So I was reading the news on my iPhone while visiting "Politifact", and these gems showed up:

Surprised, I tried it a second time and got it again. But it would not replicate a third time. So I smiled when I went home. At home, I grinned to see this show up on MacOS 10.13:

Clearing the cache on the iPhone got the images on the iPhone that I made snapshots of. Later, I went to the Politifact Facebook page and left a message with the screen shots. I suspect their revenue ad generator was hacked. Regardless, I also shared it with Apple so they can ignore it too.

For fun, I did a:

whois "subappbesttelephone.site"

Other domains exist on the IP 2400:cb00:2048:1::681b:86b6:

Website (SFW)
Subappbesttelephone.site
Affiliatedtm.com
Enmistresskvinder.xyz
Portable-anniegroup.tech
Avalulri.ru
Beaconhealthoptoins.com

I am amused.

Bob Wilson
At least it didn't tell you "iPhone user, you won a $500 Walmart gift card". Posted via the PriusChat mobile app.
No, this is not related to KRACK. I've seen these on various Android phones. Posted via the PriusChat mobile app.
This is one reason I still do most of my activity on a non-mobile device, with a browser that lets me turn off popups and advertising. Win10's Edge browser is completely unusable to me. It was hit with similar scams in less than one minute after first being opened the same day I set up this machine. Queries to Cortana that open up results in Edge are similarly hit within seconds. I'm being gypped! All the Walmart / Home Depot / Lowes / Costco / Sams Club / Amazon / Ebay / Walgreens / CVS / Target / Chase gift cards in the Quarantine folder of my legacy email are just $50, except for a rare $75. How did you qualify for more valuable scams?
There are Android browsers that have pop-up blockers. The Samsung browser works well on non-Samsung devices. Posted via the PriusChat mobile app.
On the iPhone there is a pop-up block setting under Settings -> Safari. No additional software needed. I think it is on by default.
The pop-up blocker is on but it looks like Politifact may be generating their own advertisement, pop-ups. Bob Wilson
Well, the mystery popup showed up again and I was able to get a screen shot with: go.pushnative.com/ck.php? ....

nslookup go.pushnative.com
Server:     69.1.30.42
Address:    69.1.30.42#53

Non-authoritative answer:
Name:   go.pushnative.com
Address: 188.42.162.170
Name:   go.pushnative.com
Address: 188.42.162.211
Name:   go.pushnative.com
Address: 188.42.162.146
Name:   go.pushnative.com
Address: 88.85.82.156
Name:   go.pushnative.com
Address: 188.42.162.246

traceroute -m 20 188.42.162.211
traceroute to 188.42.162.211 (188.42.162.211), 20 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  2.105 ms  1.099 ms  1.119 ms
 2  24.214.48.1 (24.214.48.1)  12.108 ms  11.678 ms  9.040 ms
 3  static-69-73-0-29.knology.net (69.73.0.29)  11.439 ms  10.444 ms  9.546 ms
 4  user-24-96-153-141.knology.net (24.96.153.141)  9.945 ms  10.492 ms  10.293 ms
 5  user-24-96-153-73.knology.net (24.96.153.73)  32.334 ms  28.955 ms
    user-24-96-2-4.knology.net (24.96.2.4)  10.231 ms
 6  dynamic-76-73-195-237.knology.net (76.73.195.237)  27.608 ms
    dynamic-75-76-35-14.knology.net (75.76.35.14)  28.408 ms
    dynamic-76-73-195-237.knology.net (76.73.195.237)  26.377 ms
 7  dynamic-75-76-35-11.knology.net (75.76.35.11)  28.254 ms
    76-73-165-85.knology.net (76.73.165.85)  40.570 ms
    dynamic-75-76-35-11.knology.net (75.76.35.11)  30.308 ms
 8  dynamic-75-76-35-2.knology.net (75.76.35.2)  39.873 ms  37.399 ms  38.526 ms
 9  dynamic-75-76-35-2.knology.net (75.76.35.2)  32.307 ms  31.152 ms
    xe-11-1-0.edge2.chicago2.level3.net (4.53.74.117)  38.528 ms
10  xe-11-1-0.edge2.chicago2.level3.net (4.53.74.117)  32.275 ms
    ip-transit.ear4.amsterdam1.level3.net (212.72.41.106)  126.463 ms
    ip-transit.ear4.amsterdam1.level3.net (212.72.41.102)  122.403 ms
11  ip-transit.ear4.amsterdam1.level3.net (212.72.41.118)  115.824 ms  *
    ip-transit.ear4.amsterdam1.level3.net (212.72.41.106)  122.925 ms

I wonder if the far side of 'ip-transit.ear4.amsterdam1.level3.net' is Eastern Europe or Russia.

Bob Wilson
Cool! I've got the iPhone web site: ASCII art!

nslookup mytechiebestdevwebs.site
Server:     69.1.30.42
Address:    69.1.30.42#53

Non-authoritative answer:
Name:   mytechiebestdevwebs.site
Address: 104.28.10.157
Name:   mytechiebestdevwebs.site
Address: 104.28.11.157

traceroute 104.28.10.157
traceroute to 104.28.10.157 (104.28.10.157), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  5.506 ms  3.421 ms  3.358 ms
 2  24.214.48.1 (24.214.48.1)  8.805 ms  6.737 ms  10.519 ms
 3  static-69-73-0-29.knology.net (69.73.0.29)  12.670 ms  13.395 ms  11.246 ms
 4  user-24-96-153-141.knology.net (24.96.153.141)  9.920 ms  12.596 ms  10.861 ms
 5  user-24-96-2-4.knology.net (24.96.2.4)  11.088 ms  11.470 ms
    user-24-96-153-133.knology.net (24.96.153.133)  18.311 ms
 6  static-216-186-189-254.knology.net (216.186.189.254)  17.511 ms  17.488 ms  17.262 ms
 7  dynamic-75-76-35-117.knology.net (75.76.35.117)  19.838 ms
    dynamic-75-76-35-112.knology.net (75.76.35.112)  17.753 ms  18.561 ms
 8  dynamic-75-76-35-115.knology.net (75.76.35.115)  17.933 ms
    user-75-76-127-174.knology.net (75.76.127.174)  19.310 ms
    dynamic-75-76-35-115.knology.net (75.76.35.115)  19.063 ms
 9  198.32.132.136 (198.32.132.136)  18.925 ms  18.985 ms  18.305 ms
10  104.28.10.157 (104.28.10.157)  17.271 ms  17.611 ms  18.455 ms

$ traceroute 104.28.11.157
traceroute to 104.28.11.157 (104.28.11.157), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  2.334 ms  1.015 ms  0.911 ms
 2  24.214.48.1 (24.214.48.1)  11.681 ms  8.965 ms  9.448 ms
 3  static-69-73-0-29.knology.net (69.73.0.29)  6.080 ms  22.186 ms  7.214 ms
 4  user-24-96-153-141.knology.net (24.96.153.141)  11.826 ms  10.892 ms  13.404 ms
 5  user-24-96-153-133.knology.net (24.96.153.133)  8.043 ms
    user-24-96-2-4.knology.net (24.96.2.4)  11.642 ms
    user-24-96-153-133.knology.net (24.96.153.133)  14.828 ms
 6  static-216-186-189-254.knology.net (216.186.189.254)  27.859 ms  27.173 ms  19.945 ms
 7  dynamic-75-76-35-117.knology.net (75.76.35.117)  20.606 ms  20.784 ms  17.890 ms
 8  user-75-76-127-174.knology.net (75.76.127.174)  22.129 ms
    dynamic-75-76-35-115.knology.net (75.76.35.115)  27.149 ms
    user-75-76-127-174.knology.net (75.76.127.174)  19.988 ms
 9  198.32.132.136 (198.32.132.136)  21.208 ms  19.189 ms  25.844 ms
10  104.28.11.157 (104.28.11.157)  21.675 ms  19.061 ms  18.852 ms

NetRange:       104.16.0.0 - 104.31.255.255
CIDR:           104.16.0.0/12
NetName:        CLOUDFLARENET
NetHandle:      NET-104-16-0-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS13335
Organization:   Cloudflare, Inc. (CLOUD14)
RegDate:        2014-03-28
Updated:        2017-02-17
Comment:        All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref:            https://whois.arin.net/rest/net/NET-104-16-0-0-1

Humm, USA based?

Bob Wilson
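The two lookups above resolve to very different places: go.pushnative.com to addresses routed through Amsterdam, mytechiebestdevwebs.site to addresses inside the 104.16.0.0/12 block that the ARIN record assigns to Cloudflare, which is a CDN front end rather than the operator's own server. The script below is an added example (not from the thread or any project it mentions) that parses nslookup output of the form pasted in these posts and reports whether each resolved address falls inside a registry-assigned block; the nslookup text is a constructed copy of the answers shown above, and the only block table it knows is the Cloudflare CIDR from the whois reply, so anything outside it is reported as "not in a known block", not as "hosted elsewhere".

```python
"""Check whether nslookup answers fall inside a registry-assigned address block.

Added example: it reproduces the thread's lookups offline and checks them
against the CIDR quoted from the ARIN whois reply.
"""
import ipaddress
import re

# Constructed copy of the nslookup answers pasted in the thread.
NSLOOKUP_OUTPUT = """\
Server:     69.1.30.42
Address:    69.1.30.42#53

Non-authoritative answer:
Name:   mytechiebestdevwebs.site
Address: 104.28.10.157
Name:   mytechiebestdevwebs.site
Address: 104.28.11.157
Name:   go.pushnative.com
Address: 188.42.162.170
Name:   go.pushnative.com
Address: 88.85.82.156
"""

# NetName -> CIDR, taken from the whois block in the post above.
KNOWN_BLOCKS = {
    "CLOUDFLARENET": ipaddress.ip_network("104.16.0.0/12"),
}


def parse_nslookup(text):
    """Return {hostname: [address, ...]} from the non-authoritative section.

    The resolver's own Server:/Address: header lines are skipped so the
    DNS server (69.1.30.42) is not mistaken for an answer.
    """
    answers = {}
    current = None
    in_answer = False
    for line in text.splitlines():
        if line.startswith("Non-authoritative answer"):
            in_answer = True
            continue
        if not in_answer:
            continue
        m = re.match(r"Name:\s+(\S+)", line)
        if m:
            current = m.group(1)
            answers.setdefault(current, [])
            continue
        m = re.match(r"Address:\s+(\S+)", line)
        if m and current is not None:
            answers[current].append(m.group(1))
    return answers


def classify(address, blocks=KNOWN_BLOCKS):
    """Name of the known block containing address, or None if it is in none."""
    ip = ipaddress.ip_address(address)
    for name, net in blocks.items():
        if ip in net:
            return name
    return None


def report(text, blocks=KNOWN_BLOCKS):
    """Map each hostname to {address: block-name-or-None}."""
    return {
        host: {addr: classify(addr, blocks) for addr in addrs}
        for host, addrs in parse_nslookup(text).items()
    }


if __name__ == "__main__":
    for host, addrs in report(NSLOOKUP_OUTPUT).items():
        for addr, block in addrs.items():
            print(f"{host:28} {addr:16} {block or 'not in a known block'}")
```

Because every address in 104.16.0.0/12 belongs to Cloudflare's edge, the "USA based?" question cannot be answered from the traceroute: the origin server sits behind the CDN and its location is not visible from the client side. The Cloudflare abuse URL in the whois record is the right place to report it.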
I block more than popups. On my PC, Firefox add-ons are also blocking most advertising (numerous readers here have previously and repeatedly been served up with malware riding within advertisements) and all non-essential partner sites that provide additional page content to the whole website industry. The latter seem to be a major part of the Big Data / Databroker industry that tracks, profiles, and pigeonholes every web user or consumer or homo sapiens they can find. But the last time I checked (admittedly not recently), the Android revision of FF's toolset gave me far less control. I'm still a relative neophyte at this, and know that I cannot hide from them without far more expertise. But the less personal and consumer and political information they can get, the better.
Speculation on my part, I wonder if this is a failing 'ransomware' effort? Now it gets to be fun. I've exported the malware URL: mytechiebestdevwebs.site (Without the payload, the URL delivers ASCII art.) The payload is ordinary 'command line' input:

36caad8a-3790-4fc7-abf7-6cec47e29b6f/308fdf5c-c4e6-4fcd-a6f3-31b7833a4aa4/?contype=CABLE&device=MOBILE&osversion=IOS%2011.0&os=IOS&browser=Mobile%20Safari&lang=&isp=Wideopenwest%20Finance%20Llc&country=US&city=Huntsville&useragent=Mozilla%2F5.0%20%28iPhone%3B%20CPU%20iPhone%20OS%2011_0_3%20like%20Mac%20OS%20X%29%20AppleWebKit%2F604.1.38%20%28KHTML%2C%20like%20Gecko%29%20Version%2F11.0%20Mobile%2F15A432%20Safari%2F604.1&ip=216.186.138.42&brand=Apple&model=iPhone&var1=1387806&var2=&var3=&var4=&var5=&var6=&var7=&var8=&var9=&var10=&var11=&var12=&var13=&var14=&var15=&var17=&var18=&var19=&var20=&cmid=44011b9e-1644-41fb-90c3-7cc65db63586&lanid=8832afa7-d19c-4cec-982f-031d2ca39018&voluumdata=deprecated&eda=deprecated&cep=laCvTHy8fold2dQpHynCSTA5npzh8GHGXeD4jMSB_I-JK5EvVJIsI8FPUFfyEPS4u2d49FEOmvKU2MjAT2IPd4o96GMCzCS0OujvcBtw91vi6sm-sg88MnYfoawTYTDmUvoouUxHpDK6BpxVD4ay4QqzgEvQ0hIRyiXWLhqdeIKKzoHvXGS3O7aztn0PrpTOdt_k20fVh3KA-3DcKpzRamKAPKNObqI00L4-aJjQJjI&siteid=1387806&subid=385928352272

Spreading out the payload arguments in a more human friendly form:

?contype=CABLE&
device=MOBILE&
osversion=IOS 11.0&
os=IOS&
browser=Mobile Safari&
lang=&
isp=Wideopenwest Finance Llc&
country=US&
city=Huntsville&
useragent=Mozilla/5.0 (iPhone; CPU iPhone OS 11_0_3 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A432 Safari/604.1&
ip=216.186.138.42&
brand=Apple&
model=iPhone&
var1=1387806&
var2=&var3=&var4=&var5=&var6=&var7=&var8=&var9=&var10=&var11=&
var12=&var13=&var14=&var15=&var17=&var18=&var19=&var20=&
cmid=44011b9e-1644-41fb-90c3-7cc65db63586&
lanid=8832afa7-d19c-4cec-982f-031d2ca39018&
voluumdata=deprecated&
eda=deprecated&
cep=laCvTHy8fold2dQpHynCSTA5npzh8GHGXeD4jMSB_I-JK5EvVJIsI8FPUFfyEPS4u2d49FEOmvKU2MjAT2IPd4o96GMCzCS0OujvcBtw91vi6sm-sg88MnYfoawTYTDmUvoouUxHpDK6BpxVD4ay4QqzgEvQ0hIRyiXWLhqdeIKKzoHvXGS3O7aztn0PrpTOdt_k20fVh3KA-3DcKpzRamKAPKNObqI00L4-aJjQJjI&
siteid=1387806&
subid=385928352272
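The hand-decoded parameter list above is exactly what a URL parser produces, and sorting the fields by what they disclose makes the point of the post clearer: the ad network is handed the visitor's public IP, ISP, city, device model and full user-agent before any "payload" is served. The script below is an added example, not code from the thread; it reassembles the posted URL (the http:// scheme is an assumption, since the post gives only the host and the path/query), percent-decodes the query with the standard library, groups each parameter into a disclosure category, and lists the tracking slots that were sent empty. The category names are my own labels, not anything the ad network documents.

```python
"""Decode an ad-network landing URL and sort its parameters by what they reveal.

Added example: reassembles the URL captured in the thread and decodes it
offline with urllib.parse.  Category labels are the example's own.
"""
from urllib.parse import parse_qsl, urlsplit

# The URL from the post, reassembled for offline use.  "http://" is assumed;
# the post shows only the hostname and the path/query "payload".
CAPTURED_URL = (
    "http://mytechiebestdevwebs.site/"
    "36caad8a-3790-4fc7-abf7-6cec47e29b6f/308fdf5c-c4e6-4fcd-a6f3-31b7833a4aa4/"
    "?contype=CABLE&device=MOBILE&osversion=IOS%2011.0&os=IOS"
    "&browser=Mobile%20Safari&lang=&isp=Wideopenwest%20Finance%20Llc"
    "&country=US&city=Huntsville"
    "&useragent=Mozilla%2F5.0%20%28iPhone%3B%20CPU%20iPhone%20OS%2011_0_3%20like"
    "%20Mac%20OS%20X%29%20AppleWebKit%2F604.1.38%20%28KHTML%2C%20like%20Gecko%29"
    "%20Version%2F11.0%20Mobile%2F15A432%20Safari%2F604.1"
    "&ip=216.186.138.42&brand=Apple&model=iPhone&var1=1387806&var2=&var3=&var4="
    "&var5=&var6=&var7=&var8=&var9=&var10=&var11=&var12=&var13=&var14=&var15="
    "&var17=&var18=&var19=&var20="
    "&cmid=44011b9e-1644-41fb-90c3-7cc65db63586"
    "&lanid=8832afa7-d19c-4cec-982f-031d2ca39018"
    "&voluumdata=deprecated&eda=deprecated"
    "&cep=laCvTHy8fold2dQpHynCSTA5npzh8GHGXeD4jMSB_I-JK5EvVJIsI8FPUFfyEPS4u2d49"
    "FEOmvKU2MjAT2IPd4o96GMCzCS0OujvcBtw91vi6sm-sg88MnYfoawTYTDmUvoouUxHpDK6Bpx"
    "VD4ay4QqzgEvQ0hIRyiXWLhqdeIKKzoHvXGS3O7aztn0PrpTOdt_k20fVh3KA-3DcKpzRamKAPK"
    "NObqI00L4-aJjQJjI&siteid=1387806&subid=385928352272"
)

# Disclosure categories (labels chosen for this example, not the network's own).
CATEGORIES = {
    "device": {"device", "osversion", "os", "browser", "useragent", "brand", "model"},
    "network": {"contype", "isp", "ip"},
    "location": {"country", "city"},
    "campaign": {"cmid", "lanid", "siteid", "subid", "cep", "voluumdata", "eda"},
}


def categorize(key):
    """Map a parameter name to a category; var1..var20 are affiliate slots."""
    if key.startswith("var") and key[3:].isdigit():
        return "campaign"
    for cat, keys in CATEGORIES.items():
        if key in keys:
            return cat
    return "other"


def decode_query(url):
    """Percent-decode the query string into an ordered list of (key, value)."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def summarize(url):
    """Group the non-empty parameters by disclosure category."""
    summary = {}
    for key, value in decode_query(url):
        if value:
            summary.setdefault(categorize(key), {})[key] = value
    return summary


def empty_params(url):
    """Parameter names that were sent with no value (unused tracking slots)."""
    return [key for key, value in decode_query(url) if not value]


if __name__ == "__main__":
    for cat, params in summarize(CAPTURED_URL).items():
        print(f"[{cat}]")
        for key, value in params.items():
            print(f"  {key} = {value}")
    print("sent empty:", ", ".join(empty_params(CAPTURED_URL)))
```

The "network" and "location" groups are the fields a page or its ad partner can derive from the connection alone, so blocking the popup after it appears does not prevent that disclosure; only not loading the third-party script in the first place (the ad-blocking approach discussed earlier in the thread) does.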
Strange 'facebook' response: Somehow I don't understand how a technical posting about a potentially compromised web site is considered a violation of "Community Standards." It sure has me scratching my head. Bob Wilson
If so, I haven't found it. So I sent private messages to a pair of my computer/network literate friends, a cousin and a former co-worker. They were the primary folks I wanted to share the 'heads up' with, as the rest of my clan are 'not so technical.' What pisses me off is I kinda liked hunting down the trojan. In years past, I would pursue SPAMMERs back to their source and try to get them shut down. I'm still thinking about putting a firewall block on the "go.pushnative.com" IP addresses and then 'teasing' them. Bob Wilson
Turns out Google has a page for reporting malware web sites. After filing my report, they identified http://www.stopbadware.org and searching their database shows "pushnative.com" is on their list. I am pleased, Bob Wilson