The Safe Mac

Follow The Safe Mac on Twitter to stay advised of the latest Mac security news!


Eliminating browser redirects and advertisements

Posted on December 6th, 2012 at 9:53 PM EDT

info

Windows users have been plagued for years by malware and junkware that causes their web browsers to redirect to undesired pages, advertisements to be injected in web pages, changes to the home page and search engine settings and other undesirable behaviors. Unfortunately, this is now spreading into the Mac world. Reports of these kinds of issues are becoming increasingly common, and confused users don’t know how to handle it. (I hear a lot of comments like, “I Googled it, but all the instructions were for Windows users!”) So what is a Mac user supposed to do when faced with such problems?

First, it’s important to understand the root cause of such problems. Most of the time, when being redirected to sites like Findgala, tracking999 or Gossip Center (just to name a few I’ve seen recently), users will try to Google the symptoms and will find multitudes of references to “viruses.” However, these things are rarely caused by malware of any kind in reality. What they typically are, in the Windows world, are junk software installed surreptitiously by some other junk software. For example, it may be a browser toolbar installed by a video game. It could also be adware injected into the installer by an unethical host, such as CNET’s Download.com.

There can also be other causes. Sometimes, free wifi networks will inject code into every site you visit. That code typically inserts advertisements into the pages, and when clicked they generate revenue for whoever is providing that network. The ethics of this behavior tend to be a bit murky… after all, the wifi network must be paid for somehow, and if the choice is between no network at all or one that injects ads, many people are likely to choose the ads. Still, there’s a bit of a dishonest feel to someone furtively changing the code of pages that you’re loading in your web browser!

Other times, sites themselves may be hacked to contain ads that they normally would not contain or to redirect to other sites, domain name servers can be hacked to redirect legit sites to phishing sites, settings of wireless routers can be changed to send you where the hacker wants you to go, etc. It could even possibly be malware, although that is very unlikely on a Mac at the time of this writing.

To solve these sorts of problems, one first needs to isolate the cause. There are three tests that will need to be done:

  1. Test multiple devices on the same network as the affected machine. (These devices need not all be the same. Mac, Windows, iOS, Android, all will work for this test. Just be positive they are actually connected to the same network as the affected device, and are not using some other network, like a cellular data connection!) Do all devices show the same behavior?
  2. Test the affected machine on multiple unrelated networks. (For example, take your computer to a neighborhood coffee shop, library or other location offering free wifi, or try a work machine on your home network or a home machine at work.) Does the problem happen on all networks?
  3. Test multiple web sites on every affected network and device. Do the problems happen only with one or more specific sites?

Your answers to these questions will determine what the possible causes of your problems are. In the table to the left of each paragraph below, a ‘Y’ means that particular question was answered with a “yes,” an ‘N’ means “no” and a question mark (‘?’) means that either answer is applicable.

Q1 ?
Q2 ?
Q3 Y

If you are having problems with only one site, or a small selection of sites, but not with most sites, this often means that the sites in question have been hacked. It is common for hackers to use a variety of techniques to insert malicious code into legitimate web sites. If you answered “yes” to both questions 1 and 2, it’s extremely likely that those sites were hacked. However, if you said “no” to either or both of the other questions, it could also be something else, related to your network or your computer, that is causing symptoms to only appear on specific sites.

Q1 Y
Q2 Y
Q3 ?

If all devices are exhibiting the same behavior, on all networks you have tried, with all web sites, there’s only one reasonable explanation (barring coincidental issues on multiple devices): a large-scale issue with the internet service provider that handles the service for all the networks in question. (If you only see the problem with a few specific web sites, this could still be a cause of the problem, but the problem could also be caused by the sites being hacked, as described in the previous paragraph.) One possibility is that a domain name server (DNS) being used by all those networks has been “poisoned.” Try changing your DNS server settings, as described below in the Domain name server issues section. If that doesn’t work, you need to report the issue to your internet service provider.

Q1 Y
Q2 N
Q3 ?

If all devices have the problem, but only on one specific network, then the problem is related to a problem with that network. This could also be a DNS poisoning issue, which would again be fixed by changing your DNS server settings (see Domain name server issues). However, it could also be an issue with the wireless router managing the network. See Wireless router issues for how to approach that problem. It could also simply be a perfectly normal effect of using a free wireless network. You can complain to the owner of that network, though there are no guarantees that doing so will have positive results.

Q1 N
Q2 Y
Q3 ?

If the problem only affects your Mac, and affects it on all networks you try, then the problem has to be with your Mac itself. The most likely possibility is that you have some kind of junk software installed that is causing the problem (see Adware issues). You could also simply be suffering from modern browsers’ tendency to re-load all pages that were open when you quit (see Last session issues). It’s also possible that the issue is caused by the DNS server settings on your computer, so you can try changing those settings (see Domain name server issues). Very unlikely, though still possible, is that something has screwed up your hosts file settings (see Hosts file issues). Both of the latter would cause redirects only, not ads being injected into legit pages.

Adware issues

If the tests indicate that the problem is isolated to your computer, one increasingly likely possibility is that you have adware installed. To solve these kinds of issues, see my Adware Removal Guide.

Last session issues

Many modern browsers will remember the pages you had open from the “last session” (ie, the last time you had your browser running before quitting the browser). Try turning this feature off. In Safari, open the preferences and click the General icon, then set the “Safari opens with” setting to “A new window.” In Chrome’s preferences, click the Settings link and change the “On startup” option to “Open the New Tab page”. In Firefox’s preferences, click the General icon and set the “When FireFox starts” item to “Show a blank page.”

