I am randomly getting redirected to a page that looks very suspicious, especially the URL that sends the base64 encoded payload. It usually happens when I click a news link, usually a local news site. So I thought the news site was possibly compromised. Recently though, it happened when I clicked on an article on msn.com. So now I think may phone my be the problem. It is a Samsung Galaxy S5, fully updated.
I only copied the URL once, so I am not sure if it changes, but here is the one I captured (DON'T GO TO THIS):
data:text/html;base64,PCFET0NUWVBFIGh0bWw+PGh0bWw+PGhlYWQ+PG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgdXNlci1zY2FsYWJsZT1mYWxzZSwgaW5pdGlhbC1zY2FsZT0xLjAsIG1heGltdW0tc2NhbGU9MS4wIj48L2hlYWQ+PGJvZHk+PGRpdiBpZD0iaWZybSIgc3R5bGU9InBhZGRpbmc6MDsgbWFyZ2luOjA7Ij48aWZyYW1lIHNyYz0iaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL3d3dy5hb3RxNGpncXk5bjcxLmluZm8vVVMvd3Bld2VrazMzMDNsa2Vra2sxMWtrLmh0bWwiIHN0eWxlPSJ0b3A6MDsgbGVmdDowOyB3aWR0aDoxMDAlOyBoZWlnaHQ6MTAwJTsgcG9zaXRpb246IGFic29sdXRlOyBib3JkZXI6MCIgc2Nyb2xsaW5nPSJ5ZXMiIGFsbG93RnVsbFNjcmVlbj0ieWVzIj48L2lmcmFtZT48L2Rpdj48L2JvZHk+PC9odG1sPg==
I also captured 3 screenshots of the page:
- The initial popup
- The page behind the popup
- The page behind the popup, scrolled down
The last screenshot is updated in real time with fake posts.
Does anyone know what this is or how to get rid of it?