Since this morning, a strange advertisement has been appearing on top of many pages I open in a web browser (see screenshot at the end). It's happening in any browser (tested FF, IE and Chrome), on any of the three machines in our household, even on an iPhone (no matter whether connected to Wi-Fi or a cellular network [not true in the end, see my answer]). Even on a Debian system run in VMWare.

Sometimes the ads do not appear in Firefox, but appear in IE. Sometimes they do not appear on the iPhone when connected to cellular, but appear when connected to Wi-Fi. But mostly they appear in any case. On some pages the issue corrupts the page rendering.

The advertisement is identical in every case: the same three banners, except for the Amazon banner, which changes the product. On the iPhone the Amazon banner does not load. On some pages the set of ads repeats two or more times.

Some of the pages the problem is happening with:

  • superuser.com (any SE site)
  • instagram.com
  • pinterest.com
  • ask.com (ads appear twice)
  • bbc.com

Not happening on:

  • google.com
  • linkedin.com
  • youtube.com
  • cnn.com
  • microsoft.com

(though the lists can be affected by the random component of the problem).

The ads are rendered by HTML code injected just after the opening <body> tag. The code is not present in the HTML itself, but I can see it when inspecting the page in the browser dev tools (e.g. the Inspector tool in Firefox), so it's likely generated by some JavaScript. The code is attached at the end of this post. Once the page renders, the browser starts connecting to 85.25.138.211.

I do not have any unwanted plugins in the browser(s), nor have I identified any adware/malware on my machine(s). I didn't even expect to, as the problem occurs on the iPhone too.

It feels like I got hacked. But I cannot imagine how such a hack would work, since it affects different systems (Windows, iOS, Debian). I considered the router having been hacked, but that also does not seem likely, as the issue persists even when I disconnect the iPhone from Wi-Fi. I considered that someone exploited some bug in a JavaScript library that all the affected pages share. But in that case the issue would be widespread, not just happening to me. But I was not able to find any report of such a problem by anyone else [not true in the end, see my answer].

Does anyone have any idea why this is happening?

[Screenshot: the injected advertisements at the top of the page]

<body class="user-page new-topbar" lang=""><div align="center"><a title="wygladzanie zmarszczek" rel="nofollow" href="http://track.impreskin.pl/product/ImpreSkin/?uid=21002&pid=153&bid=1659"><img alt="wygladzanie zmarszczek" src="http://track.impreskin.pl/banner/?uid=21002&pid=153&bid=1659"></img></a></div><div align="center"><iframe width="728" height="90" frameborder="0" style="border:none;" marginwidth="0" border="0" scrolling="no" src="http://rcm-na.amazon-adsystem.com/e/cm?t=hsiang-20&o=1&p=48&l=ur1&category=electronicsrot&f=ifr&linkID=BXR7UA243P4D75JE">#document<html><head></head><body><div id="wrap"><object width="728" height="90" align="middle" codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"><!--Tags used by MSIE Rendering engine --><param value="http://ecx.images-amazon.com/images/G/01/associates/2011/ban…vacyTarget=_top&privacyURL=http://www.amazon.com/gp/dra/info" name="movie"></param><param value="high" name="quality"></param><param value="transparent" name="wmode"></param><param value="#FFFFFF" name="bgcolor"></param><param value="all" name="allowNetworking"></param><param value="always" name="allowScriptAccess"></param><!--Tags used by Mozilla Rendering engine--><embed width="728" height="90" pluginspage="https://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" allowscriptaccess="always" allownetworking="all" bgcolor="#FFFFFF" wmode="transparent" quality="high" src="http://ecx.images-amazon.com/images/G/01/associates/2011/ban…vacyTarget=_top&privacyURL=http://www.amazon.com/gp/dra/info"></embed></object></div><script></script></body></html><!--autogen flash template V 0.1311154052 --></iframe></div><div align="center"><!--default --><div id="ca-block-2228" class="ca-block"></div></div>

After many tests, I've realized that the problem was happening on the cellular network only because of caching. After clearing the cache (Clear History and Website Data) and refreshing, the problem went away. And it reappeared only after connecting back to the Wi-Fi.

This made it obvious that the problem was due to a compromised router, an Edimax AR-7265WNB. Resetting the router back to the factory settings and re-configuring it fixed the problem.

I did not find a newer version of the router firmware than the one I have (FwVer:3.10.16.0_TC3085 HwVer:T14.F7_3.0). Though I've found that the firewall on the router was off. Actually the router reset itself a few weeks back. When reconfiguring it, I probably forgot to enable the firewall (actually I would expect the firewall to be on by default).

The problem seems world-wide now (other reports here and here; some others were deleted), contrary to my claim in the question. That would suggest remote exploiting of some router vulnerability (supported by the firewall issue), rather than local hacking into the Wi-Fi. The others report different types of routers (D-Link DSL-2600U, TP-Link), so the issue is not specific to the Edimax.

The other reports mention that DNS or proxy settings were modified. I did not check this before resetting my router. But it is possible that my router was modified this way, as the firewall was off. This also explains injecting code into any page without the need for any router-specific exploit. So the attacker possibly scans the internet for any unsecured routers and simply configures them to point to the attacker's proxy.

Which router? Had you updated the firmware to the most recent version? – K7AAY, Oct 26 '14 at 22:31
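The asker's own method for confirming the injection was to compare the page as served through the router with the page fetched over a trusted path (cellular data, cache cleared). The following script is an added example, not code from the question or any answer, that automates that comparison on saved HTML: it lists the hosts referenced by the first tags after `<body>` (where the injected banners sat) and reports those present in the suspect copy but absent from the clean one. The `CLEAN_HTML` and `SUSPECT_HTML` samples are constructed for this example and only borrow the hostnames from the markup posted above; the `superuser.com` and `cdn.sstatic.net` references are assumed first-party content, and `window=15` is an arbitrary choice.

```python
# Added example (not code from the original question or answers): find third-party
# hosts injected near the top of <body>, and diff a copy of the page fetched through
# the suspect router against a copy fetched over a trusted path (e.g. cellular data
# with the cache cleared, as the asker did). Only the standard library is used.
from html.parser import HTMLParser
from urllib.parse import urlparse

RESOURCE_ATTRS = ("src", "href", "data", "action")


class _BodyHostCollector(HTMLParser):
    """Record (tag, host) for every URL-bearing attribute in the first
    `window` start tags that follow <body>; tags in <head> are ignored."""

    def __init__(self, window):
        super().__init__()
        self.window = window
        self.in_body = False
        self.seen = 0
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
            return
        if not self.in_body or self.seen >= self.window:
            return
        self.seen += 1
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                host = urlparse(value).hostname  # None for relative URLs and "#"
                if host:
                    self.hosts.append((tag, host.lower()))


def hosts_after_body(html, window=15):
    parser = _BodyHostCollector(window)
    parser.feed(html)
    parser.close()
    return parser.hosts


def same_site(host, page_host):
    return host == page_host or host.endswith("." + page_host)


def foreign_hosts_after_body(html, page_host, window=15):
    """Heuristic for a single copy: third-party hosts at the top of <body>.
    Legitimate CDNs show up here too, so treat hits as candidates to review."""
    return [(t, h) for t, h in hosts_after_body(html, window)
            if not same_site(h, page_host)]


def injected_hosts(suspect_html, clean_html, window=15):
    """Hosts referenced near the top of <body> in the suspect copy but not in
    the clean copy. This is the reliable check: it ignores the site's own CDNs."""
    clean = {h for _, h in hosts_after_body(clean_html, window)}
    return sorted({h for _, h in hosts_after_body(suspect_html, window)
                   if h not in clean})


# Constructed samples modelled on the markup in the question; the CLEAN copy
# stands in for the page as served without the router in the path.
CLEAN_HTML = """<html><head><link rel="stylesheet" href="https://cdn.sstatic.net/Sites/superuser/all.css"></head>
<body class="user-page new-topbar" lang="">
<div id="notify-container"></div>
<div class="topbar"><a href="https://superuser.com/"><img src="https://cdn.sstatic.net/Sites/superuser/img/logo.png"></a></div>
<div id="content"><a href="/questions">Questions</a></div>
</body></html>"""

SUSPECT_HTML = CLEAN_HTML.replace(
    '<body class="user-page new-topbar" lang="">',
    '<body class="user-page new-topbar" lang="">'
    '<div align="center"><a rel="nofollow" href="http://track.impreskin.pl/product/ImpreSkin/?uid=EXAMPLE">'
    '<img src="http://track.impreskin.pl/banner/?uid=EXAMPLE"></a></div>'
    '<div align="center"><iframe width="728" height="90" src="http://rcm-na.amazon-adsystem.com/e/cm?t=EXAMPLE"></iframe></div>'
    '<div align="center"><div id="ca-block-2228" class="ca-block"></div></div>',
)

if __name__ == "__main__":
    print("foreign hosts in suspect copy:", foreign_hosts_after_body(SUSPECT_HTML, "superuser.com"))
    print("injected (suspect minus clean):", injected_hosts(SUSPECT_HTML, CLEAN_HTML))
```

Save the two copies with "View page source" (not from the Inspector, which shows the DOM after scripts have run) and pass them to `injected_hosts`. The single-copy heuristic `foreign_hosts_after_body` is only a first pass, since a site's own CDN is also third-party; the diff against a clean copy is what separates the router's contribution from the site's normal resources.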

I noticed about 2 days ago I was getting the exact same ads across multiple devices (laptop, Android smartphone and Nexus 7). When I clear all the browser caches and connect to a cellular network the ads stop, but once I connect to the Wi-Fi they come back.

I ended up switching the DNS server on all of my connections to Google's 8.8.8.8 and the ads stopped coming back on every device.

So either the router or the ISP's DNS server is compromised, is my best guess.

Edit: Same as How can I remove unwanted ads on top of sites?

What router are you using? – Martin Prikryl, Oct 29 '14 at 7:10

You've most likely got some spyware (very easy to accidentally download, but usually fairly easy to remove, if you know what to do).

You will need to download a more powerful uninstaller; the Windows uninstaller will not remove it.

Download IObit Uninstaller. Now you will have to go through every file (in IObit) and identify which programs you don't recognise or that seem 'fishy'; a quick Google search (if unsure) will reveal if it's malware.

You can also select batch uninstall (top right option in IObit), which lets you select multiple programs to uninstall - and of course, let it do a deep scan and remove everything it finds.

Thanks for your answer. Would that explain the issue happening on the iPhone and Debian? – Martin Prikryl, Oct 26 '14 at 21:24
No. If it is happening on your iPhone and Debian system, your router (specifically your router's DNS settings) may have been compromised. Perform a factory reset. And when you set it up again, SET A PASSWORD ON IT so that rogue software on your computer can't automatically reconfigure it. – Jeremy Visser, Oct 26 '14 at 21:26
@JeremyVisser But it's happening even if I disconnect the iPhone from Wi-Fi. – Martin Prikryl, Oct 26 '14 at 21:27
You don't need IObit software to remove something like this; the normal Add/Remove Programs will do exactly what IObit Uninstaller does, despite its claims otherwise. IObit is snake oil, don't trust it. – Ramhound, Oct 26 '14 at 21:27
@MartinPrikryl I'm not sure how it would have got onto your iPhone, except if you're logged in on all devices and using Chrome or something. But try the fix above (also on Chrome, install AdBlock and see if that solves the issue). If not, keep checking that you recognise ALL software on your PC, and if still no luck, install and run the (free version of) Malwarebytes; between the two, you will hopefully find the issue. – gudthing, Oct 26 '14 at 21:28

protected by Community Dec 3 '14 at 6:42
