window.opener) and prevents you from pressing Back to resume reading that site.
In one case I managed to catch how this rude interruption of an apparently calm website was being done, and it's not pretty.
The original page was written by a hobbyist about programming a certain old computer (certainly nothing to suggest malicious advertising deals), so I was expecting to uncover a case of the original site's server having been compromised i.e. broken into, and I planned to alert the hobbyist's ISP once I'd figured out some details about this break-in.
The Motigo script created several divs with id "motigoAdtagPopunder". The term "pop-under" is used in Web advertising to refer to opening a new browser window underneath the present one, the idea being that the user will find it later and not know where it came from. It doesn't work so well if your foreground window is small enough for you to see what's happening behind, but they assume people browse maximised. That seems sneaky enough already, but on Android these tabs were popping up over the site (not under it) and, as mentioned above, sometimes replacing the site as well---probably not what any webmaster would want unless they're in it purely for advertising revenue (which wasn't the case here, because they were being given only statistics in exchange for this madness), and arguably also in breach of Motigo's own contract if the phrase "advertise on your website" means on it---not under it or over it or replacing it, but on it, like traditional magazine advertising next to an article---but their lawyers will probably say "on" somehow means "using" here.
divs contained scripts from mirando.de fetching 302-redirects from an nginx server that inspects the browser's User-Agent string (Lynx wasn't redirected unless run with -useragent); the eventual page had an iframe with source on AdNetworkPerformance.com (which had no homepage and cloaked their
kuaptrk.com (registered to Mundo Media Ltd of Canada), and from there to an ads.diamonds (one of the newer TLDs) who had again cloaked their whois, this time by using a proxy company in Hong Kong.
history of the "pop-under" window (in case the user tried to use Back to close the tab on Android?) before loading another page---a different one every time---that refreshed to trackmedia101.com (again cloaked via HK) which eventually redirected to one of several places, e.g.:
browser.tracksafe.org (cloaked via Panama; their www. site displayed a "domain parked" message, while accessing browser. at top level redirected to a random 'get-rich-quick' scheme or "install our extension" or whatever); the 'TrackSafe' URL provided to Android refreshed to
tracking.imagineads.mobi (again whois-cloaked, displaying a "domain parked" message from their www server but redirecting to a random site from tracking.); on Android this refreshed to
tracking.applift.com (a "mobile user acquisition platform" registered in Berlin, telling application owners they can get more users to install their programs), and this refreshed to app.appsflyer.com (which said it can "attribute every install to the right campaign or media source", which is false if they have no way to count how many people declined after accidentally following an install link), and this 302-redirected to a market:// URL to offer to install a shopping program called "Wish" programmed by ContextLogic Inc of San Francisco (who also owned
trackmedia101.com (when given a different URL by ads.diamonds) redirected to a page on trck.mysuperapps.online (note the missing
viralapps.club to advertise applications that are "trending" (or at least that the company would like to be trending);
mobileplay.me which redirected to billyaffcontent.com which redirected to trackmedia101.com to a page on trk.tracksys55.com (registered to AdXperience in France) which then went to control.kochava.com (an "analytics platform" for advertisers), which redirected to the Google Play page for Audible's audiobooks application (did they know what kind of advertising 'ecosystem' they were signing up to?);
forcati.com (cloaked whois) which served truncated video-playing code or redirected to fake competition prizes;
global.msmtrakk18a.com which redirected to another app.appsflyer.com page and a market:// URL for a taxi-ordering program;
apk, and some sites that didn't load at all.
wsjpnxdm8u.top registered to a certain Lei Gao in Ningyang, Shandong and hosted on Amazon. This server was returning 404s to all other URLs. Another, similar message ("corrupted with virus and battery has been damaged") was served from inbox-msg-cg000.gdn (falsely claiming to be Google; actually hosted on Amazon and registered to a company in Bangkok); this site contained code to activate the phone's vibration (as did some of the fake "you have won" sites), and falsely threatened the user with "permanent lockdown" unless they installed "Turbo Cleaner" from Google Play, an application which, as far as I could tell from its .class files, didn't seem to do anything useful, but presumably they were hoping its in-app advertisements might get them more revenue than they were spending to spread it. And I didn't see that they'd compromised any ordinary web servers to do this, although we can't rule out the possibility that they found a way to bypass billing on the advertising network, since advertising money spent for the sole purpose of raising other advertising money does seem a bit wasteful if they don't have a particularly effective 'multiplier' in the middle.
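To reproduce the kind of hop-by-hop trace described above without a script-running browser, here is an added Python example (not code from the original post): it follows 3xx Location headers and meta-refresh hops, stops when it reaches a market:// URL, and records every host on the way. The live servers are replaced by a constructed table of responses keyed on the User-Agent family, so the Lynx-versus-Android difference the post mentions shows up; the domains are the ones named in the post, while the paths, ids and page bodies are invented for the example.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the hop-by-hop responses the post describes. Keys are
# (URL, User-Agent family), values are (status, headers, body). The domains are
# the ones the post names; the paths, ids and page bodies are invented here.
FAKE_WEB = {
    ("http://ads.diamonds/tag", "android"):
        (302, {"Location": "http://trackmedia101.com/r?x=1"}, ""),
    ("http://ads.diamonds/tag", "lynx"):          # no redirect for a text browser
        (200, {}, "<html><body>nothing to see</body></html>"),
    ("http://trackmedia101.com/r?x=1", "android"):  # a "refreshed to" hop
        (200, {}, '<meta http-equiv="refresh" content="0; url=https://app.appsflyer.com/x">'),
    ("https://app.appsflyer.com/x", "android"):
        (302, {"Location": "market://details?id=example.app"}, ""),
}
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)

def fake_fetch(url, ua_family):
    """Stand-in for one HTTP GET that does not follow redirects by itself."""
    return FAKE_WEB.get((url, ua_family), (404, {}, ""))

def trace(url, ua_family, fetch=fake_fetch, max_hops=20):
    """Follow 3xx Location headers and <meta refresh> hops without running any
    script; returns [(url, status), ...]. A non-http(s) scheme such as market://
    ends the chain, as a browser would hand it to the app store."""
    hops = []
    for _ in range(max_hops):
        if urlparse(url).scheme not in ("http", "https"):
            hops.append((url, None))
            return hops
        status, headers, body = fetch(url, ua_family)
        hops.append((url, status))
        nxt = headers.get("Location") if 300 <= status < 400 else None
        if nxt is None and status == 200:
            m = META_REFRESH.search(body)
            nxt = m.group(1) if m else None
        if nxt is None:
            return hops
        url = urljoin(url, nxt)  # Location and refresh targets may be relative
    hops.append(("<max hops reached>", None))  # redirect loop or very long chain
    return hops

def hosts(hops):
    """Hostnames touched by a chain: the candidates for a block list."""
    return [urlparse(u).hostname for u, _ in hops
            if urlparse(u).scheme in ("http", "https")]
```

Swapping fake_fetch for a real non-redirecting GET (with the User-Agent string of the device under test) turns this into the trace the post did by hand.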
I am most certainly not going to recommend that original webmaster's site to anyone, because I cannot in good conscience recommend a site that has become associated with so much intrusive false advertising. I'm not even sure I'd want to recommend a different site that happens to include that site in a "links" section. (I did attempt to contact the webmaster about this, but the email address they listed was no longer valid.)
It would be a pity if an otherwise good resource were tainted in this way by being hosted on a server that's paid for by aggressive advertising, but it's doubly a pity that all this was because the original webmaster signed up to a mere statistics service that doesn't even pay his hosting bills. He wanted statistics about his readers, but at this rate he won't have any readers, because they'll be taken out of his site and put off from returning as soon as they try to tap one of his links. If you ran a library or bookshop, would you accept someone's offer to count your visitors if they reserved the right to grab said visitors by the scruff of the neck and drag them off to unsavoury places the moment they started to look at any of your items?
Host: header, which covers only sites that don't yet use HTTPS; to go beyond that the router would have to interfere with DNS lookups, or block IPs (which change).
Based on the above experience I'd certainly suggest blocking trackmedia101.com if not the others.
taboola.com so I'd suggest blocking those four also (they weren't all responsible, but as a consumer I'd sooner 'overblock' than check specifically which one it was---which shows that browser-commandeering advertising is bad not only for the site it appears on and the advertising network that carries it, but also for any other advertising networks used by the same sites).
doubleverify.com (ironically claiming to be in the business of "brand safety" but perhaps they were tricked), reactrjs.com (not to be confused with ReactJS), quantserve.com (supposedly just an analytics site, but as shown above I no longer trust such claims) and scorecardresearch.com so I suggest summarily blocking those as well. But some of them are HTTPS sites, meaning you'd need a router that lets you change the DHCP DNS server (I was not able to prevent browser takeover by simply blocking this set of sites on an off-the-shelf router).
apt-get install tinyproxy on a Raspberry Pi (with a static IP), point /etc/tinyproxy.conf at a file containing the domains you want to block (restart or send SIGHUP to make it re-read this file), and set this IP and port 8888 in the Advanced options of your home Wi-Fi network on the Android device (long tap on the connection, select "Modify network" and enable the advanced options). Remember to use iptables or other access controls if you've set your router to send "DMZ" traffic to the Raspberry Pi. If tinyproxy sometimes gets "stuck", you could /etc/init.d/tinyproxy restart or try something else like ngx_http_proxy_connect_module (likely to require compiling from source).
This proxy approach has the disadvantage of requiring a settings change on each device that uses your network, but it does mean you can block HTTPS sites at the domain level (tinyproxy detects the browser's CONNECT request and denies it).
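An added Python example (my own model of the decision, not tinyproxy's code) of why the proxy can block HTTPS sites when a Host:-inspecting router cannot: a browser configured to use a proxy sends the destination host in plain text as the CONNECT request target before the TLS tunnel starts, whereas for plain HTTP the host is only in the absolute URL or the Host: header. The block list is the set of domains this page names; the parent-domain matching rule is this example's assumption (tinyproxy reads its own list from the file named by its Filter directive).

```python
import re
from urllib.parse import urlparse

# The domains the post itself suggests blocking (only those it names); the
# parent-domain rule below is this example's assumption, not tinyproxy's.
BLOCKLIST = ["trackmedia101.com", "taboola.com", "doubleverify.com",
             "reactrjs.com", "quantserve.com", "scorecardresearch.com"]
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/1\.[01]\r?$")

def blocked_host(host, blocklist=BLOCKLIST):
    """True when host is a listed domain or a subdomain of one. Matching on
    the label boundary (not a bare substring) keeps 'nottaboola.com' out."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocklist)

def host_of_request(raw):
    """Destination host of a request as a forward proxy sees it. For CONNECT the
    host is in the request target, visible even though the tunnel that follows
    is TLS; for plain HTTP it is in the absolute URL or the Host: header."""
    lines = raw.split("\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    if "://" in target:
        return urlparse(target).hostname
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().rsplit(":", 1)[0]
    return None

def decide(raw):
    """'deny' when the request is bound for a listed domain, else 'allow'."""
    host = host_of_request(raw)
    return "deny" if host and blocked_host(host) else "allow"
```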