting to 'fake virus' sites? I find that if I have a bunch of tabs open, inevitably one OzB tab will redirect to DollarCreative and then something saying I have three viruses on my Mac. The weird thing is that I don't click anything to start the redirect (I don't even have the tab open…it just happens in the background). Plus, this is the only site that it happens with. It is only very recent (since Friday) and has probably happened maybe four times in the last three days…but only ever from OzBargain.

It first redirects to a site starting with https:// dollarcreative. com/click… [spaces added]
It ends up at a site starting with http:// mac-safety-check. com.oizfusnvyt.tckdz8w1fino2wn1ua.icu… [spaces added]

Looking around online, it seems that it has to do with rogue ads (eg, here and here )…but is anyone else having this issue?

Site Discussion

Comments

  • Moderatorneil on 12/03/2019 - 17:13

    The ad network believes that there is a piece of malware that infects Safari users which activates when accessing sites like OzBargain, The Guardian etc. The malware wasn't served by the ad network but instead probably picked up through another site.

    Safari users can go to Setting - Advanced - Website Data - nameofsite - delete the site. Or clear the data from all sites. They also recommend running a malware software like Malwarebytes.

    As it seems the ads are possibly the trigger of the malware, blocking all ads on OzBargain should also fix things if the above doesn't help. Go to My Account - Edit - Banner ads: - No Ads

    • Member 0230 on 13/03/2019 - 17:50

      Thanks for the update neil.

      Like most, I prefer not to see ads, but I really quite like OzB and know that a portion is also contributed to good causes, so… Option 1 for me.

    • Katie2014 on 13/03/2019 - 20:07

      Thanks for following up on this, neil. Might be time for me to finally retire Safari for good :)

      Safari users can go to Setting - Advanced - Website Data - nameofsite - delete the site. Or clear the data from all sites

      I've previously been unable to permanently delete all website data using this method, but found that the following steps worked (just in case anyone else has the same problem):

      Quit Safari

      In Finder, select Go on the menu bar, then Go to Folder

      Copy and paste ~/Library/Safari/Databases

      Delete the contents of the folder.

      • Member 0230 on 14/03/2019 - 22:37
        +1

        Hey @Katie2014, it may be worth noting that it's not just Safari that's targeted, e.g., "iOS Firefox hijack", "iOS Chrome hijack".

        I know from personal experience that our friends on Android suffer from browser hijacking as well, but the nature of this attack may be totally different.

        FWIW I use Chrome, Firefox and Safari, and I continue to find Safari an excellent browser on iOS (and the Mac).

        • Katie2014 on 19/03/2019 - 20:53
          +1

          Thanks for that info Member 0230. Perhaps I won't retire Safari just yet :)

          I'd been using the same three browsers as you as I'd found that competition entry pages sometimes display correctly using one browser but not others (also mentioned by Smalot11), so I'll keep using it for now.

  • [Deactivated] on 03/02/2019 - 22:07
    +13

    Most likely you have a virus or something on your computer that is causing this.

    • 87percent on 03/02/2019 - 22:13
      +1

      Most likely from all that porn you've been watching

      • [Deactivated] on 04/02/2019 - 00:11
        +4

        Uh oh.

        I think my computer would be more virus than software at this stage.

    • JIMB0 on 04/02/2019 - 05:39
      +2

      But macs can't get a virus. Just ask any apple fanboy.

      • bnebgnhunter on 04/02/2019 - 07:27

        They’re less executed on a Mac

  • onetrickpony on 03/02/2019 - 22:15
    +3

    Yup, same thing. And started around Friday too. Norton has started blocking them from late yesterday, but they keep returning on their own until I delete cookies. I thought it was just me, did a full system scan and found nothing. It usually happens when scrolling down the page. Telstra has blocked some of the pages as well.
    Fortunately I'm only 46, so plenty of time for it to all come good.

  • swapsey on 03/02/2019 - 22:15
    +1

    Download malwarebytes antivirus and let it do a check. It starts with free trial and then reverts to their free non-automated version. It’s a good bit of gear!

  • Clear on 03/02/2019 - 22:16
    +2

    Mac user? I'd recommend downloading Malwarebytes and scanning your system as there is definitely something somewhere causing the redirections.

    Also do you have ads enabled on OzBargain? While I seriously doubt the network is delivering malicious ads it's something for scotty and the team to check.

