

Tell HN: DNS hacked? Redirected to forward.rewardfinds.com? - anonymouslambda

This problem popped up for me about a week ago. Requests to retail websites would be redirected to forward.rewardfinds.com, which then redirects to the requested website. I imagine rewardfinds is some affiliate program. I thought perhaps some malware, but after trying it on both a Windows and Ubuntu box, I suspected DNS. Flushed my DNS cache, switched over to 8.8.8.8 & 8.8.4.4 (Google's DNS) and that solved the problem.

Didn't think much of it, but a friend pinged me with the same problem. Did a search and it appears others are having the same problem (http://support.mozilla.com/mr/questions/766714).

At first I thought it was some nefarious tech at my ISP who figured s/he'd earn some extra bucks redirecting everyone's requests, but it appears more widespread.

Has DNS been hacked?
======
cypherpunks01
Who is your ISP?

<http://en.wikipedia.org/wiki/DNS_cache_poisoning> has definitely been
exploited in the wild. A friend of mine in AWS had to investigate cache
poisoning attacks happening on certain ISPs a few years back that were
hijacking images.

Edit: Are any affiliate params or headers being passed to the forward page?

~~~
anonymouslambda
I live in a high-rise in downtown Chicago, so my ISP is some local company
that services multi-tenant buildings: <https://www.am3inc.com/default.cfm>

Yes, affiliate params were being passed in the URL to the forward page.

~~~
cypherpunks01
You probably know, but the people to contact are your ISP to tell them of
their DNS poisoning, and also the "rewards" company to complain about their
sneaky affiliate.

You mentioned that it's not confined to just your ISP - It's possible for
these DNS attacks to cascade due to the nature of DNS, so the attack may have
originated higher up than just your ISP's DNS servers. But they should be able
to have a better idea of what's happening.
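
A check for the symptom described in this thread, added here as an example and not posted by any participant: given the URLs a browser visited while following redirects, it flags a hop through an unrelated host that hands the user back to the site originally requested. The `shop.example` URLs and the `aff`, `url` and `ref` parameter names are constructed sample data; only the `forward.rewardfinds.com` host comes from the thread.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed redirect chains, in visit order (e.g. copied from `curl -sIL` or a proxy log).
HIJACKED_CHAIN = [
    "http://www.shop.example/product/42",
    "http://forward.rewardfinds.com/?aff=CONSTRUCTED123"
    "&url=http%3A%2F%2Fwww.shop.example%2Fproduct%2F42",
    "http://www.shop.example/product/42?ref=CONSTRUCTED123",
]
CLEAN_CHAIN = [
    "http://shop.example/",
    "https://shop.example/",
    "https://www.shop.example/",
]


def site(url):
    """Naive site key: the last two labels of the host. This is an assumption;
    use the Public Suffix List for names such as example.co.uk."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])


def find_bounces(chain):
    """Flag every A -> B -> A pattern in which B is a different site from A.

    A hit is a lead to investigate, not proof: a login provider the site
    really uses produces the same shape.
    """
    findings = []
    for prev, mid, nxt in zip(chain, chain[1:], chain[2:]):
        if site(prev) == site(nxt) != site(mid):
            # parse_qsl percent-decodes values, so an embedded return URL is comparable.
            params = parse_qsl(urlsplit(mid).query, keep_blank_values=True)
            findings.append({
                "requested": urlsplit(prev).hostname,
                "interposed": urlsplit(mid).hostname,
                "param_names": [name for name, _ in params],
                "carries_target": any(
                    site(value) == site(prev) for _, value in params if "://" in value
                ),
            })
    return findings


if __name__ == "__main__":
    for finding in find_bounces(HIJACKED_CHAIN):
        print(finding)
```

Running the same chain once through the ISP's resolver and once through a public resolver such as 8.8.8.8 shows whether the interposed hop depends on which resolver answered.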

