FALSE Virus alert [there is NO malware on your computer]

Old Aug 1, 2012, 10:17 am
  #241  
No longer at Internet Brands
 
Join Date: Oct 2007
Location: El Segundo CA
Programs: America Advantage
Posts: 150
We just blocked that url from all channels but it may take a few minutes to process. Please let me know if you keep seeing it.
bconver is offline  
Old Aug 1, 2012, 10:26 am
  #242  
 
Join Date: Aug 2010
Posts: 154
Originally Posted by Doug_1970
^ Good job.

Just for my academic interest, how hard was this to work out? Was it something that any competent IT person could work out, or was it more specialised?
Thanks

I have no formal IT training, but have always been fairly competent/keen to learn when it comes to IT. I have had some spare time this week and spent a while on this case. I cannot stress how much Google is your friend though.

Anyone with basic website (HTML/java) knowledge could have worked it out, the key though was being able to replicate the problem with a logger tracking all the traffic (the redirect happens within a split second). I found a logger (HTML Analyzer) last night which does exactly that, but couldn't replicate the problem. However, it happened today and I was able to look through the history (which is quite in depth) and work back from the redirect site with the malware back to the FT forums.

I think the key thing I missed was the fact that the redirects were intermittent. Initially I mistakenly thought there was an exploit in the forum software as there have been problems previously on other forums being exploited. But the intermittent nature shows it was coming from something on the site that rotates (i.e. a banner/advert).

I would be interested to know how the bogus site was able to operate a banner here. There appears to be no track record of the company/site and the domain name owners have a whois block service so you don't know where they are from.
MoneyBagger is offline  
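The tracing approach described in the post above (record every request, then walk back from the bogus alert page to the forum) as an added example; this is not code from the thread, from HTML Analyzer or from FlyerTalk. The log format (sequence, URL, Referer, status, Location) and every domain are constructed placeholders, not real indicators.

```python
"""Reconstruct a browser redirect chain from a captured traffic log.

Added example. Walks back from the scareware landing page through
HTTP 3xx Location hops and Referer headers to the page that started it,
then reports the first off-site hop: on a forum that is the rotating
ad slot, which explains why the redirect was intermittent.
"""
from urllib.parse import urlparse

# Constructed log entries: (seq, url, referer, status, location).
# All hostnames are placeholders invented for this example.
LOG = [
    (1, "https://forum.example/threads/123", "", 200, ""),
    (2, "https://forum.example/static/app.js",
     "https://forum.example/threads/123", 200, ""),
    (3, "https://ads.adnet-placeholder.example/serve?slot=top",
     "https://forum.example/threads/123", 200, ""),
    (4, "https://cdn.adnet-placeholder.example/banner.js",
     "https://ads.adnet-placeholder.example/serve?slot=top", 200, ""),
    (5, "https://track.redir-placeholder.example/go",
     "https://cdn.adnet-placeholder.example/banner.js", 302,
     "https://scareware-placeholder.example/alert.html"),
    # After a 302 the browser keeps the Referer of the original request.
    (6, "https://scareware-placeholder.example/alert.html",
     "https://cdn.adnet-placeholder.example/banner.js", 200, ""),
]


def host(url):
    return urlparse(url).hostname or ""


def redirect_chain(log, landing_url):
    """Return URLs from the origin page to landing_url, one hop per step.

    A hop reached via a 3xx Location is attributed to the redirecting
    URL; otherwise the Referer names the previous request."""
    by_url = {e[1]: e for e in log}
    by_location = {e[4]: e for e in log if e[4]}
    chain, cur = [landing_url], landing_url
    while True:
        if cur in by_location:
            prev = by_location[cur][1]
        else:
            ref = by_url.get(cur, (0, "", "", 0, ""))[2]
            prev = ref if ref in by_url else None
        if prev is None or prev in chain:  # origin reached, or a loop
            return list(reversed(chain))
        chain.append(prev)
        cur = prev


def first_offsite_hop(chain, site_host):
    """First URL not served by the site itself: the injection point to block."""
    return next((u for u in chain if host(u) != site_host), None)
```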
Old Aug 1, 2012, 11:07 am
  #243  
 
Join Date: May 2005
Posts: 3,944
Good work, MoneyBagger! ^

Any ideas on the purpose of the redirect? Is the purpose likely just to "sell" bogus virus-removal programs?
SkeptiCallie is offline  
Old Aug 1, 2012, 11:34 am
  #244  
 
Join Date: Aug 2010
Posts: 154
Originally Posted by SkeptiCallie
Good work, MoneyBagger! ^

Any ideas on the purpose of the redirect? Is the purpose likely just to "sell" bogus virus-removal programs?
Essentially yes. Here's how it works:

http://www.f-secure.com/weblog/archives/00002053.html
http://www.pcworld.com/businesscente...ssentials.html
http://blogs.technet.com/b/mmpc/arch...ake-innit.aspx

There are some good online sites which you can use to check if a site is legitimate or infected:

http://www.virustotal.com/ - Online virus scanner/site checker
http://urlquery.net/ - Site Scanner
http://www.unmaskparasites.com/ - Site Scanner
http://zulu.zscaler.com/ - Site scanner/inspector
http://www.avgthreatlabs.com/sitereports/ - Site scanner (part of AVG)
MoneyBagger is offline  
Old Aug 1, 2012, 12:06 pm
  #245  
 
Join Date: Aug 2010
Location: LGA - JFK
Programs: UA, AA, DL, B6, CX, KE, Latitude, VIFP, Crown & Anchor, etc.
Posts: 2,589
Originally Posted by MoneyBagger
Essentially yes ... There are some good online sites which you can use to check if a site is legitimate or infected:
Bravo, kudos & thanks to MoneyBagger for helping FT and the rest of us - some of us knew something just isn't right ... Using Firefox on my own laptop now but when on the road, it isn't a matter of choice to avoid or not use IE 8 or 9.

When we had similar issues & popups randomly over at Cruisecritic dot com, it drove some of us nuts for weeks - and it was tracked down only a few weeks ago (the details & threads/links are mostly gone/deleted & no longer available to members) - my best recollection of the summary finding was that it was malware codes/scripts hidden in graphics/logos commonly used by CC members, and it got in & launched itself - very similar MSE phony threat reports and offering to fix it (as we saw them here on FT.)

Furthermore, the danger and risk posed is that one's credit card/name & other personal info were exposed in the course of purchasing/authorizing/downloading the said "fixes" in solving the security problem - escalating and potentially risking hundreds if not thousands in charges to one's CC account.

The practice goes back to the 1980's when we were surfing AOL and bragging about 56K modems - we've come a long way but the bad apples are still out there, and getting more sophisticated. My firewall, antivirus & spyware logs and reports all looked clean, deep & full scanning sweeps done showing no harm inflicted thus far, yet (fingers crossed)

Last edited by Letitride3c; Aug 2, 2012 at 10:51 pm
Letitride3c is offline  
Old Aug 1, 2012, 12:39 pm
  #246  
 
Join Date: May 2005
Posts: 3,944
Originally Posted by MoneyBagger
Essentially yes. Here's how it works:

http://www.f-secure.com/weblog/archives/00002053.html
http://www.pcworld.com/businesscente...ssentials.html
http://blogs.technet.com/b/mmpc/arch...ake-innit.aspx

There are some good online sites which you can use to check if a site is legitimate or infected:

http://www.virustotal.com/ - Online virus scanner/site checker
http://urlquery.net/ - Site Scanner
http://www.unmaskparasites.com/ - Site Scanner
http://zulu.zscaler.com/ - Site scanner/inspector
http://www.avgthreatlabs.com/sitereports/ - Site scanner (part of AVG)
Thanks for the answer.

This whole matter did get me to download the real MSE yesterday. A quick scan shows no problem. Also, Malwarebytes' Anti-Malware shows no problem.
SkeptiCallie is offline  
Old Aug 1, 2012, 8:47 pm
  #247  
 
Join Date: Apr 2007
Location: SEA
Programs: AS MVP, Hhonors Gold, National Executive, Identity Gold, MLife Gold
Posts: 2,687
Originally Posted by Letitride3c
Bravo, kudos & thanks to MoneyBagger for helping FT and rest of us
^^^^^
OverThereTooMuch is offline  
Old Aug 2, 2012, 12:41 am
  #248  
Community Director Emerita
 
Join Date: Oct 2000
Location: Anywhere warm
Posts: 33,742
Thank you, MoneyBagger.
SanDiego1K is offline  
Old Aug 2, 2012, 2:45 am
  #249  
uk1
Suspended
 
Join Date: Jan 2004
Location: UK
Posts: 11,969
Well done. ^
uk1 is offline  
Old Aug 2, 2012, 4:57 am
  #250  
 
Join Date: Jul 2012
Posts: 21
Well done MoneyBagger!! :0) As someone else said IT should have picked up on this ages ago!
Jay2261 is offline  
Old Aug 2, 2012, 8:12 am
  #251  
 
Join Date: Jun 2003
Location: Denver CO
Programs: HHonors Gold, National Emerald Club, no airline affinity status
Posts: 3,349
Moneybagger, thanks for the information. Job well done. Hopefully FT recognizes you appropriately.
HawaiiTrvlr is offline  
Old Aug 2, 2012, 4:39 pm
  #252  
No longer with Internet Brands
 
Join Date: Mar 2011
Location: Los Angeles, CA
Programs: DL DM 1.6MM, Marriott LT Plat
Posts: 5,343
Thumbs up

Originally Posted by HawaiiTrvlr
Moneybagger, thanks for the information. Job well done. Hopefully FT recognizes you appropriately.
Indeed
IBobi is offline  
Old Aug 3, 2012, 3:46 pm
  #253  
 
Join Date: Jun 2012
Location: England
Programs: Executive Club Silver
Posts: 711
The warning hasn't appeared so far so it looks like Money has solved the mystery.

If it weren't for you I doubt this issue would have ever been resolved. I hope too many people weren't put off visiting the site because of it.
PotNoodle is offline  
Old Aug 3, 2012, 4:07 pm
  #254  
 
Join Date: Apr 2009
Posts: 85
Have not had a recurrence today yet....
g-didi is offline  
Old Aug 3, 2012, 6:18 pm
  #255  
 
Join Date: Mar 2010
Programs: AA Plat, Marriott Plat
Posts: 736
Finally, someone with mad skillz. Now if you could only become a moderator to help us out...
living near shamu is offline  