
Thread: 5 Billionth search scam

  1. #11
    Join Date
    Apr 2020
    Beans
    3

    Re: 5 Billionth search scam

    Hi. I found this thread on Google.

    I've encountered the "5 billionth search" thing twice now. Once when I was looking up a YouTube video for learning Polish, which had a link in the video description, which was posted a couple years ago, for some small/unheard of site about learning Polish. That was a couple days ago. I immediately closed the browser tab. Today, when I googled a local business and went to their site, I encountered the "5 billionth search" redirect a second time. I'm using Linux. You go to the website, and then it instantly redirects to a different domain name. You clicked on the legitimate domain, but then it redirects and looks like a spammy domain name instead of the original link you clicked on.

    I don't have much installed on this computer. In Firefox, I have HTTPS Everywhere, LastPass, and uBlock Origin installed. No other extensions.

    Do you think it's a phishing thing or a malware thing?

    My hypothesis is that, if someone were able to get malware on my computer, they'd be able to harvest info by doing keylogging or whatever. Why would they need me to manually input information into a website?

    I think the more likely explanation is that someone found a way to hack websites running certain software, and makes them redirect to phishing sites. They hack legitimate sites, but maybe they're just running a really old version of WordPress or something. Once a hacker knows a way to exploit a certain security issue on web server software, such as a CMS or something, they can do it any number of times. Maybe it's a known vulnerability (a CVE) because the website hasn't been updated in a while.

    Neither the old Polish learning website nor the local business are tech companies. I also doubt they have a big budget for their website. They might've paid someone to set up a website, and then didn't bother with security updates. Many small/local businesses use CMSs, especially WordPress. WordPress can be secure if you install updates etc. but I'm guessing these small businesses don't know or care about security that much.

    I don't think it's malware on my computer running Linux.

    Long story short, I think the website got hacked, not my computer.

    What do you think of my hypothesis?

  2. #12
    Join Date
    Sep 2014
    Location
    United States
    Beans
    286
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: 5 Billionth search scam

    It's a likely hypothesis. Thanks for sharing.

    Could you please share the URLs with me if you still have them? Moderators will remove your post, so you can send them to me in a private message.

    If it's a 0-day, I will need to notify Debian security.

    It appears the common part of this problem is Google.

  3. #13
    Join Date
    Apr 2020
    Beans
    3

    Re: 5 Billionth search scam

    I don't remember the phishing URLs, and I don't remember the exact Polish learning website URL anymore (I cleared my history), but I do know the local business site, and I can message it to you if you want.

    EDIT: Additional info: this might be completely irrelevant, but maybe not. I forgot to mention that I also have ExpressVPN installed on my computer. Is this related? No idea. Just including this info. I've also heard of router malware, too. Like I read about how hacked routers change DNS or something. But my router is running DD-WRT, recently updated, and with no remote access enabled.

    I still think it's just a case of the websites being hacked and redirecting to phishing sites.

    EDIT 2: the "billionth search" scam didn't appear every single time I visited the website. Also, I remember reading about something called a traffic distribution system a while ago, which is software on a web server (used by criminals) that can selectively redirect a user to a web page or malicious payload. It can be based on many different factors, like user agent, cookies, browser, browser version, OS, etc. So one user will go to the link and see one thing, and another user can go to the same link and be redirected to something else entirely. This might not be a TDS, but it is weird that the scam didn't show up every time.

    EDIT 3: one of the websites I visited that had the "billionth search" redirect is in fact using WordPress (and a ton of plugins). These articles might be related:
    https://portswigger.net/daily-swig/u...ordpress-sites
    https://securityboulevard.com/2020/0...url-redirects/

    Considering the fact that many people on social media complained about this same issue (websites redirecting to a phishing page), and they were on many different operating systems (iOS, Android, Windows, macOS, Linux), I think it's safe to say this is a website issue rather than a malware issue.
    Last edited by somelinuxuser123; April 2nd, 2020 at 08:24 PM.
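
A site owner can test for the selective behaviour described in the post above. This is an added example, not part of the original thread: it requests one URL as several constructed visitor profiles and reports which of them get an HTTP redirect to another host. The profile headers and function names are assumptions, and only server-side 3xx redirects are seen; a redirect done in JavaScript would need a real browser to observe.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

UA = "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
MOBILE = "Mozilla/5.0 (Android 10; Mobile; rv:68.0) Gecko/68.0 Firefox/68.0"
# Constructed visitor profiles: typed-in URL vs. arriving from a search result.
PROFILES = {
    "direct-desktop": {"User-Agent": UA},
    "search-desktop": {"User-Agent": UA, "Referer": "https://www.google.com/"},
    "search-mobile": {"User-Agent": MOBILE, "Referer": "https://duckduckgo.com/"},
}

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as HTTPError

def fetch_location(url, headers):
    """Return the Location header of a 3xx answer, else None (no body is parsed)."""
    opener = urllib.request.build_opener(NoFollow)
    try:
        opener.open(urllib.request.Request(url, headers=headers), timeout=10)
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
    return None

def same_site(a, b):
    # Treat www.example.org and example.org as the same site.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def probe(url, fetch=fetch_location, profiles=PROFILES):
    """Map each profile name to the off-site host it was redirected to, or None."""
    site = urlsplit(url).hostname
    seen = {}
    for name, headers in profiles.items():
        location = fetch(url, headers)
        host = urlsplit(urljoin(url, location)).hostname if location else None
        seen[name] = host if host and not same_site(host, site) else None
    return seen

def is_conditional(seen):
    """True when some profiles are sent off-site while others are served normally."""
    return None in seen.values() and any(seen.values())

if __name__ == "__main__" and len(sys.argv) > 1:
    result = probe(sys.argv[1])
    print(result, "conditional redirect" if is_conditional(result) else "consistent")
```

Because the redirect in the thread did not fire on every visit, a single clean run proves little; repeat the probe over time before concluding the site is consistent.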

  4. #14
    Join Date
    Sep 2019
    Beans
    2

    Re: 5 Billionth search scam

    Quote Originally Posted by EuclideanCoffee View Post
    First, I'm sorry that you felt so much anxiety over a typical search result. You shouldn't have such a negative experience just looking for furniture.

    Now though it is possible to have adware or spyware or malware advertise to you specifically, in this case I think it's unlikely malware but a JavaScript function that read your browser agent and created a popup using your agent to make it seem like it was specifically targeting you. These are things available to websites simply because you browsed their webpage. With JavaScript, software that is rendered by your browser, which means Firefox runs the software, you write a program that knows the following items about you.

    1. Your approximate location via your IP. Note, your IP is how your computer is addressed, and from this address a website can determine where you live easily.
    2. Your browser and sometimes your operating system. This is how websites typically determine if you need to use the mobile version of their websites for example.
    3. Where you came from, your last click, meaning they know you arrived from Google or any other search engine website like DuckDuckGo.

    What does this mean?

    From this, we know that the website could've known all of this information without needing to spread malware, which is illegal and requires work. Because this is the easiest way to scam you, they will likely use the easiest method and not even worry about developing the malware you may have imagined. Though that malware is very possible, it's less likely in your situation.

    You should be safe. But you may also want to reformat your machine if you'd like.

    I'm writing some free software that I hope to have as a PPA (available to Ubuntu users) soon that should help with automating security vulnerabilities on your computer and assist with fixing them. Let me know if this would be something that interests you, and I can PM you the project. Or if anyone else is interested, simply send me a note via my visitor's page. I feel like posting in thread would be advertising, and I haven't checked the rules recently on that.

    Additional recommendations:
    1. Install add-ons that block scripts, such as uBlock Origin or uMatrix.
    2. Install add-ons that ensure your traffic is encrypted, such as HTTPS Everywhere.
    3. Install add-ons for privacy such as Privacy Badger.

    Thank you a lot

  5. #15
    Join Date
    Sep 2014
    Location
    United States
    Beans
    286
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: 5 Billionth search scam

    This appears to be a virus.

    Be sure to have all your updates installed and protection software installed as I mentioned earlier. I'll do some amateur digging.

    Edit: Confirmed this is related to website hacking. Keep your browsing safe, everyone.

    This website could possibly install software onto your computer. The best way to protect yourself is to not trust JavaScript upon visiting a new website. See my post above, which is quoted.
    Last edited by EuclideanCoffee; April 4th, 2020 at 12:17 AM.

  6. #16
    Join Date
    Apr 2020
    Beans
    3

    Re: 5 Billionth search scam

    Are you really sure it's a virus instead of just a redirect on the site itself? Aside from going to a site and seeing the "5 billionth search" page, nothing else happened. No weird activity on my computer or online accounts. Now that I avoid the two websites where I saw that redirect, I'm not noticing anything out of the ordinary on my computer. I ran a ClamAV scan and it didn't find anything.

    If you really think it's malware, I will reinstall my OS. But it's a hassle to do so. If it's just a website redirect, rather than malicious code on my computer, then I'd rather not do that.

  7. #17
    Join Date
    Sep 2014
    Location
    United States
    Beans
    286
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: 5 Billionth search scam

    I guess I mean it's a site exploit. But it's malware regardless. Avoid websites that redirect. I would reinstall my OS if this happened to me.

  8. #18
    Join Date
    Jul 2017
    Beans
    1

    Re: 5 Billionth search scam

    I ran into that scam a couple of months ago.

    I ran a search (with DuckDuckGo). I chose the first hit, which seemed a straightforward answer, and instead got a survey purporting to be by Firefox. I was suspicious of it, so I tried to go back one page, but it wouldn’t let me, just dumping me on the same or similar pages. So I got back to my search via browser history, tried again, and the same thing happened, but this time purporting to be a Google survey. So, I decided to search on this problem, something like ‘are these firefox surveys real’, finding them to be scams. Firefox advised checking your add-ons list for something suspicious. Well, there was nothing on there that I didn’t put there, so I thought that was a no go, but I did decide to remove Startpage which I'd installed a short time before but wasn't using any more. Then I clicked on that hit for a third time … and lo and behold it went through properly to a kosher web page. Never had it happen before; never had it happen since.

    Perhaps not definitive proof, I know, but it certainly looks as if Startpage was my problem.

  9. #19
    Join Date
    Sep 2014
    Location
    United States
    Beans
    286
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: 5 Billionth search scam

    Interesting. I don't think StartPage develops an add-on. It could be that someone has maliciously placed an add-on on the marketplace with hopes someone may use it thinking it's official.
