Website is resolving to strange websites and links

  • Our website is intermittently resolving to strange websites and links. This started happening maybe a week or so ago. I’ve seen it happen on mobile and desktop devices.
  • This is an example of a URL it resolved to:
  • Netlify instance is empower-netlify-8989

Hmm, empower-netlify-8989.netlify.com resolves for me:

That’s really odd. I know you are saying it seems to be happening on multiple devices, but my first thought was a browser extension issue or maybe a virus that is hijacking you somehow.
When was the last time you ran a virus scan?

What have you tried? Does this happen on all browsers? When was your last successful deploy?

Thanks for your answer. It resolves 99% of the time to the correct page. I have seen it perhaps 3-4 times. I also thought that too, but another employee saw it before on iOS mobile, Safari. I have also seen it on desktop too. Chrome. I just don’t know how someone would be hijacking it. We deploy the site multiple times a day.

The only thing I can think of is that one of our header script tags has been infected (it’s the only external JS we use when the page renders), or an npm package has been compromised.

I would definitely rule out that external JS! I haven’t heard of this behaviour before, and something about it pointing to a free trial and a VPN just smells (I know, not very technical, BUT) like a hijack or virus to me.

If you can find a way to reproduce this or similar, or you can rule out anything external, we will absolutely try and find out what is going on, but otherwise, we can’t do much at this time, I’m afraid.

So I think I found the culprit. I have Sentry set up, so I was looking through the logs and came across this error.

Failed to set the 'href' property on 'Location': The current window does not have permission to navigate the target frame to 'https://cdngateway.net/?s=G5dOj6qMTaRTrLraxX9jWVOuDFaXvC6NFx2LXfqz4yAtQK753nzVnyEE7yu%2Fwi3JLrxWYRqMuzvALbY%2F7eMORE1HgkkBymhD&src=ZW1wb3dlci5tZQ%3D%3D'.

This URL is familiar, I always see it before the redirect to some VPN site.

It was coming from https://sc-assets.net/scevent.min.js, which is the Snapchat pixel, surprisingly. I have removed this header tag and will monitor going forward.

Some more details from the Sentry log.

I knew it! This is super interesting - and weird. Keep us posted if you find out anything else.
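The Sentry error quoted in the thread can be triaged mechanically. The sketch below is an added example, not code from any poster or from Netlify: it pulls the blocked navigation target out of the error text, base64-decodes query parameters such as `src`, and flags targets outside an allowlist. The flat event shape (`script`, `message`), the allowlist contents and the sample events are assumptions.

```javascript
// Added example: triage Sentry-style events for blocked third-party redirects.
// Assumption: hosts this site legitimately navigates to.
const ALLOWED_NAV_HOSTS = new Set(["empower.me", "empower-netlify-8989.netlify.com"]);

// Chrome's error text for a blocked location.href assignment, as quoted in the thread.
const BLOCKED_NAV_RE =
  /Failed to set the 'href' property on 'Location':.*?navigate the target frame to '([^']+)'/;

// Return the decoded text if value is base64 for printable ASCII, else null.
function tryBase64(value) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value)) return null;
  try {
    const text = atob(value);
    return /^[\x20-\x7e]+$/.test(text) ? text : null;
  } catch {
    return null; // not valid base64
  }
}

// Inspect one event; return a finding for an off-allowlist navigation, else null.
function triageEvent(event) {
  const match = BLOCKED_NAV_RE.exec(event.message);
  if (!match) return null;
  let target;
  try { target = new URL(match[1]); } catch { return null; }
  if (ALLOWED_NAV_HOSTS.has(target.hostname)) return null;
  const decodedParams = {};
  for (const [key, value] of target.searchParams) {
    const text = tryBase64(value);
    if (text !== null) decodedParams[key] = text;
  }
  return { script: event.script, targetHost: target.hostname, decodedParams };
}

function triageEvents(events) {
  return events.map(triageEvent).filter((finding) => finding !== null);
}

// Constructed sample events; the long "s" token from the thread is replaced by a placeholder.
const SAMPLE_EVENTS = [
  { script: "https://sc-assets.net/scevent.min.js",
    message: "Failed to set the 'href' property on 'Location': The current window does not " +
      "have permission to navigate the target frame to " +
      "'https://cdngateway.net/?s=REDACTED-TOKEN&src=ZW1wb3dlci5tZQ%3D%3D'." },
  { script: "https://empower.me/app.js", // hypothetical first-party bundle
    message: "TypeError: Cannot read properties of undefined (reading 'id')" },
];

console.log(JSON.stringify(triageEvents(SAMPLE_EVENTS), null, 2));
```

On the sample, the `src` parameter decodes to the referring site's own hostname, which shows the redirect URL carries the identity of the page it was injected into.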