Recently Safari has been exhibiting an odd behavior – I'm in the middle of browsing something and suddenly the entire page is redirected to a sponsor.adverstitial.com URL.
In searching online I see mention of people from many different forums being redirected there, so it seems like a problem not related to websites I am on, but more like malware of some kind.
Does anyone know what is causing this?
Some steps I've taken include:
- I've carefully pored over the process list with `ps -efww` to see if I have any processes I do not recognize.
- I've also gone into my startup items to see if anything looks suspicious, just a few items that I know what they are.
- As I said, carefully searched the internet for causes but can find only victims, not solutions.
- Looked into Safari Extensions – I have only ClickToFlash and "Translate" from SideTree.com installed. I tried disabling Translate and will see if it happens again.
For the moment I've taken the precaution of changing the IP for sponsor.adverstitial.com to be just localhost in /etc/hosts so at least my browser does not actually load the site, but the redirect still occurs (just with a blank page). Obviously whatever causes the redirect could be sending out other info, so I'd really like to find the root cause and eradicate it.
Best Answer
I left Charles (web proxy debugger) running and waited for the re-direct again. I found the site that is originating the request to sponsor.adverstitial.com, it is ad.cpmaxads.com.
A request to that site goes out, then it brings back a lot of shady looking javascript/HTML mix with this in the middle:
The request to ad.cpmaxads.com from the web page was:
And the referring page was from Slashdot.org.
I'm pretty sure now this is specifically an advertisement that manages to force the whole page to load a new URL, as you can kind of make out from the Javascript - so at least it's not malware. I'm going to try setting a /etc/hosts entry as follows to block the origin of the offending Javascript:
As it comes from advertising, this probably occurs for any other sites using that advertiser. If people are not comfortable editing /etc/hosts, you could also try installing an ad-blocker, and just blacklisting ad.cpmaxads.com if you didn't want the whole ad-block experience (I don't like how it slows things down and I do want to support sites I like with advertising revenue - as long as ads do not infuriate me by repaving the whole page...)
For those interested in the whole HTML/javascript block that comes back from ad.cpmaxads.com, it is:
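The tracing step described in the answer (finding which request led to sponsor.adverstitial.com and which page referred it), as an added example that is not part of the original post. It assumes the proxy session was exported in HAR format; the sample capture, URL paths and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

def _req(url, referer=None):
    # Builds one HAR-style entry for the constructed sample below.
    headers = [{"name": "Referer", "value": referer}] if referer else []
    return {"request": {"url": url, "headers": headers}}

# Constructed capture: the hosts are the ones named on this page, the paths are made up.
SAMPLE_HAR = {"log": {"entries": [
    _req("http://slashdot.org/"),
    _req("http://slashdot.org/constructed.css", "http://slashdot.org/"),
    _req("http://ad.cpmaxads.com/constructed-ad", "http://slashdot.org/"),
    _req("http://sponsor.adverstitial.com/constructed-landing",
         "http://ad.cpmaxads.com/constructed-ad"),
]}}

def _referer(entry):
    # HTTP header names are case-insensitive, so compare in lower case.
    for header in entry["request"].get("headers", []):
        if header["name"].lower() == "referer":
            return header["value"]
    return None

def referer_chain(har, target_host):
    """URLs from the first request to target_host back to the originating page."""
    entries = har["log"]["entries"]
    by_url = {}
    for e in entries:
        by_url.setdefault(e["request"]["url"], e)
    current = next((e for e in entries
                    if urlsplit(e["request"]["url"]).hostname == target_host), None)
    chain, seen = [], set()
    while current is not None and current["request"]["url"] not in seen:
        seen.add(current["request"]["url"])
        chain.append(current["request"]["url"])
        ref = _referer(current)
        if ref and ref not in by_url:
            chain.append(ref)  # referrer was not captured: record it and stop
            break
        current = by_url.get(ref)
    return chain

def intermediaries(chain):
    """Hosts between the redirect target and the page the user was reading."""
    hosts = [urlsplit(u).hostname for u in chain[1:-1]]
    return list(dict.fromkeys(hosts))  # de-duplicate, keep order

if __name__ == "__main__":
    chain = referer_chain(SAMPLE_HAR, "sponsor.adverstitial.com")
    print(" <- ".join(chain))
    print("hosts between page and redirect:", intermediaries(chain))
```

The hosts returned by `intermediaries` are the candidates for a hosts-file or ad-blocker entry, since they sit between the page being read and the forced redirect.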