    • ragrum on 04/02/2019 - 01:27

      +1 for at least checking out the malvertising theory

  • [Deactivated] on 03/02/2019 - 22:18

    Are you using any adblocker with safari?

  • steven6 on 03/02/2019 - 23:04

    Is the fake virus page asking you to call a phone number or download malware?

  • [Deactivated] on 03/02/2019 - 23:20

    Also has been happening to me with similar details.

    I used Malwarebytes which initially picked up some things but the issue is still occurring and now the scan is running clean.
    Might genuinely be something up with the Ozbargain site as doesn't appear to affect my browsing elsewhere.

    • trustnoone on 04/02/2019 - 00:11

      Are you a Mac user? Are you running Safari as your browser?

      • [Deactivated] on 04/02/2019 - 00:19

        Y & Y.

        • trustnoone on 04/02/2019 - 00:37

          Interesting, assuming the others are running Safari too, I wonder if theres a rogue advertisement thats affecting only the Safari browsers which are why only Mac users are having an issue.

          • [Deactivated] on 04/02/2019 - 07:16

            @trustnoone: Can't believe people use safari still.

          • Katie2014 on 04/02/2019 - 10:23
            +1

            @trustnoone: I had this happen a couple of days ago as well, and you're right - it was only when I was using safari (I had no problems when using Firefox), and only when I was logged into OzBargain.

            FWIW I have Malwarebytes and the scan came up clean.

    • Member 0230 on 22/02/2019 - 23:15

      I had this happen around the same time as you all did (Jan / early Feb), and only on OzB.

      Then two nights ago my sister asked me why browsing OzB started bringing up these dodgy "you have a virus" sites.

  • [Deactivated] on 04/02/2019 - 08:17

    Have you checked that your router is not infected? We've had clients that have experienced hacks that occurred because their router got hacked (likely they never changed default password) and the router referred them to fake online banking sites.
    Just a thought and on what may cause a redirect.

    • [Deactivated] on 04/02/2019 - 12:55

      Mm interesting… is there any easy means of checking this?

      • [Deactivated] on 04/02/2019 - 13:15

        Preface: We're not IT security experts, just happen to have a working knowledge of the basics to protect financial information given our industry.

        Starting point to check/correct most common router security concerns:
        1. Hard reset the router back to factory default settings
        2. Install the latest firmware direct from router vendor
        3. Configure new settings/make sure to change password for router from what it was previously
        4. Optional: Consider using/inputting values for a DNS provider that may provide an element of security - for example https://www.quad9.net/ (or equivalent)

        Hope this helps

        • [Deactivated] on 04/02/2019 - 15:16

          Thank you for the detailed response.. I will give resetting the router and password a go (yes I am one of those that kept the password my 'kit' shipped with so can see the vulnerability).

          I would also ask is it possible it is related to malicious code running in certain ads that appear on the site?

          I know Google definitely does its best to stamp that kind of thing out, and even if it is said to be 'impossible' people with malicious intent often find a way to break things that get patched later, and then are broken again…

        • Member 0230 on 22/02/2019 - 23:17

          Thanks for the interesting thoughts re router. We use an Apple Time Capsule for that job, and definitely not using factory defaults.

  • Beanvee on 04/02/2019 - 14:18

    Some viruses will change your DNS server so that they can redirect you to their spam pages
    Follow this, check that it's automatic and hasn't been set to an unknown IP https://www.lifewire.com/how-to-change-dns-servers-in-window…

  • kaos on 04/02/2019 - 17:58

    if you're a Mac user some DNS redirectors will pass a Malwarebytes scan.
    1. you can check whether it is router or your machine by going to a mates place and using their wifi with your laptop, or if you have a big machine, get a neighbours permission to use their wifi as a test
    2. check if it is Safari or the whole machine by testing in Chrome or another browser
    2a. if it's only Safari, check your plugins
    3. check your DNS settings. Change them to 1.1.1.1 and 9.9.9.9, then use the internet and see if they change without your interaction

    if you have a positive result with 3, use a different computer to search up 'Mac DNS redirector'

    Shit, after typing all that out, most of it is in this article-

    https://www.thesafemac.com/eliminating-browser-redirects-and…

  • Moderatorneil on 06/02/2019 - 13:53

    We are investigating the issue and one lucky member of our staff is using Safari on their MAC to attempt to recreate the issue. If it is a malicious ad, we'll need to have the path/image source of it for removal. We've PMed those who received the redirects for more information.

