46

I'm seeing this ad when logged in as myself.

Enter image description here

I'm not sure what it is, but it sure /looks/ like a "buy-your dissertation/review"-type of scam.

Can we get rid of the spammy ad or urge the advertiser to get more relevant and clear about their services?

It looks like there is this malicious Stack Overflow clone serving unsecure content:

This is not a question about how to deal with clone sites. It's a discussion about the perils of possible phishing/scam sites that look exactly like Stack Overflow. I've reported the site with google.

13
  • 16
    That doesn't look like something we would serve. Could it be your ISP injecting it in?
    – Oded
    Commented Mar 11, 2016 at 10:30
  • I highly doubt it, I'm on a corporate network here.
    – sehe
    Commented Mar 11, 2016 at 10:31
  • Do you see it over https?
    – Oded
    Commented Mar 11, 2016 at 10:31
  • 5
    I've never seen anything remotely like that on any SE site. Perhaps you've installed a browser plugin or other adware-driven package recently? Perhaps inspecting the underlying source code gives some more pointers to the origin of this ad.
    – Oldskool
    Commented Mar 11, 2016 at 10:32
  • Oded: Dunno. Will check. Meanwhile: @Oldskool added DOM inspection and cookies served
    – sehe
    Commented Mar 11, 2016 at 10:33
  • Possible duplicate of What to do about a clone service scraping SO sites for content?
    – nobody
    Commented Mar 11, 2016 at 14:11
  • @AndrewMedico Not sure this is strictly a duplicate since the OP didn't realise what the site was when posting the question.
    – SuperBiasedMan
    Commented Mar 11, 2016 at 14:35
  • Yup. I think it's more about potential phishing/scams
    – sehe
    Commented Mar 11, 2016 at 14:36
  • 3
    You must have been really tired to navigate to the wrong site ;) Hopefully you didn't also log into yourbank.phish.ru also.
    – Travis J
    Commented Mar 11, 2016 at 19:36
  • 8
    @TravisJ Not at all. I just didn't notice the full domain name. I will not let myself be guilted or shamed here. In fact, I'm going to be proud for noticing right away AND acting upon it. That latter part means the problem is now fixed (for the moment) even though the site has provably been causing problems for a while. No need to thank me.
    – sehe
    Commented Mar 11, 2016 at 19:43
  • 4
    @sehe - Not really guilting you here, but you do kind of blame Stack Overflow for this ad at first. Further, you note that this scam is on an SO clone which really is the heart of the issue. If you had initially noticed the clone url, it would have been prudent to follow the instructions immaculately detailed out in A site (or scraper) is copying content from Stack Exchange. What do I do?
    – Travis J
    Commented Mar 11, 2016 at 19:57
  • 1
    @TravisJ I admit I missed the url initially. I have seen at least 5 different posts that linked to dupes about scraper sites today. None of them seemed to include urgent steps. So, I didn't do them. Regardless, I did report at SO and Google and hopefully it will still have an impact. Cheers. (I don't think this is a scraper site. It does look more like a phishing facade/proxy)
    – sehe
    Commented Mar 11, 2016 at 20:00
  • 1
    @sehe - Proxy is mentioned there, but regardless the point wasn't to chide. It definitely helps to eliminate these harmful sites. :)
    – Travis J
    Commented Mar 11, 2016 at 20:11

3 Answers 3

Reset to default
89

According to the source code in the screenshot of your comment, you are using http://stackoverflow.hex1.ru/, but that is not the official Russian site. That would be https://ru.stackoverflow.com/.

I do see the ad on stackoverflow.hex1.ru, which seems to be a clone site. Please use the original one. Also, you say you see this ad when logged in. If you logged in on that hex1.ru site, consider your login compromised and change your password immediately.

