đŸ Archived View for tilde.pink âș ~ssb22 âș shady.gmi captured on 2022-03-01 at 15:27:11. Gemini links have been rewritten to link to archived content
âŹ ïž Previous capture (2021-12-03)
âĄïž Next capture (2022-04-28)
-=-=-=-=-=-=-
If using Chrome on Android you may be browsing a benign website with no obvious advertising, only to find that when you tap on a link it opens a new tab to falsely say youâve won something, or falsely claim âVirus detected on your phone, click OK to start the cleaning processâ which *also replaces the tab of the site you were browsing* (presumably accessing it via window.opener) and *prevents you from pressing Back to resume reading that site*.
In one case I managed to catch how this rude interruption of an apparently calm website was being done, and itâs not pretty.â
The original page was written by a hobbyist about programming a certain old computer (certainly nothing to suggest malicious advertising deals), so I was expecting to uncover a case of the original siteâs server having been compromised i.e. broken into, and I planned to alert the hobbyistâs ISP once Iâd figured out some details about this break-in.
But the âhijackâ vector turned out to be much more mundane than that: the webmaster of the original site had used a statistics service called NedStatBasic (aka Motigo or WebStats4U) which had asked him to embed some Javascript that fetched instructions from their third-party server.âMotigoâs terms and conditions said âBy ordering the service level âFree of chargeâ you...allow Motigo to advertise on your...websiteâ (they might not have said this when the webmaster originally signed up, but he evidently didnât check for changes), and also said they work with advertising companies called Captify and Eyeota.âThey also had an indemnification clause, trying to pass legal responsibility for any bad behaviour of their service back to the original webmaster.â
The Motigo script created several divs with id âmotigoAdtagPopunderâ. The term âpop-underâ is used in Web advertising to refer to opening a new browser window *underneath* the present one, the idea being that the user will find it later and not know where it came from.âIt doesnât work so well if your foreground window is small enough for you to see whatâs happening behind, but they assume people browse maximised.âThat seems sneaky enough already, but on Android these tabs were popping up *over* the site (not under it) and, as mentioned above, sometimes *replacing* the site as wellâprobably *not* what any webmaster would want unless theyâre in it *purely* for advertising revenue (which wasnât the case here, because they were being given only *statistics* in exchange for this madness), and arguably also in breach of Motigoâs own contract if the phrase âadvertise on your websiteâ means *on* itânot *under* it or *over* it or *replacing* it, but *on* it, like traditional magazine advertising next to an articleâbut their lawyers will probably say âonâ somehow means âusingâ here.â
Motigoâs added âpop-underâ divs contained scripts from mirando.de fetching 302-redirects from an nginx server that inspects the browserâs User-Agent string (Lynx wasnât redirected unless run with -useragent); the eventual page had an iframe with source on AdNetworkPerformance.com (which had no homepage and cloaked their whois data, so we canât easily see which company is responsible), which served Javascript (from an OpenResty server) that eventually resulted in a 302 redirect to kuaptrk.com (registered to Mundo Media Ltd of Canada), and from there to an https page on ads.diamonds (one of the newer TLDs) who had again cloaked their whois, this time by using a proxy company in Hong Kong.â
The ads.diamonds page contained Javascript to manipulate the history of the âpop-underâ window (in case the user tried to use Back to close the tab on Android?) before loading another pageâa different one every timeâthat refreshed to trackmedia101.com (again cloaked via HK) which eventually redirected to one of several places, e.g.:
