[Solved] Pernicious redirect when landing on news with Android Chrome

  • Thread starter Milouse
Hi,
I'm using an RSS reader on my phone (Android) that opens Chrome on the News page when I click a GTP headline.
For a while now, each time I do that, the page opens the RSS site (feedproxy, which is OK), which redirects to the GTP page. But at the end of the page load, my browser is redirected to a fake alert claiming my phone has a virus (screen capture below). That happens (almost) each time (edit: I can't reproduce it on each load, but each time I clicked a news item recently, I had it), and only with GTP.
Also, the fact that the GTP URL and page content are shown before the redirect leads me to think that the problem could actually be in the page served by GTP or the ad server.

[Screenshot: upload_2016-2-2_0-2-24.png]


Edit: I suspect this redirection uses a cookie in order to avoid triggering too often, like more than once per day.
 
I've definitely seen these on my phone before. I usually just exit, close the browser and restart it. Not sure what triggers them.
 
@Milouse, do you see that message even if you visit the site directly in the browser, or only when clicking through the RSS reader?
 
@Jordan, I don't think it happened on direct access, but I rarely access GTP from my phone other than by clicking an RSS link.

I found in my browser history the exact last URL that redirected the browser to the bad URL:
www.gtplanet.net/the-hunt-for-britains-first-supercar-is-on-community-bounty-hunter-returns-for-forza-motorsport-6/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+gtplanet+%28GTPlanet%29

I didn't find any valuable information in the resources loaded.

If you don't have a clue what causes this, I don't see what more you can do than me at this stage. I'll try to catch a redirect in debug mode if I can restrain myself from clicking an RSS header before plugging my phone into the PC ;)
 
That is quite unusual to have a redirect on mobile like that on this site, check what apps you may have installed or something
 
Hi, I didn't forget this matter.
Actually I was patiently waiting in the dark, ready to let the bad redirect reappear. I didn't access GTP news for a week. And on the first news header clicked, the magic thing happened again. But this time, I was recording all network activity (233 queries!) on the page:
The page redirect is sent to the browser by a PHP page asynchronously called by another page (located on rabincom.com), itself called by... a Google 300x250 AdSense block.

I didn't find anything specific to this particular redirect, but it looks a lot like the AdSense malvertising described a year ago here:
https://blog.sucuri.net/2015/01/adsense-abused-with-malvertising-campaign.html
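
Added example, not part of the original thread: one way to reconstruct the request chain described in the last post from a saved HAR capture, walking HTTP 3xx hops and Referer headers back from the unwanted landing URL to the page that was opened. The hosts and the capture are constructed placeholders; a redirect issued purely from script appears only through the Referer of the landing request, and a stripped Referer ends the chain early.

```python
def _referer(entry):
    """Return the Referer header of a HAR entry, or None if absent."""
    for h in entry["request"]["headers"]:
        if h["name"].lower() == "referer":
            return h["value"]
    return None

def request_chain(har, landing_url):
    """Walk back from landing_url to the first request with no known parent.

    A request's parent is the request whose 3xx response pointed at it
    (HAR response.redirectURL), otherwise the URL in its Referer header.
    """
    by_url, redirected_from = {}, {}
    for e in har["log"]["entries"]:
        by_url.setdefault(e["request"]["url"], e)
        target = e["response"].get("redirectURL")
        if target:
            redirected_from.setdefault(target, e["request"]["url"])
    chain, url = [], landing_url
    while url and url not in chain:          # 'not in chain' guards against loops
        chain.append(url)
        parent = redirected_from.get(url)
        if parent is None and url in by_url:
            parent = _referer(by_url[url])
        url = parent
    return chain[::-1]                       # top-level page first

def _entry(url, referer=None, status=200, redirect=""):
    """Build a minimal HAR entry (constructed sample data only)."""
    headers = [{"name": "Referer", "value": referer}] if referer else []
    return {"request": {"url": url, "headers": headers},
            "response": {"status": status, "redirectURL": redirect}}

# Constructed capture with placeholder hosts: article -> ad slot -> third-party
# frame -> PHP endpoint answering with a redirect to the fake alert page.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://news.example/article"),
    _entry("https://news.example/style.css", "https://news.example/article"),
    _entry("https://adnetwork.example/slot-300x250", "https://news.example/article"),
    _entry("https://thirdparty.example/frame.html", "https://adnetwork.example/slot-300x250"),
    _entry("https://thirdparty.example/r.php", "https://thirdparty.example/frame.html",
           302, "https://fake-alert.example/warning"),
    _entry("https://fake-alert.example/warning", "https://thirdparty.example/frame.html"),
]}}

if __name__ == "__main__":
    chain = request_chain(SAMPLE_HAR, "https://fake-alert.example/warning")
    for depth, url in enumerate(chain):
        print("  " * depth + url)
```

With a real capture, load the file with `json.load` and pass the URL of the unwanted page as `landing_url`; the first off-site host in the printed chain is the one to report to the site operator or ad network.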
 