  • kaos on 07/02/2019 - 12:20

    I use Safari on a Mac, do not currently have ad-blocking turned on and am not seeing these issues. If it helps, I had 3 of these pop up on the same day this week.
    Not sure of a solution that fits all cases- one seems to have been fixed by Malwarebytes and a colleague is working on another but it wasn't fixed by MWB.

  • Moderatorneil on 20/02/2019 - 21:14

    Someone sent me an article from IT Wire with the same issue for Guardian Australia. Something weird going on.

    A Safari user has complained of being redirected to what looks like a phishing site when he visits The Guardian Australia website.

    The user, who preferred to remain anonymous, told iTWire that he was first redirected to a site which did not load in full and displayed the name "coachtraffic.com" in the browser bar.

    He was then redirected to a page which loaded fully, with the domain reading mac-safetycheck.com followed by a number of letters which did not spell out any pronounceable word.

  • mightyboy on 25/02/2019 - 14:11

    I just got redirected on my iPhone using safari. Was browsing ozbargain front page and got an alert that said ‘congratulations google user’ and redirected me to another page. I shut it immediately so I can’t give further info. Seems like a rogue ad to me.

    • mightyboy on 25/02/2019 - 14:12

      On telstra mobile. Not wifi.

  • Member 0230 on 04/03/2019 - 22:28

    Is it worth continuing to post here whenever we experience this odd behaviour? Two days ago (Sat 2 March) I received a similar message to mighty boy while doing a search of all things — screenshot

    Congratulations!
    Google User!
    You've been selected as a winner for
    the free iPhone X 256G, $1000
    Amazon Giftcard or Samsung Galaxy
    S9!

    Please click OK to claim your prize
    before we give it away to somebody
    else.

    • Moderatorneil on 05/03/2019 - 23:07

      Yes, please keep letting us know. We don't really have a solution as we haven't been able to track down the issue as it seems to affect a tiny portion of users. Please clear your cache if you haven't already.

      • Member 0230 on 06/03/2019 - 12:43

        Roger that. Cache cleared also — I didn't do that on previous occasions.

      • Being Askhole on 07/03/2019 - 15:06

        Happened same to me as well atleast 5-6 times in past couple of month on iphone safari. I always cleared cache but still its pops up randomly.

  • StonedWizard on 19/03/2019 - 19:12
    Merged from OzBargain Re-Directs to Spam Site

    This randomly happens on my iPhone 7 when using Safari.

    I’ll be browsing and it will redirect me to google-com-win.

    I have to close the tab and re-open. It doesn’t happen with any other site.

    Any idea why this might be occurring and how I can get rid of it ? It’s been happening for a while.

    https://imgur.com/a/9l50rF2

    • spackbace on 19/03/2019 - 19:14

      Someone has malware…

      Run a scan

    • trustnoone on 19/03/2019 - 19:15

      I remember reading something similar a while back, wasn't on an iPhone though, but on their macbook and only using Safari people were being redirected to some spam sites. I figured it might be a rogue advertisement doing it, but I don't remember if anything happened to the thread (or if that was the case). Do you have ozBargain adds off to see if theres any difference?

      Might be something installed on your phone, worth checking what you have installed?

    • Katie2014 on 19/03/2019 - 19:20

      I had the same issue when using Safari (and only when I was logged into OzBargain).
      There's a discussion about it here: https://www.ozbargain.com.au/node/436226

      • StonedWizard on 19/03/2019 - 20:17

        Weird cause it's only happening on my phone not on my computer.

    • [Deactivated] on 19/03/2019 - 19:21

      Google advertising on Safari. It's really shameful that Google allows it.

  • eecchhoo on 22/03/2019 - 13:02

    Got the ad only on ozbargain page. Got it this morning on iPhone and safari browser

  • ONSALE on 23/03/2019 - 14:06

    This has been happening for weeks on end now. I have been getting Congratulations! Google User! etc etc every time I use ozbargain on my iphone. Example from today https://imgur.com/wp43ivN
    Every time it happens I immediately clear history and website data but is still comes back and always on ozbargain.I found this post by typing “Congratulations! Google User! ozbargain” in a search and found this post. I bet there are heaps of people on here that its happening to but haven’t found this post or commented yet.
    It is so annoying :-(

  • Moderatorneil on 23/03/2019 - 14:25

    I suggest for everyone experiencing problems to block ads Go to My Account - Edit - Banner ads: - No Ads.

