Tell HN: DNS hacked? Redirected to forward.rewardfinds.com?
8 points by anonymouslambda on Dec 5, 2010 | 3 comments
This problem popped up for me about a week ago. Requests to retail websites would be redirected to forward.rewardfinds.com, which then redirects to the requested website. I imagine rewardfinds is some affiliate program. I thought perhaps some malware, but after trying it on both a Windows and Ubuntu box, I suspected DNS. Flushed my DNS cache, switched over to 8.8.8.8 & 8.8.4.4 (Google's DNS) and that solved the problem.

Didn't think much of it, but a friend pinged me with the same problem. Did a search and it appears others are having the same problem (http://support.mozilla.com/mr/questions/766714).

At first I thought it was some nefarious tech at my ISP who figured s/he'd earn some extra bucks redirecting everyone's requests, but it appears more widespread.

Has DNS been hacked?




Who is your ISP?

http://en.wikipedia.org/wiki/DNS_cache_poisoning has definitely been exploited in the wild. A friend of mine in AWS had to investigate cache poisoning attacks happening on certain ISPs a few years back that were hijacking images.

Edit: Are any affiliate params or headers being passed to the forward page?


I live in a high-rise in downtown Chicago, so my ISP is some local company that services multi-tenant buildings: https://www.am3inc.com/default.cfm

Yes, affiliate params were being passed in the URL to the forward page.


You probably know, but the people to contact are your ISP to tell them of their DNS poisoning, and also the "rewards" company to complain about their sneaky affiliate.

You mentioned that it's not confined to just your ISP - It's possible for these DNS attacks to cascade due to the nature of DNS, so the attack may have originated higher up than just your ISP's DNS servers. But they should be able to have a better idea of what's happening.
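
The original poster's test, switching from the ISP's resolver to 8.8.8.8 and 8.8.4.4, can be turned into a repeatable check by comparing the A records each resolver returns for the same hostname. The following is an added example, not part of the thread: a minimal standard-library DNS client whose function names are illustrative and whose resolver addresses are supplied by the caller.

```python
# Added example: compare the A records different resolvers return for one name.
import secrets
import socket
import struct

def build_query(name, qid):
    """Encode a recursive A/IN query for `name` with transaction ID `qid`."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:             # root label ends the name
            return off + 1
        off += 1 + n

def parse_a_records(msg):
    """Return the set of IPv4 addresses in the answer section of a response."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_a(name, resolver, timeout=3.0):
    """Query one resolver over UDP port 53 (needs network access)."""
    query = build_query(name, secrets.randbelow(1 << 16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("response ID does not match the query")
    return parse_a_records(data)

def disagreeing(answers, reference):
    """Resolvers whose non-empty answer shares no address with the reference's."""
    return sorted(r for r, ips in answers.items() if r != reference and ips and not ips & answers[reference])
```

Collect `resolve_a(hostname, resolver)` for the ISP resolver and a public one into a dict and pass it to `disagreeing`. CDNs and geo-DNS legitimately return different addresses per resolver, so a mismatch is a lead to investigate, not proof of poisoning.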