8
  • 4
    Wow. I wonder whether some ad/plugin maliciously redirected me. I use stackoverflow.com exclusively. Good spot, I didn't see it. Quick history check showed nothing from that domain before today. I certainly didn't type it :)
    – sehe
    Commented Mar 11, 2016 at 10:37
  • @sehe: You probably want to block it then, either via plugin/addon or hosts file.
    – Zeta
    Commented Mar 11, 2016 at 10:40
  • @Zeta It's already added to my hosts file now :) I use pgl.yoyo.org/adservers anyways
    – sehe
    Commented Mar 11, 2016 at 10:41
  • 3
    Also noteworthy: List of SO clone sites to exclude /cc @Zeta
    – sehe
    Commented Mar 11, 2016 at 10:43
  • @Oldskool thanks! I figured out how I got the clone site (see my pro forma answer). Thanks for spotting the issue.
    – sehe
    Commented Mar 11, 2016 at 10:51
  • How is the @sehe 's "login compromised" with that? If he logins through Google, for instance, all they got is some mildly sensitive account details (like e-mail) and possibly the ability to do some nondestructive actions (like post messages at Google+). To stop that, he can revoke the permission at the provider's site. Conversely, changing the password won't affect this in any manner.
    – ivan_pozdeev
    Commented Mar 11, 2016 at 11:07
  • 4
    It might be compromised if i had supplied any credentials on that site. Which i didn't.
    – sehe
    Commented Mar 11, 2016 at 11:23
  • 4
    @ivan_pozdeev If it is a phishing site (not sure if it is), of course they would also fake the Google login screen with their own version, capturing email address/password, giving them access to your entire Google account! But good thing OP didn't login on this site :-)
    – Oldskool
    Commented Mar 11, 2016 at 12:44
49

OK, I found how I reached this malicious Stack Overflow clone. It was in my Google results:

Enter image description here

Good thing I noticed something wrong immediately (even if not actually the questionable domain name...)

I advise people to block the domain. And:

Be careful out there.

6
  • 46
    A lesson for us all: We may be smart. We may know a lot about computers. And we may still be fooled.
    – Martin Tournoij
    Commented Mar 11, 2016 at 11:05
  • 21
    If it is in Google results, you should report it to Google so they ban the site for violation of their inclusion policy.
    – ivan_pozdeev
    Commented Mar 11, 2016 at 11:08
  • 9
    @ivan_pozdeev done: i.imgur.com/lFhzCzl.png
    – sehe
    Commented Mar 11, 2016 at 12:17
  • 1
    Good thing I have an AdBlocker ;-)
    – John Dvorak
    Commented Mar 11, 2016 at 15:12
  • 12
    I see your avatar is emBEARrrassed by your mistake.
    – user1228
    Commented Mar 11, 2016 at 15:18
  • 2
    @JanDvorak ad blockers don't usually help against phising/scam sites. (By the way, blocking advertising domains entirely is usually stronger)
    – sehe
    Commented Mar 11, 2016 at 15:22
20

The IP address the site is using is now banned, so when visiting you should get the following error:

SO PROXY BANNED

7
  • 1
    Cool. Good to see things working. It might not keep them out for always, but at least it will send a signal that they will have to put in some effort to keep profiting off of other site's popularity.
    – sehe
    Commented Mar 11, 2016 at 19:46
  • 17
    This is a very confusing explanation of the error.
    – Xan
    Commented Mar 11, 2016 at 20:31
  • 2
    @Xan you are quite welcome to file a report with hex1.ru to make the error message more friendly (hint, don't bother; the longer they don't notice, the better)
    – sehe
    Commented Mar 12, 2016 at 20:53
  • 1
    @sehe It's clearly a Cloudflare error
    – Xan
    Commented Mar 12, 2016 at 21:17
  • 1
    @Xan Yes? And it it clearly indicates a connection is refused. It's the proxying site that fails to handle this and display a more appropriate message. Turns out the exploiters of that clone aren't very professional about it. Who'd have thought...
    – sehe
    Commented Mar 12, 2016 at 21:18
  • 1
    This site has returned: stackoverflow.hex1.ru
    – Der Kommissar
    Commented Apr 25, 2016 at 11:35
  • 3
    @EBrown thanks for reporting this. They are blocked again now.
    – Greg Bray
    Commented Apr 25, 2016 at 16:13

Not the answer you're looking for? Browse other questions tagged .