Notification of security issue
Earlier today, we noticed a security issue on the site that showed a malicious intermediary page to visitors. This page asked visitors to update their browser to continue viewing the content.
There may have been different messages, depending on the web browser used. Firefox users, for instance, may have seen a “you need to update your browser to view the content” notification and an “update Firefox” button on the page.
We reacted quickly to the security issue and have resolved it. The investigation is still ongoing and we are still in the process of validating the site’s databases and content.
We would like to ask anyone who interacted with the malicious content to scan their systems with up to date antivirus software. Some options include Bitdefender Antivirus Free, Avast Free Antivirus or the built-in Microsoft Defender on Windows.
We will share additional information on the issue once we have completed the investigation.
Advertisement
I see NO updates. I guess you just want us to trust you.
Martin, are you having more security problems or database purges, and roll backs as of today: 25 September 2023.
Because comments are randomly disappearing again; similar to what I described at the top of this page (#comment-4574063). That instability can only be server-side or at your end.
Could this be malvertising ? Another, not so well known attribute of the wonderful ad industry is being a major vector for malware infection. I mean, apart from their own usual and ubiquitous spyware and adware of course, that all antivirus have stopped flagging many years ago.
They got me in the first half, not gonna lie :D
I have seen that message and got angry at Microsoft for making such a dumb move like those pop ups discouraging user from installing Chrome. Especially when it got through ublock. The link under the Update button also looked legit redirecting to MSFT site.
Then the consciousness came back, and I checked the page source. At least I didn’t click any of the links and scanned the PC right after.
Martin, what loose timeframe (the actual hours) was the defacement visibly present? Obviously by the time I had posted within this page, you had already created this topic.
The “calf” is obviously a small human child, the fell into the ‘uncovered well’ and drowned by misadventure, rather than a cow… The saying makes a lot more sense now, as the well wasn’t made safe, e.g. covered, or filled will soil – too late.
Fixed two typos: “[…] The “calf” is obviously a small human child, th[at] fell into the ‘uncovered well’ and drowned by misadventure, rather than a cow…” and “[…] filled wi[th] soil …”.
Ah, When the calf has drowned, the well is filled up (i.e., closing the stable door after the horse has bolted). Hmm, “dampened” had me a little confused, I nearly read it like, the carcass had soaked up the water, rather than displacing it LOL. As ‘dampened’ is usually just slightly wet.
When I could not connect to the website for a couple of hours my first thought was that the site was hacked. And then I thought a backup would fix the issue.
I’m guessing that one of your writers must have clicked on a malicious link and revealed a their password.
I noticed this issue early yesterday morning with Brave, Firefox and Edge. This was happening on another PC as well. This was not happening with other sites. So I knew the issue was at your end.
Since I could not get to the site to report it, I went to your Facebook page. There was no option to massage anyone there.
Now what?
I reported it as a comment on the most recent article. I deleted that comment and all the info provided there today.
Why?
There had been no responses from anyone at all in more than 24 hours. This suggests to me that your Facebook page is not very popular.
it was this domain:
ioiubby73b1n .com
I was just updating chrome and then when I went to ghacks I was redirected to a page telling me to update chrome. Of course I immediately suspected the page but I tried to download the update anyway but chrome immediately blocked it. I then used uBo to identify the culprit then ghacks worked fine. But hackers wanting to use a browser that will refuse to download its fake update is really stupid!
I presume it was an external DDoS like attack against the web servers themselves or malvertisement linked via an outside advertisement network.
Rather than an individuals’ workstation (a Softonic employee) that was accidently compromised. Or had their Login credentials stolen prior. For example, via a malicious email, and then the script was somehow unsuspectingly internally uploaded to the gHacks website via their PC.
Same here, but the notice looked fraudulent. So I restarted Chrome and used its inbuilt update function to update. No notices since then. Bitdefender is running live on my system.
Did anyone capture what these update prompts look like.
I got none on my end at all.
Maybe it’s something that Jshelter or something else I have running that blocked it and I just didn’t notice. also could have been based on the work of FanboyNZ and co that I didn’t.
Overall the site has been in bad shape for a while now. I have been considering my options to mirror the articles elsewhere with a more stable comments section but don’t want to harm the work of the very few (you guys know the ones) good writers here and pouch users for a thriving comments section. This site has been around for far too long and has a good history. I just wish it was still independently owned I guess or better managed like it used to be. I doubt anything like this would have happened if it were.