  • z z on 27/03/2019 - 10:39
    Merged from OzBargain Domain Redirected to Gifts-for-You Dot Com without Any Interaction Required

    Hi forum folks,

    Today I've started getting pop-up style adverts when in the default OzBargain domain https://www.ozbargain.com.au/ , on a non-jail broken iPhone 8 Plus (iOS 12.1.14), when visiting the Ozbargain website. Tried in a private and non-private tab.

    The particular URL given is gifts-for-you dot com. A user doesn't need to touch or select any option for this redirection to occur. (The browser is actually redirected to this dodgy looking site — so it's not a pop-up you can close).

    I've tried the standard Ozbargain URL on other iOS devices too, and I'm getting the same pop up appearing (when I say pop-up, it's actually redirecting the device away from Ozbargain, to the URL above).

    I'm sure this isn't usual behaviour. Any ideas what's happening, and why it's happening to iOS devices?

    Thank you…

    • Moderatorneil on 27/03/2019 - 11:00

      Safari users can go to Setting - Advanced - Website Data - nameofsite - delete the site. Or clear the data from all sites. They also recommend running a malware software like Malwarebytes.

      As it seems the ads are possibly the trigger of the malware, blocking all ads on OzBargain should also fix things if the above doesn't help. Go to My Account - Edit - Banner ads: - No Ads

      Follow that and let us know how you go.

  • obiwanmy on 27/03/2019 - 10:41

    Same here getting this on my non-jailed break iphone X …

  • z z on 27/03/2019 - 11:02

    With DNS subversion as a possible reason for this; the devices I've seen it happen to have had different DNS entries. E.g. Optus, iiNet, Google etc. So I'm suspicious that that may not be the reason for this instance of the redirections… Are other people using their ISP's default DNS? Or on Wi-Fi with a particular host DNS set?

  • AustriaBargain on 27/03/2019 - 12:56

    I’m getting this, only on ozbargain. I figured the OZB admins just made a deal with the scammers, making money from each redirect. It redirects 15 times in a row, so it’s impossible just to go back to OZB.

  • try2bhelpful on 27/03/2019 - 12:59

    I'm getting the issue with my iPad. I've cleaned out the history etc of my browser and have nothing in Website Data at the moment. I will see whether the issue comes back.

  • kokopop on 27/03/2019 - 14:00
    Merged from Pop-Ups on iPhone While Using Safari

    Hi

    As of just today I'm getting an ad/pop-up on OzBargain website only on my iPhone while using safari browser.

    Not sure if pop-up is the actual issue, as I get taken to website "gifts-for-you.online" and then immediately get the pop-up which states:

    "Camberwell - Congratulations data Telstra internet user ……. ". Pop-up has OK button.

    At this stage I close down Safari and go to iPhone Safari settings and clear cookies, website data, but it keeps popping up if I return to OzBargain website.

    Is this a website issue or is my iPhone infected with something ?

    Appreciate any help/advice.

    Thanks

    Pop

    • 87percent on 27/03/2019 - 14:04

      likely your phone…

  • z z on 27/03/2019 - 16:08

    Sounds more like a dodgy advert to me. There is an update out from Apple now for iOS (iOS 12.2 is out now), so I wonder if there is a little security fix in Safari tucked away that might reduce this from happening…

  • Katie2014 on 27/03/2019 - 19:15

    Has anyone had anything show up after running a Malwarebytes or Antivirus scan?

    I've run several scans since this first happened on my macbook, but all have come up clean…

    I've switched off ads, and am no longer using Safari to visit OzBargain, so no more issues here, but it'd be good to know if others have found Malware (and which Antivirus and/or anti-malware software they used to find it)

  • Moderatorneil on 27/03/2019 - 20:28

    Not sure if this will help however there is an important security update from Apple, 12.2.

    • try2bhelpful on 27/03/2019 - 23:02

      Updated to iOS 12.2 still have the issue with iPad.

  • Clear on 27/03/2019 - 21:28

    This clickjacking issue has previously been present in Android for years. Normally ads have exploited iframe or similar to achieve the redirection to malicious websites. In April last year Google rolled out an update for Chrome (Android & Desktop) that actually helps to prevent this from happening.

    Framebusting requires same-origin or a user gesture
    Don't permit an iframe to navigate the top level browsing context unless they are same-origin or the iframe is processing a user gesture. – Mac, Windows, Linux, Chrome OS, Android

    enable-framebusting-needs-sameorigin-or-usergesture

    The problem with iOS devices is that this feature is not available in Safari or their hidden 'Experimental WebKit Features' menu. Sure Apple have a Content Blocker in Settings, but it seems to be ineffective against this method of clickjacking. Until Apple fix this you're either going to have to deal with it or block ads completely in my opinion.

