2 Intern • 5.8K Posts • 17.3K Points

May 28th, 2017 11:00

news.google hacked?

For the second weekend in a row, I'm noticing that news.google.com has multiple news items under the Health section that redirect me to a shop.medcom(dot)top website, that MBAM is blocking as Malicious. This is not specific to any browser. The items purport to be from Utah Political Capitol, a legitimate news website (last week it was a different Canadian news site, also legit).

News.google is obviously tailored to my geographic location, as it delivers local news stories. Just wondering if others are also seeing this.

5 Journeyman • 15.6K Posts • 45K Points

May 28th, 2017 12:00

Confirming that if I attempt to access shop.medcom(dot)top, it is being blocked by MBAM's malicious website protection.

I had an experience several weeks ago, when MBAM was repeatedly blocking legitimate sites that tried, in part, to access img.ed4(dot)net. I believe the explanation then was that images displayed under this overall URL could be good or bad (malicious)... so MBAM made the preventative/cautious decision of blocking them all [i.e., even the good ones]. Since I trusted the particular sites that sent me there, I gambled that I could risk telling MBAM to ignore it. Given that sites can be hacked with drive-by malware, I realize this decision may come back to haunt me some day. But to the best of my knowledge, nothing bad has happened to me... so far.

2 Intern • 5.8K Posts • 17.3K Points

May 28th, 2017 14:00

Thanks ky.

I wasn't so much interested in the website I was redirected to. It appears that the ".top" domain is mostly used by Chinese advertisers. But I can't recall news.google items redirecting from legit websites before, and I've been monitoring this news portal for a couple of years.

As the screenshot below shows, the title and the underlying garbled English text are a clue that all is not well with the link:

5 Journeyman • 15.6K Posts • 45K Points

May 28th, 2017 14:00

I'll also mention one other possibility:

A few years ago, I "discovered" that HTTP version 1.1 allows multiple distinct websites to share a single IP address! That's because IPv4 doesn't offer enough combinations to adequately separate all possible websites. So, as a phony example, you(dot)me and me(dot)you might both resolve to the same 4 "digit" IP address.

As a consequence, if MBAM [or any other anti-malware detector] uses IP-address-based filtering, and if any ONE of the websites that share an IP address needs to be blocked, then ALL of them get blocked in the process. I encountered this under avast, when trying to access a legitimate charitable foundation which unfortunately had its IP address resolve into one shared by a blocked PayPal phishing site. I reported this to avast, which was then able to modify their detection mechanism to focus on the actual URL rather than the (common) IP address.

What happens in this case is that when the common IP address receives a request to access the shared value, each website sends additional tags/header information to distinguish it from the co-requesters, so that you are sent to the correct (sub-)site... unless the entire IP address is blocked.
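The post above describes the side effect of blocking by IP address when several sites share one address. The mechanism behind that sharing is HTTP/1.1 name-based virtual hosting: the client puts the hostname it wants in the `Host` request header, and the server uses that header to pick which site answers. The script below is an added example, not code from the forum post or from MBAM or avast, that contrasts the two filtering approaches on a constructed setup: a made-up DNS table in which two hostnames resolve to one IPv4 address, a blocklist containing only one of them, and a small parser for the `Host` header. All hostnames, addresses and the blocklist are constructed placeholders.

```python
"""Added example: IP-based vs. hostname-based blocking under shared hosting.

Every hostname, IPv4 address and blocklist entry here is constructed for
illustration; none refers to a real site.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed resolver view. charity.example and phish.example share an
# address, as they would under name-based virtual hosting.
DNS: Dict[str, str] = {
    "charity.example": "203.0.113.10",
    "phish.example": "203.0.113.10",   # the only host that should be blocked
    "news.example": "203.0.113.20",
}

# Constructed blocklist keyed by hostname, as a URL-focused filter would keep it.
BLOCKED_HOSTS = {"phish.example"}

# Matches the Host header at the start of a line; HTTP header names are
# case-insensitive, so the flag matters.
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)


def resolve(name: str) -> str:
    """Look the name up in the constructed DNS table."""
    return DNS[name]


def blocked_ips() -> set:
    """What an IP-based filter derives from the blocklist: the resolved addresses."""
    return {resolve(h) for h in BLOCKED_HOSTS}


def host_from_request(raw: bytes) -> Optional[str]:
    """Return the lowercase hostname from an HTTP/1.1 request's Host header,
    without any :port suffix, or None when the header is absent."""
    head = raw.split(b"\r\n\r\n", 1)[0]          # headers only, ignore the body
    m = HOST_RE.search(head)
    if m is None:
        return None
    host = m.group(1).strip().decode("ascii", "replace").lower()
    if host.startswith("["):                     # bracketed IPv6 literal, e.g. [::1]:8080
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]             # drop :port on a name or IPv4 literal
    return host or None


def ip_filter_verdict(name: str) -> str:
    """Coarse filter: block if the name resolves to any blocked address."""
    return "block" if resolve(name) in blocked_ips() else "allow"


def host_filter_verdict(raw_request: bytes) -> str:
    """Fine filter: block only the hostname the client actually asked for.
    HTTP/1.1 requires a Host header, so a request without one is refused."""
    host = host_from_request(raw_request)
    if host is None:
        return "block"
    return "block" if host in BLOCKED_HOSTS else "allow"


def build_request(host: str) -> bytes:
    """Minimal HTTP/1.1 GET for the given host (constructed client request)."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: example\r\n\r\n".encode()


def compare() -> Dict[str, Tuple[str, str]]:
    """For every known host: (IP-based verdict, hostname-based verdict)."""
    return {
        name: (ip_filter_verdict(name), host_filter_verdict(build_request(name)))
        for name in DNS
    }


if __name__ == "__main__":
    for name, (by_ip, by_host) in compare().items():
        print(f"{name:18} ip-filter={by_ip:5} host-filter={by_host}")
```

Running it shows the collateral damage the post describes: the IP-based filter blocks `charity.example` merely because it shares an address with `phish.example`, while the hostname-based filter blocks only the listed name. The same distinction applies to TLS, where the client sends the hostname in the Server Name Indication extension before any HTTP header is exchanged.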
