advertisement acts like virus, how to fix and prevent security bug?

Support and discussions for the x86/x64 Linux version of Pale Moon.

seahorse41
Newbie
Posts: 3
Joined: Wed Aug 02, 2017 6:35 pm

advertisement acts like virus, how to fix and prevent security bug?

Postby seahorse41 » Tue Sep 05, 2017 5:59 pm

A page's usual JavaScript advertisement opened a new tab, but this time what it loaded acted like a virus. What is the correct way to undo it, and how to prevent this from happening?
Since I took screenshots, I have details:
The new tab first shows a URL of hxxp://secure.calch.gdn/performance/bdv_rd.dbm?enparms2= followed by a lot of comma-delimited numbers that go off the right side.
The popup says:

Authentication Required
A username and password are being requested by hxxp://138.197.4.141. The site says: "Internet Security Alert: Your Computer Might be Infected by Harmful VirusesnCall Windows Technical Support: (Toll Free) (866) 564-0233 (Toll Free)"

/end popup message.
If I press Cancel, it proceeds to load a page. If I press X to close the app, it ignores me. The only way to stop it was to kill it from a terminal.

Next it opens a page that plays an audio file that thankfully isn't with an Indian accent like I get on the telephone, but the sales pitch is familiar. I think the fraudsters are expanding their reach... but back to the facts:

The page it loads is URL: hxxp://138.197.4.141/as/?c59aedd2db77fa0ftfn1d59aedd2db783e=(866) 564-0233

including that parenthesis and space not auto-included in the A href tag. And again the popup with the Authentication Required title.
My next concern is the popup: is it a safety stop by the browser, or since cancel PROCEEDED to this second page, is it actually being generated by the page, and is a fraudulent deception? :shock:

After killing the browser, and restarting it, the 2nd page auto-reloads, but I don't want this!! It again has the popup, and does not allow me to click anywhere else.
I need to find the command line way to start in safe mode, since the help provided so far by Google search requires a setting while the browser is open, which is not an option in this case.

Is this a security hole? Please investigate and advise.

edit: I found the -safe-mode option, so I answered that question myself.
Version is:
Debian 8 Linux, palemoon package 27.4.2~repack-1
Last edited by Moonchild on Tue Sep 05, 2017 9:14 pm, edited 1 time in total.
Reason: Links killed to prevent fanatic clickers from hitting the trap -- http -> hxxp

Moonchild
Pale Moon guru
Posts: 19450
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby Moonchild » Tue Sep 05, 2017 6:10 pm

Unfortunately evil trap sites like this abuse normal browser actions (in this case looping a basic http auth request). This is generated by the server you are directed to. Pressing cancel would normally return an "authentication failed" page, but the people who set up this site clearly abuse custom error pages to have you be redirected right back to the page you were on, repeating the process.

You can safely force-close the browser to get out of this mess.
If you close the browser forcefully, it will generally restart one time with the same windows and tabs automatically and will reload everything (unfortunately including the page that trapped you). If you force close it a second time when this happens, it will give you a session restore window where you can uncheck the "windows alert" tab so it will not be restored.

What you should do is contact the abuse department for 138.197.4.141 and inform them of this issue and that it is being abused to try and phish for people's credentials with fake scare tactics.

According to whois, this is abuse@digitalocean.com (a commonly abused virtual server provider). Provide them with the exact information you've given in this thread.
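A defender-side check for the pattern described in the reply above (a 401 challenge whose realm carries the scare text, and an error page that navigates straight back), as an added example that is not part of the original thread. The response object shape, the keyword list and the two-signal threshold are assumptions.

```javascript
// Added example; every sample response below is constructed.

// Extract the realm from a WWW-Authenticate header value (quoted or token form).
function parseRealm(headerValue) {
  const m = /realm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/i.exec(headerValue || "");
  if (!m) return null;
  return m[1] !== undefined ? m[1].replace(/\\(.)/g, "$1") : m[2];
}

// res = { status, headers (lower-case keys), body }. Returns the reasons found.
function inspectAuthChallenge(res) {
  const reasons = [];
  if (res.status !== 401) return { suspicious: false, reasons };
  const realm = parseRealm(res.headers["www-authenticate"]);
  if (realm === null) return { suspicious: false, reasons };
  const body = res.body || "";

  // A realm names the protected area; a phone number or alarm text does not belong.
  if (/\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b/.test(realm)) reasons.push("phone-number-in-realm");
  if (/\b(virus(es)?|infected|security alert|technical support)\b/i.test(realm)) reasons.push("scare-text-in-realm");
  if (realm.length > 80) reasons.push("long-realm");

  // The 401 body is what renders after Cancel. Automatic navigation there
  // brings the challenge straight back, which is the loop described above.
  if (/<meta[^>]+http-equiv\s*=\s*["']?refresh/i.test(body) ||
      /\blocation\s*(\.\s*(href|replace|assign|reload)\b|=)/.test(body)) {
    reasons.push("auto-navigation-in-401-body");
  }
  // Assumed threshold: one signal alone is too weak, two or more is flagged.
  return { suspicious: reasons.length >= 2, reasons };
}

// Constructed samples (hypothetical hosts, fictional phone number).
const scamLike = {
  status: 401,
  headers: { "www-authenticate": 'Basic realm="Internet Security Alert: Your Computer Might be Infected Call Technical Support: (800) 555-0199"' },
  body: '<html><head><meta http-equiv="refresh" content="0;url=/as/"></head></html>',
};
const ordinary = {
  status: 401,
  headers: { "www-authenticate": 'Basic realm="Admin area"' },
  body: "<h1>401 Authorization Required</h1>",
};

console.log(inspectAuthChallenge(scamLike));
console.log(inspectAuthChallenge(ordinary));
```

The same checks can run over proxy or capture logs that record response headers, since the scare text travels in the `WWW-Authenticate` header rather than in page content.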

magic
New to the forum
Posts: 2
Joined: Tue Sep 05, 2017 3:29 pm

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby magic » Tue Sep 05, 2017 6:49 pm

If you're quick enough, you can close the tab with CTRL+W right after dismissing the authentication request by clicking on Cancel.

seahorse41
Newbie
Posts: 3
Joined: Wed Aug 02, 2017 6:35 pm

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby seahorse41 » Thu Sep 07, 2017 8:58 pm

So it seems modifying history is part of HTML5, and calling history.pushState(0,0,uglyLongString) (and extending uglyLongString every loop for a hundred million times) is not a security flaw. I guess I'll drop it as a non-issue.

Last idea then, there should be some means of killing a tab that has that authentication window up, just to make this a non-issue for the future.

josephd
Moonbather
Posts: 65
Joined: Tue Sep 09, 2014 12:15 pm
Location: Tennessee

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby josephd » Thu Sep 07, 2017 10:11 pm

May want to watch what you download. I found the following which may help.

In case your web browser is permanently getting redirected to the secure.calch.gdn domain, then it is quite likely that you have an adware application installed on your computer.


http://www.deletevirus.net/secure-calch ... us-remove/

stevepusser
Fanatic
Posts: 234
Joined: Sat Aug 01, 2015 6:33 pm
Location: California

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby stevepusser » Fri Sep 08, 2017 2:45 am

josephd wrote: May want to watch what you download. I found the following which may help.

In case your web browser is permanently getting redirected to the secure.calch.gdn domain, then it is quite likely that you have an adware application installed on your computer.

http://www.deletevirus.net/secure-calch ... us-remove/

That's not impossible in Linux, but much, much more rare than in a certain other OS.

RJARRRPCGP
Moonbather
Posts: 66
Joined: Mon Jun 22, 2015 7:48 pm
Location: USA (Bellows Falls, Vermont)

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby RJARRRPCGP » Thu Sep 14, 2017 10:27 pm

Looks like typical malvertising.

Or you clicked on a fake download button... Whoever came up with those download buttons, deserves to be executed!!