The fake âvirus detectedâ message was coming from a site called wsjpnxdm8u.top registered to a certain Lei Gao in Ningyang, Shandong and hosted on Amazon.âThis server was returning 404s to all other URLs.âAnother, similar message (âcorrupted with virus and battery has been damagedâ) was served from inbox-msg-cg000.gdn (falsely claiming to be Google; actually hosted on Amazon and registered to a company in Bangkok); this site contained code to activate the phoneâs vibration (as did some of the fake âyou have wonâ sites), and falsely threatens the user with âpermanent lockdownâ unless they install âTurbo Cleanerâ from Google Play, an application which, as far as I could tell from its .class files, didnât seem to do anything useful, but presumably they were hoping its in-app advertisements might get them more revenue than they were spending to spread it.âAnd I didnât see that theyâd compromised any ordinary web servers to do this, although we canât rule out the possibility that they found a way to bypass billing on the advertising network, since advertising money spent for the sole purpose of raising other advertising money does seem a bit wasteful if they donât have a particularly effective âmultiplierâ in the middle.â
Some routers can be set to block some of these sites (see below), but the obvious takeaway for responsible webmasters is donât use âfreeâ statistics services if you value your reputation.âUse Analog or similar instead, or if your ISP doesnât give you the logs then write your own call to another server if you must know; personally I donât mind not being given the logs at allâit means Iâm not tempted to fret about how many computers opened this or that one of my pages, which are just here for reference anyway.â
I am most certainly *not* going to recommend that original webmasterâs site to anyone, because I cannot in good conscience recommend a site that has become associated with so much intrusive false advertising.âIâm not even sure Iâd want to recommend a different site that happens to include that site in a âlinksâ section.â(I did attempt to contact the webmaster about this, but the email address they listed was no longer valid.)
It would be a pity if an otherwise good resource were tainted in this way by being *hosted* on a server thatâs paid for by aggressive advertising, but itâs doubly a pity that all this was because the original webmaster signed up to a mere *statistics service* that doesnât even pay his hosting bills.âHe wanted statistics about his readers, but at this rate he wonât *have* any readers, because theyâll be taken out of his site and put off from returning as soon as they try to tap one of his links.âIf you ran a library or bookshop, would you accept someoneâs offer to count your visitors if they reserved the right to grab said visitors by the scruff of the neck and drag them off to unsavoury places the moment they started to look at any of your items?â
Third-party statistics services are simply not worth the risk.â
If an Android device is being used on Wi-Fi, the router attached to the access point *might* be able to help block advertising networks that carry malicious payloads.âMany consumer routers can be configured to block on the browserâs outgoing Host: header, which covers only sites that donât yet use HTTPS; to go beyond that the router would have to interfere with DNS lookups, or block IPs (which change).
Based on the above experience Iâd certainly suggest blocking ads.diamonds and trackmedia101.com if not the others.â
Androidâs Wi-Fi settings has a per-connection âAdvanced optionsâ that let you set a proxy for the browser to use when on that Wi-Fi network.âTherefore if your routerâs blocking options are insufficient, you could apt-get install tinyproxy on a Raspberry Pi (with a static IP), set Filter in /etc/tinyproxy.conf to a file containing the domains you want to block (restart or send SIGHUP to make it re-read this file), and set this IP and port 8888 in the Advanced options of your home Wi-Fi network on the Android device (long tap on the connection, select âModify networkâ and enable the advanced options).âRemember to use iptables or other access controls if youâve set your router to send âDMZâ traffic to the Raspberry Pi.âIf tinyproxy sometimes gets âstuckâ, you could cron a periodic /etc/init.d/tinyproxy restart or try something else like ngx_http_proxy_connect_module (likely to require compiling from source).â
This proxy approach has the disadvantage of requiring a settings change on each device that uses your network, but it *does* mean you can block HTTPS sites at the domain level (tinyproxy detects the browserâs CONNECT request and denies it).
All material © Silas S. Brown unless otherwise stated. Android is a trademark of Google LLC. Google is a trademark of Google LLC. Javascript is a trademark of Oracle Corporation in the US. Raspberry Pi is a trademark of the Raspberry Pi Foundation. Wi-Fi is a trademark of the Wi-Fi Alliance. Any other trademarks I mentioned without realising are trademarks of their respective holders.