Safari browser redirects became an obnoxious problem a few weeks back, when both my iPhone and iPad began to auto-redirect to a fake app store and to a few unsavory sites (like freecamsecrets). Most of the time the redirects would occur while I was browsing Facebook or clicking a link in Gmail. Occasionally, Safari browser redirects would occur while using Google search on an iOS device. I searched the discussion forums at Apple and around the web with little success in coming up with any solution to my redirect woes.
Safari Browser Redirects on Work Wi-Fi
The browser redirects only occurred at work and from different locations inside and outside our office building. I had zero redirects on my iOS devices when using a different Wi-Fi network at home. Regardless, the initial redirect problem somehow involved Wi-Fi at work. At first, the redirects were sporadic. Clicking on the donate button at FightForTheFuture.org would spawn the site freecamsecrets and attempting to login at mobile.Experts-exchange.com would produce a loop of redirects until I would eventually land at a site like systemupdate.com-com.co. I was thinking that perhaps some of these legitimate and trusted sites might be running bad ads (without their knowledge).The work router concept was still sitting in the background of my mind collecting dust…
I am not totally clueless as to how the browser hijacks actually began. I can only relate it to my trip across country from New Hampshire to Oregon. After driving fourteen hours I finally hit downtown Chicago and managed to drive through two stop signs, and was promptly busted by the Chicago PD. I both laughed and cried, I may have looked a bit insane too. At that time I told them that I had a perfect driving record for 21 years (and I was proud of it). My goal was to get to the Hostel (that I initially booked a room at), take a hot shower, and die.
Fortunately (for me), they were Chicago’s finest and dismissed my driving indiscretions. They also gave me adequate directions to the Hostel. But, when I checked out of the Hostel the next morning — another crisis hit, I could not find my car. I walked from parking lot to parking lot and all the lots looked like identical twins, triplets, and quadruplets to my exhausted eyes. I was thinking whoa gal, you are so screwed now.
I called the City of Chicago and explained my dilemma. The first thing they asked me was for a description of my car and my license plate number. I had the description down, but, I did not have my license plate number memorized. I soon learned that when I park in the city that I should always take a snapshot reminder of the parking location and also include my license plate number.
It is always helpful to be aware of your location and what network you are using when you begin to see strange things occur on your device(s) — this will minimize the time you spend during the troubleshooting process.
Color Me Blind
No, I did not know my plate number offhand. I gave them the description of the rooftop cargo bag (my savior) and 45 minutes later I was heading toward Nebraska. Thank you Chicago! So, what does losing my car in Chicago have to do with the point I am attempting to make here? Simply stated — Safari browser redirects did not include a clear trail back to the home base. The redirects were always random, or so I thought…
At the start of June, while performing an ipconfig /all on my laptop I noticed a third static DNS entry directed to IP: 220.127.116.110. Strange. I was only accustomed to seeing Charter IP’s of 18.104.22.168, & 22.214.171.124, so a third static DNS IP was rather odd. Once again, I did not relate this to my location in the office building. So, I head back into my office and run scanners for malware, antivirus, and online security scans — I was over the edge and in the crock-pot of a potential have-I-been-hacked panic attack.
So, I switched my laptop to OpenDNS, and this appeared to resolve my problem immediately. I was ecstatic. The following week I began to experience Internet connectivity problems and went through network troubleshooting and deleted my network adapter and re-installed it. I also checked the main office router and found static DNS entries that did not belong to Charter cable: IP: 126.96.36.199 | 188.8.131.52. Bummer. I restored the original router configuration and changed the password.
They came back
The bad ads came back in different locations (mainly when I was outside on the patio and in different sections of the office building), and though they became more aggressive the further distance I was away from my office — there was still some confusion regarding their point of origin — you will find out why soon.
Performing a simple Google mobile search redirected me to this Battery Doctor popup:
If I had clicked on OK, I would have been redirected to a fake App Store. Next, Clicking on login at Experts-Exchange.com would redirect me to a popup like this:
Though there were some subtle hints over the course of a few weeks — Paige (down the hall) screaming that porn had invaded her computer, and Tommy (across from my office) scratching his head over a security app that appeared to be taking control of his computer — I just assumed that since they were both running XP that they were vulnerable anyway. I gave them both a quick rundown on what applications to use to get rid of their nasties and told them both that they need to move away from XP and consider ordering a more current operating system. They both ended up ordering new computers.
With the XP blow-ups out of sight and out of mind —I though that the Safari browser redirects might be a MitM [man-in-the-middle attack], since my main [wired] workstation (that was directly connected to my router) in my office was not affected. I did not notice any current misbehavior with my laptop either, until last Friday when I took it outside to work on the back patio again. Once it auto-connected to work WiFi, all hell broke loose. The first suspicious hint was a 2014 annual Firefox visitor survey advertisement that redirected my browser to all.rewardvein<dot>eu [Apache/2,2.15].
When I am at work I am almost always connected to my office WiFi, so that is why the browser redirects were so sporadic at first. My office WiFi probably went down on Friday, so that would explain why my devices and laptop auto-connected to work WiFi.
dollfield.eu: [Amazon Elastic IP: 184.108.40.206 | 220.127.116.11]
This domain was registered on May 8, 2014 and already has an Alexa rank of 11,848. For distribution purposes — it utilizes a subdomain with a long URL. This site is located on an outdated web server: Apache/2.2.15.
Though I have the latest version of Firefox on my laptop — I was prompted by a popup to update my browser while connected to work WiFi. Next, another rogue Firefox advertisement personally selected me to take part in their 2014 Annual Visitor Survey [rewardvin.eu, /same server as dollfield.eu].
While still sitting on the back patio staring down at my laptop — ads and popups began to scurry around my screen like cockroaches. I became even more irritated when downloadju.com attempted to highjack Firefox via this popup warning:
I soon began to suspect that the common denominator had to be the main work router.
I did not set up the work router (I have my own office router for security reasons), though I do login (locally) to the work router when it needs to be rebooted. I assumed that since the router was replaced and configured a year ago (by a local security professional), that I did not need to check anything. Don’t ever assume that you are secure in your workplace (specifically if the office building consists of small businesses) — check and recheck EVERYTHING.
On Friday i logged back into the work router and Charter Cable Static DNS was completely removed and replaced with IPs: 18.104.22.168 | 22.214.171.124. They could not have hacked a second complex password. Once again, I restored the router configuration and searched Linksys support articles and discovered that the work router had the Moon worm.I upgraded the firmware, disabled remote management, and powercycled the router.
The Moon Worm was not doing much damage back in February, though it certainly appears to have picked up some speed in distribution of adware and potential malware payloads since then. All I know is that this particular worm visited the work router within the past few weeks. How do I know this? I generally reboot the work router about twice a month and Charter static DNS servers was always present. So, it is probably time to get all the old Linksys router firmware upgraded and follow these instructions.
Have you had any similar experiences — where the answer was staring you in the face and you did not see it?