  • Katie2014 on 27/03/2019 - 22:33

    Looks like it's happening to Whirlpool users too: iOS safari google prize pop up every couple days

    • Moderatorneil on 27/03/2019 - 23:19

      Interesting, we'll give them a bell and see if they have any thoughts.

    • Katie2014 on 28/03/2019 - 10:43

      Also Big Footy and Reddit

  • Eatoff on 28/03/2019 - 18:48
    Merged from Full Screen Optus Ad on Mobile

    Can we please not have full screen ads on ozbargain? It's an Optus one that fills the entire screen, with a small X in the top right to close.

    Here is the screenshot - http://imgur.com/a/li58drE

    • No Username on 28/03/2019 - 18:53
      +2

      Turn off ads in settings?

      • Eatoff on 28/03/2019 - 19:56

        I had no idea this was a thing. Done.

    • [Deactivated] on 28/03/2019 - 19:24
      +1

      I thought there was not advertising when logged in?

      • Clear on 28/03/2019 - 21:17
        +1

        You have to opt out in your settings.

    • scotty on 29/03/2019 - 09:22

      That appears to be a different variation of ads — not scammy but definitely spammy as it takes over the whole screen. It has been reported and we'll see how quickly the ads get taken down.

  • TheRandomWizard on 12/04/2019 - 09:01
    Merged from Intrusive and Very Annoying Full Screen Ad on OzBargain

    Started getting this this morning. Anyone else?

    Accidentally triggered it once while trying to close it for the third time. It lead to some website advertising bananas.

    Screenshot : https://cdn.discordapp.com/attachments/401560808762507265/56…

    • indium on 12/04/2019 - 09:29

      My Account > Settings > Account > Banner Ads > No Ads

    • Gandalf the Thrifty on 12/04/2019 - 16:43

      Use Brave or Firefox then no ads anywhere

  • nix1016 on 17/07/2019 - 12:15
    Merged from Pop out Full Screen Ad?

    I’m not sure if it’s just me but I’m getting a full screen pop-out ad when browsing OzBargain on my iPhone. I’ve tried both chrome and safari and I’m getting the ad on both and only on this site for some reason. I’m not sure if I’ve got malware or if anyone else is getting this.

    This is what the ad looks like. Seems to have started happening only today.

    • Moderatorneil on 17/07/2019 - 13:01
      • Please make sure your iPhone is updated
      • Go to Setting - Advanced - Website Data - nameofsite (where spongebob linked to) - delete the site. Or clear the data from all sites.
      • Run malware software like Malwarebytes.

      If it still continues, then please just use My Account - Edit - Banner ads: - No Ads

  • altitudinous on 23/08/2019 - 11:31
    Merged from OzBargain Links Redirect to Malicious Sites?

    Hello!

    I am having an issue with ozbargain - sometimes I click on a normal link but instead of going to the expected desitination - e.g ebay or wherever the bargain is, I end up directed through a few malicious sites and end up on a fake Flash Player install page.

    It only happens on ozbargain - no other websites I access, and only happens on about 1 in 15 or so clicks? Normally I would suspect something running in the background of my mac, but I'm not running any plugins in the browser and my mac is clean, I'm not running any adblockers, it is in Safari. I'm an IT professional, it seems very strange that this would only happen on Ozbargain.

    Is this something others are experiencing or have experienced?

    Cheers.

    • trustnoone on 23/08/2019 - 11:41

      I swear I've seen similar problems on OzBargain forums, and they all seem to be related to Safari on a Mac, may not be the case but worth checking:
      https://www.ozbargain.com.au/node/436226

    • Moderatorneil on 23/08/2019 - 11:50

      Safari users can go to Setting - Advanced - Website Data - nameofsite - delete the site. Or clear the data from all sites. They also recommend running a malware software like Malwarebytes.

      As it seems the ads are possibly the trigger of the malware, blocking all ads on OzBargain should also fix things if the above doesn't help. Go to My Account - Edit - Banner ads: - No Ads

      Follow that and let us know how you go.

      • altitudinous on 23/08/2019 - 17:17

        Thanks for your reply. I'll give these steps a shot. Cheers.

Login or Join to leave a comment
Login Join