Something looked broken with Web search on my computer yesterday, and it took me only about 18 hours of detours to figure out the problem. To spare you all the trouble of repeating my troubleshooting, here’s how things worked out.
Everything started when I was doing a routine search for a post I’d written last winter on CEA’s blog. I clicked on Google’s link, saw a random address appear and then another, and found myself looking at a sketchy page with ads for some casino instead of my analysis of exemptions to the Digital Millennium Copyright Act’s anti-circumvention provisions.
My first thought–both frightened and angry–was that I’d finally gotten hit with a virus like DNSChanger on my own computer. But the same hijacked search happened in another Mac and on the Chromebook I’d just reviewed.
Maybe my wireless router had gotten compromised somehow? I had covered one reader’s experience with that two years ago, and my fellow tech journalist Glenn Fleishman (I’d say he’s forgotten more about WiFi than I’ll ever know, but he forgets nothing) thought that was likely too.
But the router had nothing amiss with its domain-name-server settings. Meanwhile, doing the same search in the browser on an AT&T Android phone (another recent review) didn’t yield any spurious results. Two replies on Twitter also suggested this issue might be specific to Internet providers.
My last move before getting distracted by our daughter was to try the same search on other sites. At Bing, the result also got hijacked; at DuckDuckGo, it did not.
This morning, as I was using Safari’s Web Inspector to see if I could get any more insight on the mechanics of the hijack (and take the screengrab you see above), another Twitter reply suggested that it could be an issue with CEA’s installation of WordPress. There is a history of exploits for that popular blogging platform that target incoming referrers from popular sites to send those clicks elsewhere; see, for instance, this Q&A thread.
(WordPress.com, this blog’s host, is a commercial service that runs WordPress; one of its selling points is having professionals stay on top of patches and security so I don’t have to.)
Sucuri LLC’s malware-checking site didn’t find any malware at CEA’s blog. But when I e-mailed somebody at the Arlington, Va., trade association, they did find a malicious script on the site that’s since been removed. And now, my original search takes me to the right page.
So I guess reporting this counts as this week’s good deed for the Internet… and maybe a start on next weekend’s USA Today column. But before I do that: Have you run into anything like this? Were you able to get it resolved? What else would you like to know about search hijacking?
Rob Pegoraro 
Not the same thing exactly, but I think my machine’s been hit with a Google redirect virus. I get similar results to what you posted above when I use Google to perform searches in Firefox. Searches in IE and Chrome appear unaffected. My antivirus never caught it. Searches (not using Firefox!) for remedies turned up this step-by-step article: http://atechjourney.com/google-redirect-virus-remove-manually.html/ , but I’ve been afraid to actually take these measures. Any thoughts on whether this is a good plan of action?
I would download and run Malwarebytes free software first. Then, if that didn’t work, do what the site says and run it again. I had a DNSredirector on my computer about two years ago and it took a combo of Malwarebytes and following direction for disabling the redirector to fix it.
Good Luck,
Will
Pingback: Weekly output: ECPA, WCIT, The Daily, search hijacking, router firmware | Rob Pegoraro
Pingback: A look back at 2012′s blogging stats | Rob Pegoraro