Sites being redirected to 'Competition' Page

Hi, just started using Cloudflare and already worried.

Browsing the web on my home network and was on independent.co.uk when all of a sudden I was redirected to a site claiming to be Microsoft saying I could win big prizes… URL is this:

http://microsoft.com-m4-nl-pat1.hoge-kwaliteit-gadgets.trade/winip7nl_win.html?isp=Cloudflare%20inc.&model=Desktop&162.158.111.239&cep=GGzaCxLeodg-az7_q_8NxRHKzvhk4sXHeCIL-qA1p-OL3RSY4aT1P_wUChlRCtG_i9bK3EP0QQFuxHGA9oN9deuiqY7zYllmHptKwyyXupWnmdzi48XBhWp_BdZyDFKGmDjBV2lhWCX5bcK5a7pRMsTCBBB82_WU9X_kGYKJKg6tByCGXktJVgwHaO7MsOP8yhONSpjeOm2ukGgiFePJvQb29AbI9T3XN8SsfVFLswi25OTt4pjStT6zVjAlfWgFUxt4oUwAUHcJkmpkrR0CvrDO-a5QX-n089pxz3pjFbE&siteid=beachfront_&sitedomain=independent.co.uk&page=&source=371&pub=beachfront_10615#b

What’s worrying is the page had loaded and then it suddenly redirected to this page.

Is this DNS service safe? Never had this issue when using OpenDNS or Google DNS.

This is a question regarding 1.1.1.1, not a domain you are serving via Cloudflare, right?

Can you reproduce that issue? On which page did it happen?

Yes this is concerning the consumer 1.1.1.1 DNS service - I have it set up using IPv4 and IPv6 on my Netgear router at home.

I’m not hosting anything, just using it as my preferred DNS service at home.

It’s happened a few times, just now I captured the URL… I can’t reproduce it but grabbed the URL from my browser when it just happened a few minutes ago.

The site I was on was https://www.independent.co.uk - it had loaded and I was reading the headlines when all of a sudden the page was redirected to the URL above. You can see it contains lots of information about the fact I’m using Cloudflare, knows I’m on a desktop and has the original URL contained also.

This really is concerning me…

I am pretty confident this is not Cloudflare related, but it's difficult to impossible to say without being able to reproduce it. I’d first run some malware scanner to rule out any local issues. I’d also check the browser for any extensions that shouldn't be there.

I’m on a clean install of Mojave with no extensions… it was literally installed yesterday so there’s nothing on it at all.

What makes you so certain it’s not Cloudflare related? It’s never, ever happened before and I started using Cloudflare about 2 days ago and this is about the 3rd time it’s happened - twice on my MacBook Pro and just now on my iMac.

Cloudflare is also referenced in the URL I was redirected to.

Would like to note independent has an ads.txt https://www.independent.co.uk/ads.txt

My guess is that a rogue ad was on the page that used the ad space to redirect to one of these fake Microsoft domains. Fake Windows/Apple/etc. alerts and scams are a huge market, and most of the time it’s done via Google’s own AdWords service.

The file above should mean only trusted ads run on their pages, but sometimes even bad ads can be served via these providers.

It’s probably not a Cloudflare issue, you probably just happened to be lucky enough to get one of these scam ads that redirected you to the scam page.
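An added example (not part of any post in this thread) that splits the redirect URL from the first post into its host and query fields. It shows that the host only begins with `microsoft.com` while its rightmost labels belong to a different domain, and that the Cloudflare, desktop and independent.co.uk details are ordinary query parameters. The `cep` token is replaced with a placeholder, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl

# Abbreviated from the URL in the first post; the long `cep` token is
# replaced with a placeholder.
REDIRECT_URL = (
    "http://microsoft.com-m4-nl-pat1.hoge-kwaliteit-gadgets.trade/"
    "winip7nl_win.html?isp=Cloudflare%20inc.&model=Desktop&162.158.111.239"
    "&cep=PLACEHOLDER&siteid=beachfront_&sitedomain=independent.co.uk"
    "&page=&source=371&pub=beachfront_10615#b"
)


def host_belongs_to(host: str, brand_domain: str) -> bool:
    """True only if host is brand_domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    brand_domain = brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def analyze_redirect(url: str, brand_domain: str) -> dict:
    """Break a landing URL into the parts a reader should actually check."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    is_brand = host_belongs_to(host, brand_domain)
    # keep_blank_values=True keeps fields with no "=value", such as the bare IP.
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "scheme": parts.scheme,
        "host": host,
        # Host names are read right to left. Taking the last two labels is a
        # simplification that holds for a single-label TLD such as .trade.
        "rightmost_labels": ".".join(host.split(".")[-2:]),
        "is_brand_host": is_brand,
        # Brand name at the left edge of an unrelated host: a lookalike.
        "brand_used_as_prefix": host.startswith(brand_domain) and not is_brand,
        "fields": fields,
    }


if __name__ == "__main__":
    for key, value in analyze_redirect(REDIRECT_URL, "microsoft.com").items():
        print(f"{key}: {value}")
```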

I am not certain, I am pretty confident :wink:

This is not something a DNS provider would usually have control over, unless they hijack an entire domain which I’d be once again pretty confident we could rule out in this case.

Again, if you can reproduce it, it would be easy to check where that originates from. In this case it is pretty difficult though. Even though I would have ruled out it originated from the Independent, I guess @Judge made a good point here.

Thanks for the explanation. I’m wondering why this has never happened before… I’ll stay away from that site for a while and see if it happens again on another site.

Makes sense to me… so it would seem Independent is hosting some dodgy adverts… I will remove them from my favourites.

Again, without being able to tell what exactly is going on I would not blame them either.

Best advice in this context, probably: install an ad-blocker.