> Did anyone capture what these update prompts look like.
Look here:
[https://malwaretips.com/threads/ghacks-net-website-delivering-malware-via-fake-browser-update-messages.125969/]
@Tom Hawak
Good thinking and you are correct, the Third party connections have increased since the acquisition and only add to create more needless opportunities for attacks such as these. I am not entirely sure where they were deployed from but found it interesting that I was not affected. It could have been only happening for a few hours whilst I was asleep or it could have been blocked as an overlay
Thanks for the link @nicolaasjan
I don’t think that this would have worked on many of us here to actually fall for it regardless but it does present an issue for other non tech users at this point as I can think of quite a few people in my life that would fall for such a trick.
We will have to keep an eye on it as I’m sure they will change the root url soon that is distributing the malware.
@Mystique, as you I haven’t encountered the update prompt security issue.
I don’t know how this issue deployed but a site’s third-party connections may be concerned, as it may not be.
Not sure this sort of thing may have happened in Ghacks’ old days when there was not one 3rd-party connection if I remember correctly. Ever since the site got bought by Softonic connections to 3rd-party sites have increased slowly but surely.
uBlock Origin reports the following connections. I authorize only [www.ghacks.net] (of course!) and pages deploy perfectly well (which is worth being noted when the number of sites deploying correctly without any 3rd-party connections is limited) :
[www.ghacks.net]
[securepubads.g.doubleclick.net]
[connect.facebook.net]
[www.googletagmanager.com]
[www.gstatic.com]
[imasdk.googleapis.com]
[sdk.mrf.io]
[notix.io]
[polyfill.io]
[sdk.privacy-center.org]
[spn-v1.revampcdn.com]
Maybe the culprit is related to one of these connections independently of [www.ghacks.net]. No idea, but what is not needed in the computing arena is never welcomed IMO.
@Tom Hawack
The malicious domain is now blocked by uBlock Origin via EasyList.
As we say in Dutch:
“When the calf has drowned, the well is dampened”
@nicolaasjan, many thanks for all this valuable information (Malware analysis and update prompt screen capture) provided from the security flaw applied to Chrome. Most appreciated.
I hadn’t encountered the malicious update prompt here on Firefox when the flaw was active (2023-09-22) and my uBO lists were those of the morning (I update all lists every morning), but accessed Ghacks with 3rd-party connections all blocked as mentioned above. I also have a dedicated Ghacks filter which blocks all of the site’s scripts except 3 required for proper usage of the site :
! Block scripts but allow @@ exceptions
||ghacks.net^$script
@@||ghacks.net/wp-includes/js/comment-reply.min.js$script,1p
@@||ghacks.net/wp-content/plugins/wp-rocket/assets/js/lazyload/*$script,1p
@@||ghacks.net/wp-includes/js/jquery/*$script,1p
Also, a system-wide blocklist (domain & urls) managed by DNSCrypt-proxy, but that doesn’t handle fraudulent scripts of course.
How did the intrusion make its way, that’s what I always wonder. Must be a script coming from somewhere (the Malware analysis you link to says from where) but via which vector : either via a 3rd-party server connecinf to the source either a specific attack on Ghacks, directly… Forget that, I’m not a specialist, far from. Yet what always puzzles me is how such flaws (independently of DDOS attacks) make their way. In other words how did the source servers mentioned by the malware analysis attack Ghacks, and Ghacks only as far as I know ? …
Side-note : fortunately you translated the Dutch proverb to English given, as for myself, I’ve forgotten most of the little I knew of Dutch sentences, except maybe something like “Ik hou van je mijn lekkere snoepje” :)
@Tom Hawack
> How did the intrusion make its way, that’s what I always wonder.
There are numerous ways e.g. via a vulnerable WordPress plugin.
Then the attacker likely got administrator level access.
(at the time of the attack the source code of the site was riddled with strange things)
[https://hackertarget.com/attacking-wordpress/]
But I’m sure Martin will come with an explanation.
@nicolaasjan
> There are numerous ways e.g. via a vulnerable WordPress plugin.
Vulnerable or fixed and not updated by a site as I understand it. Anyway, a script.
We (I anyway) focus on 3rd-party servers and set uBO accordingly but tend to forget 1st-party and inline scripts (even if uBO filters them as well on the basis of its lists). Something to keep in mind. But I cannot really imagine setting uBO to block 1st-party scripts by default and accord a per-site authorization given 99%+ of the sites need at least their own 1st-party scripts. Maybe I should, which would bring the flavor of ‘NoScript’ to uBO. I’ll think about it.