If your browser was set to use a specific home page, rather than to re-open windows from the last session, then it’s possible that the page you have selected as your home page has been hacked (or contains an ad that has been hacked) to redirect you to another site. Try visiting your home page manually, and if that causes a redirect to occur, the problem is with that site.

Domain name server issues

Domain name servers (DNS) are what map human-readable site names into IP addresses, which are required for connecting to any server on the internet. For example, a DNS lookup will tell your computer that “www.reedcorner.net” is mapped to the IP address 216.92.72.106. However, if a hacker compromises the DNS server being used by your network, he can cause that DNS server to return a different IP address for “www.reedcorner.net,” which would send you to a different site than you should end up on. This is called “DNS poisoning,” and it’s typically caused by phishing attempts by hackers who want to redirect users from financial sites (bank sites, Amazon, PayPal, etc) to malicious sites designed to intercept login credentials.

This can be fixed by changing your DNS server settings, either for your computer or for your entire wireless network (by changing the settings in the wireless router). Rather than using the server provided by your internet service provider, try changing to the OpenDNS DNS servers or the Google DNS servers. (See those links for complete instructions for changing your settings.)

Wireless router issues

If someone has enabled remote administration, meaning that the router settings can be changed from anywhere remotely, and if the router’s password is left at its default setting, it is possible that a hacker anywhere in the world could change those settings for malicious reasons. If this is your home network, try resetting the router to factory defaults and set up your network again from scratch. Make sure NOT to enable remote administration, and change your router’s administrative password to something that nobody will be able to guess. (Note that this is entirely different from the password required to access your wireless network, and should be a different password!) See the manual for your wireless router for instructions.

It is also possible that someone local, with access to your wireless network, may have changed the settings. This is especially likely if you are using an unprotected wireless network (ie, no password is required to join the network) and you have not changed your router settings from their defaults. Again, the fix would be resetting the router and making sure that you change the admin password. However, in such a case, you should also make sure to secure the network itself with WPA2 encryption. A wireless network with no password, or with weak WEP encryption, is not secure, and anyone nearby could be watching exactly what you’re doing online at all times!

Hosts file issues

The hosts file is a file buried in an out-of-sight location that maps certain special domain names to IP addresses. Ordinarily this file should not be modified without a very good reason, but sometimes people do make changes to it for a variety of reasons, such as to block a particular site. Malicious software can also make changes to this file. (The only Mac malware known to do this is QHost, which has not been seen in the wild in a while now.)

To determine if your hosts file has been modified, open the Terminal app (found in /Applications/Utilities) and enter the following command:

more /etc/hosts

After entering that command, press return. This will display the contents of the hosts file. You should see something like this:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost 
fe80::1%lo0     localhost

If your hosts file looks different, you may have a problem. You can fix this, but you will need a copy of TextWrangler. (Do not get the version of TextWrangler that is available in the App Store; download it from the Bare Bones web site! The version in the App Store is limited, due to sandboxing restrictions, and cannot edit the hosts file.) While logged in to an admin account, open TextWrangler, then choose Open File by Name from the File menu. Enter “/etc/hosts” (without the quotes) in the box and click the Open button. The window that opens should show the same thing that the Terminal showed as the contents of the hosts file. Change the file so that it only contains the text shown above. (When you try to edit the file, you will be asked if you want to unlock the hosts file. Click the Unlock button, then finish making the changes. When complete, save the file, and enter your admin password when asked. Then you can close the file, and should restart the computer to make the changes take effect.

Post to Twitter

Tags: , ,


12 Comments

  • Mark Hennon says:

    Terrific article, Thomas!

  • Cate says:

    Agreed! Thank you for sharing this.

  • Someone says:

    What’s the difference between ~/Library/Internet Plug-Ins and /Library/Internet Plug-Ins

  • Kevin says:

    I was having misdirects on a few websites.
    I was the only one in the office having the same problem.
    Took the computer (mac book air) home and didn’t have the problem on the home network.
    The only thing that worked for me was turning off the extensions in Safari. The only extension that was in there, was the recent Java v. 11 update. So, I’m not sure if there’s a problem with that extension?

    • Thomas says:

      If the problem reliably occurs at work, but not at home, the issue is not likely to be with your computer but with something related to the office network. (Why it doesn’t affect co-workers, I’m not sure… perhaps a difference in settings, or perhaps they’re on a different sub-network? Or perhaps it’s specific to certain sites… did you check the behavior of the same sites on other people’s machines?)

      If the problem isn’t happening at work any longer, then it was probably just an issue with hacked sites.

  • Kevin says:

    correct … Flash Player v. 11

  • Maurice Garrett says:

    Mac Mini 10.5.8 ppc
    Hi Thomas I have a problem which has got me beat!
    I dad have macafee viruscan installed some time ago.
    I have now removed it completely , or so I thought .
    I am getting constant reports showing in console which I just can’t shift.
    I must say here that the machine is running a lot slower than usual..

    I have tried using terminal, but it won’t except the commands.
    Things such as viruscan throttling respawn, and image not found, are a couple.
    The processor is constantly working even with all apps closed.
    The only thing I haven,t tried is reinstalling and then uninstall viruscan, but this I,m very reluctant to do as you can imagine.
    Any ideas please. Regards Maurice UK

  • Someone says:

    Edit: in paragraph 5, you say “There are two tests that will need to be done,” and then you describe three tests.

  • Someone says:

    You’re welcome.

  • Someone says:

    Funnily enough, I had never seen that sort of stuff on my wonderful Mac, but now, on my PC, I’m seeing the random ad links – on YOUR website!! Probably the free wifi network I’m using…

  • Hinhan-Ska says:

    This is very direct. Thank you for assisting me in solving this issue.

This post is more than 90 days old and has been locked. No further comments are allowed.

This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.