40

When I was reading a page on Wikipedia several months ago (December 2014) I saw what looked like a pop-up window from BT, but I soon realized that when I closed the page the pop-up disappeared. I then opened Firebug and inspected the box and saw that it was actually part of the webpage itself and that clicking its confirmation button would take me somewhere I didn't want to go. It was very cleverly disguised to look real.

I've never before seen anything like this. Is this the only case or has this been known to happen? I've provided a screenshot to show what it looked like:

A screenshot I took at the time.

Peter Mortensen
Alexander Kalian
  • I'm pretty sure wikipedia sanitizes any attempt to embed javascript. You can also check the edit log of the page https://en.wikipedia.org/w/index.php?title=Cicada_3301&action=history -- which leads me to believe you had some malware on your system. – David Zech Aug 13 '15 at 17:42
  • Yes it is strange. The edit log of wikipedia doesn't have any record of it but I always wondered why malware on my system would choose to show me a devious pop-up embedded into a wikipedia webpage and not just independently on my computer like how any normal pop-up would. The very nature of it suggests it was malware outside my machine but then who knows? I guess malware is devious. – Alexander Kalian Aug 13 '15 at 17:52
  • Okay it seems Rory is right; it's probably just some aggressive advertising from BT. No malware hopefully. The question still remains if any computer criminal would actually try to infect people like this. – Alexander Kalian Aug 13 '15 at 18:01
  • What? No. [That sounds insane. I can't believe something like that would happen in this day and age. There is no precedent for putting executable scripts in public webpages that the original server had not intended to serve.](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)) – Parthian Shot Aug 13 '15 at 23:01
  • ...But yeah. Attackers use XSS and MITMing HTTP connections all the time to inject content like that. Maybe not on Wikipedia, specifically, but certainly plenty of other places. Because (and I'm being very generous with this number) 99% of web developers are incompetent, and the 1% who aren't get tired, sometimes. – Parthian Shot Aug 13 '15 at 23:07
  • You raise a fair point. By the end of the day if it were really malware I saw it would merely count as cross site scripting, no matter how weird the prospect of a fake BT pop-up on wikipedia may seem. – Alexander Kalian Aug 13 '15 at 23:08
  • _why malware on my system would choose to show me a devious pop-up embedded into a wikipedia webpage and not just independently on my computer like how any normal pop-up would._ One possibility that IMO makes sense is: in order to look more legitimate by appearing as part of a well respected website like Wikipedia. Just a guess though. – SantiBailors Aug 14 '15 at 07:56
  • @ParthianShot _99% of web developers are incompetent_ Way too extreme and unrealistic. You are leaving out the significant amount of web developers who aren't given the chance of doing a proper job by their employers, who normally prefer developers who "deliver" fast over developers who deliver safe. If a developer or tech leader or such delivers web applications that the bad guys don't manage to break, many bosses wouldn't understand what a success that is, because they don't see a sales increase or costs decrease in that. Safety isn't perceived as more money and that's why we don't have it. – SantiBailors Aug 14 '15 at 08:18
  • ATTENTION AMERICANS: BT is our Comcast. – Alec Teal Aug 16 '15 at 14:57
  • @SantiBailors Well, maybe. But the most common attack vector is SQLi. How long does it take to switch catenation into a prepared statement? 30 seconds? 35? – Parthian Shot Aug 18 '15 at 15:24
  • @ParthianShot Good point on SQL injection (although 30" is unrealistic too) and I agree that the missing use of PSs is usually due to incompetence. But SQLi is only one of many possible attacks and one of the few ones requiring so little effort to reasonably protect from. Also, in a team that doesn't sanitize input nor use PSs despite knowing the problem (surprisingly common situation) the new guy will often _and understandably_ just go with the flow, instead of pointing out the risk and so being perceived as negative or not-a-doer or lacking a can-do attitude or other such HR rhetoric nonsense. – SantiBailors Aug 19 '15 at 08:38
  • @SantiBailors Well, the first time it takes about 5 minutes, I'll admit. Because you'd need to look up the documentation. After that, every subsequent query would take way less time; depending on the number of parameters, I'd clock the additional overhead at about 30 seconds each time. I suppose it also depends on your threshold for "incompetent", and on the sheer lack of knowledge you've run across on the internet. Like, for example, [this guy](http://www.thegeekstuff.com/2009/05/15-advanced-postgresql-commands-with-examples/) who unironically referred to EXPLAIN as "advanced". – Parthian Shot Aug 19 '15 at 18:22

4 Answers

44

Assuming that you are coming from a BT connection, it's possible that this is part of the BT parental controls program.

There is a discussion of a similar looking pop-up here, which seems to tie into what you're seeing, and also a thread here on the BT site which has a link to a process to turn off that setting.

To test this theory you could log into your account and opt out of parental controls. I wouldn't advise doing it from any link presented in the pop-up in case it is malicious though.

Once you've done that try accessing the same page to see if the issue re-occurs.

Another way to test it would be to access the site over HTTPS as then they shouldn't be able to inject any content unless they've installed a trusted root certificate in your browser, for which you would have needed to install BT software on the affected system.

As to your original questions about criminals injecting content into legitimate websites, this is a common vector of attack, either via compromise of the website (e.g. through exploitation of outdated software) or via content injected into the site such as adverts (this is common enough to have its own Wikipedia definition, "malvertising").

As to whether it could happen to Wikipedia, I'm not aware of that occurring, and with Wikipedia being such a well trafficked site, I'd expect it to be a large target.

JDługosz
Rory McCune
  • You have been smart to read the content of the pop-up :) –  Aug 13 '15 at 17:59
  • @begueradj that and I know that BT have a reputation for this kind of behaviour :) – Rory McCune Aug 13 '15 at 18:00
  • Ah so it's some aggressive advertising from BT. Yes I did use a BT connection and I'm somehow not surprised that they did this. Although it's a lot less likely now, the question still remains if any computer criminal would actually do something like this to mislead someone into getting infected. – Alexander Kalian Aug 13 '15 at 18:04
  • @Alex: well, if BT believe that it will cause people to install software, who are criminals to disagree? ;-) – Steve Jessop Aug 13 '15 at 19:55
  • BT definitely inject stuff into http until you make a decision on this. But when you tell them to get lost (even if you want parental censorship tools theirs are rubbish and you have little control over them) it goes away for good. In the meantime installing [https everywhere from the EFF](https://www.eff.org/Https-Everywhere) will suppress the message on many sites, while protecting your data in transit. – Chris H Aug 14 '15 at 09:11
  • @ChrisH it certainly does not go away for good. I've had this popup come back 4 or 5 times over the last year (and not go away till you remake the choice). It breaks non interactive html fetches. This kind of meddling with people's data is completely unacceptable and technically illegal. Then uk.gov wonder why everyone is turning on encryption. – JamesRyan Aug 14 '15 at 11:40
  • A bit off-topic but if you're looking for an ISP in the UK that doesn't get up to this kind of nonsense, I'd recommend Andrews and Arnold (I have no affiliation with them beyond being a satisfied customer), they're not necessarily the cheapest but good service and none of this kind of thing. – Rory McCune Aug 14 '15 at 12:26
  • @JamesRyan, that's odd. I've never seen it since I logged in and told them I don't want that rubbish. Having not seen it I can't test, but I'm assuming it's not noscript stopping it at my end, or adblockplus, as we do have a machine with neither and that doesn't show it. – Chris H Aug 14 '15 at 12:43
  • Not just for Parental Controls. Verizon, Comcast and other ISPs in the US have been known to inject html at times over their connections, as well as essentially breaking dns by forwarding to their search page. – cde Aug 14 '15 at 18:03
  • AAISP are well worth any extra cost! – Michael Hampton Aug 15 '15 at 18:46
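The answer above suggests loading the page over HTTPS as a check, because an intermediary cannot rewrite the TLS-protected copy. As an added example (not code from the thread), this script makes that check mechanical: it compares the script/iframe/form/link references in a plain-HTTP copy of a page against the HTTPS copy and reports what appears only over HTTP. The two page bodies and the host `notice.example-isp.invalid` are constructed samples.

```python
"""Differential check for content injected into plain-HTTP pages.
Added example, not from the thread above: compare the same page fetched over
HTTP and over HTTPS and report script/iframe/form/link references that appear
only in the HTTP copy. Both page bodies below are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that can pull in active content, and the attribute carrying the URL.
WATCHED = {"script": "src", "iframe": "src", "form": "action", "link": "href"}

class _RefCollector(HTMLParser):
    """Collect (tag, origin) pairs for the watched tags."""
    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED:
            return
        value = dict(attrs).get(WATCHED[tag])
        if value is None:          # inline <script> etc.: nothing to compare
            return
        parts = urlsplit(value)
        origin = f"{parts.scheme or 'relative'}://{parts.netloc or 'same-host'}"
        self.refs.add((tag, origin))

def collect_refs(html):
    parser = _RefCollector()
    parser.feed(html)
    return parser.refs

def injected_only_in_http(http_body, https_body):
    """Return sorted (tag, origin) pairs seen over HTTP but not over HTTPS."""
    return sorted(collect_refs(http_body) - collect_refs(https_body))

# Constructed samples: identical article, but the HTTP copy carries an extra
# overlay script and iframe from a placeholder ISP host.
HTTPS_PAGE = ('<html><head><link href="/static/site.css">'
              '<script src="/static/app.js"></script></head>'
              '<body><h1>Article</h1><p>Body text.</p></body></html>')
HTTP_PAGE = HTTPS_PAGE.replace(
    "</body>",
    '<script src="http://notice.example-isp.invalid/overlay.js"></script>'
    '<iframe src="http://notice.example-isp.invalid/choose"></iframe></body>')

if __name__ == "__main__":
    for tag, origin in injected_only_in_http(HTTP_PAGE, HTTPS_PAGE):
        print(f"only over HTTP: <{tag}> from {origin}")
```

Against real responses, a non-empty result names the origin doing the injecting; a reference that differs only by origin between the two copies is also worth a look.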
12

Wikipedia and big popular sites are mostly safe, as any security holes are found quickly, usually long before the site gets its momentum.

Smaller blogs/forums which allow user content are more vulnerable. I used to visit a Russian tech blog several years ago, and the posting form allowed some HTML formatting. Someone managed to include JavaScript code from the upvote button into the post (so that everyone opening the post would automatically upvote it) and posted a Black Overlord picture on the main page. The following day the blog was fixed with improved post sanitizing, but hundreds of people had executed the malicious JavaScript code before that happened. Replace the upvote code with an XSS script which steals passwords, and you will see how dangerous it could have been.

If you're forced to use an HTTP proxy to access the web, your provider or employer may inject scripts into just about any page. These are usually not malicious, but they can be quite annoying. Also, if your provider gets hacked, you may be exposed to whatever scripts the hackers put in place.

Peter Mortensen
Dmitry Grigoryev
2

I've never before seen anything like this. Is this the only case or has this been known to happen?

The scenario you experienced could be innocuous, as highlighted in @RoryMcCune's answer, but it could also be a nefarious attempt/attack. Let me explain this last scenario.

There is one interesting scenario about your question: as @RoryMcCune said, what you witnessed is quite frequent, so an attacker could impersonate that pop-up. I mean, an attacker who succeeds in compromising a given website can craft a pop-up similar to that one, since it is widespread and trusted.

This impersonation can serve two purposes:

  1. Clickjacking attacks
  2. Drive-by download attacks

The worst aspect of this negative scenario is that drive-by download attacks consist of downloading malware onto your machine/phone without your consent (even though spyware and malware are more commonly delivered with this method). There are two ways this could be triggered: without any interaction, I mean by just visiting a website, or by requiring the user's interaction via, for instance, clicking to confirm, cancel or exit a pop-up message (as in your case). These attacks exploit vulnerabilities in the browsers you use or their plugins.

Did drive-by download attacks happen on some famous websites, as you asked? Yes. Let me mention one good example: in 2011, an attack exploited the Java browser plugin to infect thousands of victims who visited Amnesty International's UK homepage.

Your scenario could also be a clickjacking attack, in which the victim is tricked into clicking on some online content that is intended either for advertisement or, in the worst case, to steal sensitive/private information from you or even compromise your machine using a drive-by download attack as a complementary method. Such attacks frequently target social networks such as Facebook and Twitter.

2

A mature wiki software like Wikimedia usually does not allow normal users to embed any scripts in wiki articles.

But still, wikis are prime targets for search engine spammers. The structure of wikis is very search-engine friendly, which means that wikis often get quite a lot of page rank, which in turn extends to any websites linked from them. Also, anything posted to them will live forever in the edit history of the page, even when reverted... if it even gets reverted - there are countless dead wikis on the web which were created, got filled with lots of useful and relevant content, were linked by all kinds of 3rd party websites, got indexed by search engines and were then forgotten by users and admins but never taken offline. Such wikis make great link farms.

As a result any wiki with just a bit of exposure will soon be haunted by bots which post spam to the wiki, either in form of new articles or in form of adding irrelevant links to existing articles.

People who have no ethical problems with using this form of destructive black-hat SEO often have no qualms about spreading malware either, so the websites they try to promote can often be unsafe to visit.

Bottom line: Browsing a spambot-infested wiki is usually safe (though not necessarily useful), but blindly following any offsite links from a wiki is not.

Philipp