About WP plugins : I remember having read articles about issues from time to time.
EDITing my above comment :
“Also, a system-wide blocklist (domain & urls) managed by DNSCrypt-proxy, but that doesn’t handle fraudulent scripts of course.”
TO
“Also, a system-wide blocklist (domains & ips) managed by DNSCrypt-proxy, but that doesn’t handle fraudulent scripts of course.”
Of course …
@Tom Hawack
> Maybe the culprit is related to one of these connections independently of [www.ghacks.net].
It was related to a malicious domain (which I shall not mention here), that is currently absent, since gHacks is clean now.
IP address located in Kemerovo, Kemerovo Oblast, Russia…
Malware analysis here:
[https://any.run/report/37bba90d20e429ce3fd56847e4e7aaf83c62fdd70a7dbdcd35b6f2569d47d533/ccb78975-4e7b-4171-9afe-85ddcb91a6f5]
I faced this issue via my iphone (Brave browser). Clicking on Ghacks simultaneously opened another site which I closed as it was in the process of opening. I did not download anything. I turned the iphone off. I also deleted the app. Is there anything else I need to do? I am not so tech savy
Checked out the insecure firefox installer via sandboxie. It writes a few registry entries and a startup which then runs the malware package (at least on my end). Be sure to do a full system virus scan or fresh re-install if you ran it.
The only odd issue I’ve encountered on 09-22-2023 was that the RSS Feed and Comments Feed weren’t valid but not sure this is related to the security issue described in this article, though it was the first time I encountered this.
I have not encountered a malicious intermediary page asking to update the browser to continue viewing the content, but I haven’t visited Ghacks at the time as often as I usually do.
I ran into the problem using Firefox, and did not pay any attention to the obvious scam. I then tried using Edge and ran into the exact same problem except that the intermediary asked to update Edge, instead of Firefox. I again ignored it. I then ran a couple of malware scans which both told me that my system is clean.
PS I also ran into this problem several times on another non-IT related site (Baseball Think Factory) and also had no resultant problems on my computer system. Based on my experience, anyway, it appears that there is no harm caused to your computer system long as you are not foolish enough to try to ‘update’ your browser by clicking on any the intermediary site links.
I saw the page in French, which is my preferred language. I found it unusual that a malicious page would have different language versions.
Microsoft Defender under Windows 10 still doesn’t detect the file as malicious on my system, in spite of what is said at https://www.virustotal.com/gui/file/37bba90d20e429ce3fd56847e4e7aaf83c62fdd70a7dbdcd35b6f2569d47d533
The phantom page was only appearing in Brave! Didn’t click on anything though.
Then I downloaded FF and Chrome to test and none had the problem. All browsers with UB and set accordingly(as possible), but only Brave would show the page… strange.
It appeared in other browsers randomly, so not a “only Brave” issue. We fixed the ghacks site in shields the moment it was discovered.
Martin,
The comments section of this website have been seriously malfunctioning for weeks. Many people have commented on it and you or no other writer has ever responded that I am aware.
Comment to: https://www.ghacks.net/2023/09/22/notification-of-security-issue/
Indeed. But weirdly enough, the comments section under this very article ONLY displays comments that are about this topic and nothing else. No old comments shown here so far! :)
But I don’t think we can say “problem solved” yet, as one later published article from 2023/09/23 is unfortunately full of old comments :( : https://www.ghacks.net/2023/09/23/mozilla-is-renaming-firefox-accounts-to-mozilla-accounts/
+1 Same threads from log ago stuck randomly into new articles.
Notification of security issue
I came across this, this morning, using Microsoft Edge. I attempted to upgrade the browser, via the ‘inbuilt updater’, but was informed that I was running the latest version. I then tried with Chromium, and again, got the same “you need to update your browser’ notification. I’m very particular about keeping browsers up to date. Anyway, I downloaded the file, presented…thought it was a little on the small side, used my BitDefender security to check it, no problem,..but when I ran the file…BitDefender stopped it from running…and deleted the file. PHEW!
Also the page CSS layout was messed-up this afternoon, if that helps.
Martin, today I noticed both your recent topics and post lists have been strangely “disappearing and reappearing” at random. I don’t mean the ongoing random post issue. However, I’ve had no browser notices as described when submitting.
Sorry for that, we had to restore earlier backups of the site. This should not happen again.