Targeted malware disguised as site functions: a warning

[Vindekarr]

There's a couple of very malicious ads going around on the Nexus sites at the moment. They're almost perfect copies of the Download button, and placed in the adbox; they appear to contain viruses, and are designed specifically to look like Nexus features and buttons.

 

Examples of text include "Download the manager now" "Download file" and "Download the manager" All are clones of the actual Nexus site buttons, and while I haven't had a chance to scan them, they link to a pretty shady part of the internet. Might want to take action on this; they won't fool a veteran but since they're five times bigger than the actual buttons, I dare say a lot of newbies will probably fall for them.

[JimboUK]

Those ads might not be showing for everyone including staff, it would be worth getting a screenshot of them and any other info you can get.

[Werne]

Likely regional, I disabled adblock and I don't see nothing except Croatian ads and some online SSD storage stuff. Only one penis enlargement ad though, I was pleasantly surprised.

 

I do get the following page popping out in a new tab occasionally when the Skyrim Nexus frontpage opens, link as code in the spoiler.

 

 

http://www.medicaladviceglobal.com/

 

 

No risk of infection in my case though, viewed it on Debian with fallback root partition mounted in read-only mode and user data isolated on isolated partition which wipes itself clean after use, no root access available. Yeah, I'm paranoid.

 

This thread addresses the tab ad stuff, different sites than I ran into though.

[Dark0ne]

I've seen a few of these and I attempt to block them whenever I can.

 

RE: the pop-up, thats definitely not good. I have responded in the other thread.

[Cougarshamn]

I too am having pop-ups suggesting I need to update java, or my browser, that occur only at this site. part of that is probably that this is one of the few sites I disable adblock at.

[TheBlank31]

I am also having trouble viewng this website without invasive pop up ads and intrusion attempts (some blocked, some successful). I just had to resort to a full reformat due to viruses filling my java installation. I only complete my re-installation today, and upon viewing this site, NOD32 immediately started alerting me to the same links being blocked all over again.

 

This is what NOD32 is blocking (it's blocked 3 more since I started writing this post):

 

2/19/2014 5:55:50 PM h ttp://cdn.adnxs.com/p/ec/80/f7/c8/ec80f7c84d6f1562fd01be590935b738.swf?clickTag=h ttp://nym1.ib.adnxs.com/click?AAAAAAAAAAAAAAAAAAAAAB1aZDvfT-E_AAAAAAAAAAAAAAAAAAAAAMbJOH7wr1dtK4RS2HO81R9oNgVTAAAAAD4UIQDOAgAAdgIAAAIAAACW86wACVcFAAAAAQBVU0QAVVNEACwB-gDBbAAAIaUAAQUCAQIAAIwA4Bbi2QAAAAA./cnd=!LwaXPAjwrb0BEJbnswUYia4VIAI./referrer=nexusmods.com/clickenc=h ttp://www.onlineapplicationsdownloads.com/flv-player/adbr/mara/?chnl=adbr_2167870&SSPDATA=nym1CKuIysK9ju_qHxACGMaT4_GH_uurbSIMNjguODEuNDIuMTg2KAEw6OyUmAU. Blocked by PUA blacklist C:\Program Files (x86)\Mozilla Firefox\firefox.exe

 

Please do something about this. I'm about to run another virus scan to see if anything has made it onto my system... again.

 

EDIT: I broke the link just in case someone clicked on it.

Edited February 19, 2014 by TheBlank31

[Elaura]

This is still happening. I got it by pressing the right arrow key while looking at the pictures for either Epic Elves or Beautiful Elves (Skyrim). I can't remember which. I've gotten this "warning" before but I wasn't paying attention to what I was doing and shut down immediately thinking it was malware on my computer. I did a scan and it wasn't on my box.

 

I got the "this site needs Java, you should update" version. On IE 11, it isn't just a pop-up, it took over the page completely.

[KingShrykull]

I've been getting the same "Update Java" problem mentioned by Elaura since last night. It's preventing me from using the site completely, as it pops up the moment I visit the home page!!

 

I'm not sure what's doing this, since I have pop-up blockers enabled. Luckily AVG has been protecting me from the "JS/FakeCodec" threat that appears, but I basically can't use Skyrim Nexus until this is solved (I'm not sure which side this problem is happening on, so I don't want to jump to conclusions).

 

Edit: I'm using Internet Explorer 11, but I also tried this on Firefox as well. The only difference being that I don't get a "JS/FakeCodec" warning on Firefox. It just goes straight to the Java "Update" page. >_>

Edited August 17, 2014 by KingShrykull

[Zerinth]

I've been getting the same "Update Java" problem mentioned by Elaura since last night. It's preventing me from using the site completely, as it pops up the moment I visit the home page!!

 

I'm not sure what's doing this, since I have pop-up blockers enabled. Luckily AVG has been protecting me from the "JS/FakeCodec" threat that appears, but I basically can't use Skyrim Nexus until this is solved (I'm not sure which side this problem is happening on, so I don't want to jump to conclusions).

 

Edit: I'm using Internet Explorer 11, but I also tried this on Firefox as well. The only difference being that I don't get a "JS/FakeCodec" warning on Firefox. It just goes straight to the Java "Update" page. >_>

 

Also getting this. Im using Chrome.. I get redirects to a fake java update page. I have done a Norton av scan, Malwarebytes scan, and HitmanPro antimalware scan. All found nothing. But would they find it if it was in a skyrim mod i downloaded? Anyway here is some pics

 

http://i288.photobucket.com/albums/ll185/SurfDude_2008/virusonnexusmods1.png

 

http://i288.photobucket.com/albums/ll185/SurfDude_2008/javadodgytest.png

 

Notice the download Java url there ^^^^^^^^^^^^^^^^

 

 

 

i already have the latest Java i think verified on their home page

 

http://i288.photobucket.com/albums/ll185/SurfDude_2008/javachecktest.png

Edited August 17, 2014 by Zerinth

[Thandal]

This malware is not being delivered by the Nexus, but the ADVERTISEMENT (and link) for it is being placed on our sites by a 3rd-party that handles the adverts on the Nexus. Dark0ne has already contacted them to terminate the relationship and is engaging a different firm for this purpose.