[Igor (OP)]

I posted a link in a forum to a legitimate long-established website.
When people click on that link in the forum sometimes they are redirected to a fake anti-virus scam.


redirected to scam  URL.png (59.44 kB . 800x102 - viewed 5016 times)

Where is the hijack occurring ?, in the forum where I posted the link or the legitimate website ?.

(the website is run by computer literate individuals, the forum is run by computer novices) 

[CliffordK]

I am assuming this has happened to several people, and not just to you.

Is this the only link on the BBS that does this?

If many links on the BBS do the same thing, then it would be the BBS.

If this is the only link on the BBS that takes you to the fake site, then it would be specific to the link.

Carefully review the link to the "legit" website to make sure that it is NOT actually a link to a 3^rd party intermediary website.

If the link is correct, then I'd be looking at the "legit" website for problems, and make sure they also run a battery of antivirus/antispyware programs.

I would encourage you to verify that your own antivirus is up to date.  And, also run a battery of antispyware on your computer. 

There are some suggestions here:
http://www.thenakedscientists.com/forum/index.php?topic=38107.0

[Igor (OP)]

I am assuming this has happened to several people, and not just to you.

Yes, apparently only Internet Explorer users.  The redirection is intermittent, approx 1 time in 5, i.e. approximately 4 out of 5 times the link works correctly.

Is this the only link on the BBS that does this?

Don’t know, I have not tried other links on that forum : (I don’t fancy playing any more Russian roulette today).

[CliffordK]

I am assuming this has happened to several people, and not just to you.

Yes, apparently only Internet Explorer users.  The redirection is intermittent, approx 1 time in 5, i.e. approximately 4 out of 5 times the link works correctly.

Interesting observation.

You know, I haven't had a website pop up and tell me that my computer was infected by a virus since I rid myself of all Microsoft Software.

It kind of makes you think what the virus might have been!!!

Actually, I'm now getting a little curious.

Post (or send me a PM)
with all 3 websites.
The BBS where the link is posted.
The intended link.
The place it sends you.

[Igor (OP)]

The BBS where the link is posted.

The forum thread has now been deleted to prevent others falling into the booby trap.

The place it sends you.

Partial URL of the redirect is attached to the first post. It’s a fake antivirus scan scam.
Most of the time the link works correctly rather than being redirected.

Thanks for your interest Clifford. It does seem that it is the (amateur) forum which has been compromised rather than the website I linked to which is run by IT pros.

[RD]

"we recommend you to check your system immediately"

Grammarians would have spotted that was bogus.

[chris]

Old thread, I know, but I chanced upon it and thought I'd revive it because it might prove helpful to someone.

The symptom described above looks like what's called a "watering hole" attack; fraudsters compromise a server and replace existing code or add malicious scripts that are called when some or all of the site webpages care called.

The inserted code adds a handler to the affected pages that can do several things: sometimes it bounces people on to another target - like a product page for something someone is selling - from the original page; another one I have seen tells people that they need a security update for their browser and offers the download link; it looks deceptively like a real chrome update screen; people then click the link in good faith and supply their admin password, running the hacker's executable, which then modifies the client machine and grants the hacker a back door in.

The people who do this are bloody crafty. One attack  saw involved over-writing a single javascript file on an installation with a new version of the file that contained one extra line of script. This grabbed the content that was being inserted into the generated webpages from a third party site, making the affected file that was doing the naughty behaviour much harder to track down.

The moral of the story - lock it or lose it!

 

[nicephotog]

Possibly done by "cookie poisoning" whether javascript called and placed or server side cookies.
(nb: interesting note, there is such a things as a "literal cookie header" but usually requires the server output stream STDOUT to be edited and written into before the head section of an HTML page or the HTML page itself , the rules for it cam be found in one of the IETF RFC's for internet  https://www.ietf.org/standards/rfcs/ )
HOWEVER, free sites or such as forums where the user is a non paying member, some advertising is permissible.
That old adage "nuthins ever free bud" !