EDIT: While I tried a new VPN and the issue went away, it’s still hard to say whether this had anything to do with the Mullvad VPN server (as someone points out, something like this shouldn’t really be possible over https, I don’t know if mixed content vulnerabilities are possible that could cause this).
I’ve noticed when browsing the forum https://aseannow.com/ (edit: on multiple Android mobile devices, chrome/firefox, doesn’t seem to affect laptop), when I connect specifically to the Mullvad Singapore server, it seems to intercept the ads and replace with spam ads (tested on mobile). If I disconnect from the server, it’s fine. If I connect to another location, it’s fine. Perhaps the website has some geographic specific thing going on (or I have some local malware that is geo-locked), but it seems more likely it’s the VPN server causing this… as it wouldn’t make a lot of sense for malware to only do its thing when it detects users located in Singapore.
Last month the banner ad would show as blank for 5 seconds, then display an obnoxious full screen redirect saying I had won a mobile phone. This month it has changed slightly (a bit more subtle), instead you get somewhat normal looking banner ads that have bad formatting (e.g. double the width of the web page), served from dicey adserve platforms like outbrain (when not connected to the VPN, it’s only google served ads).
Read your post and visited the site while connected to Mullvad’s sg5-wireguard (M247 owned) server via Safari on my iPad. Using Mullvad’s ad/tracker/malware blocking but I made sure to disable the AdGuard browser extension. Browsed about for a few minutes, visiting various subforums. Aside from a yellow pop-up asking if I wanted to subscribe to their newsletter when I first visited, I noticed nothing out of the ordinary.
Thanks for checking it out. I’ve been using Chrome on mobile, I just tested it on Firefox with the same result. I can’t repro on laptop as I don’t get served any banner ads at all. I’m going to try to dig into the page source.
[removed, typo in url]
Received an ad for sportsbet.io which seems to be a scam site, and I have doubts google would serve it.
There are also ads served by criteo.com, while the forum administrator said they only have it configured to have ads served by google. So you shouldn’t be able to see any non google ads, and indeed when I disconnect the VPN they’re all (legit) google ads.
EDIT: it looks like criteo.com is malware, usually on the device. I’m just not sure why it would only happen when using the Singapore VPN, as it seems to be device based malware. I’m unable to repro on laptop in a mobile-emulated web browser.
EDIT 2: I just tried this on a separate mobile device that is almost certainly clean as hardly anything installed from factory, same criteo ads.
EDIT 3: Well I’m at a loss, I’m not sure that gum.criteo.com is necessarily malware, but it’s somehow linked to the dodgy ads. I’m viewing the page source between the normal vs spam page, and you can see the content differences producing the ads, but not sure how it’s getting there. I can be quite sure the second device is clear of malware (unless it comes with factory settings).
So repro steps seem to be Singapore VPN (only Android, Chrome or Firefox), keep refreshing page until you get a non-google served ad on bottom banner, which may take 5-10 seconds to appear (if you tap and hold on banner ad, you should be able to more easily identify the rogue ones).
Yeah I guess not, I wasn’t sure if individual resources fetched over the page (like a .js script loaded from an ad server) could be intercepted, but probably not as it seems like it would break the point of https.
I tried a new VPN service (connecting to Singapore) and I no longer get served dicey ads, which largely rules out local malware, so I don’t know what else could be going on.
However there is still some level of weirdness where the ads served do not behave quite the same. Like clicking the ‘i’ button on the ad, normally this displays an info message in the banner, when the VPN is connected it opens up a new tab entirely. Then if I connect the VPN to my local country, that difference in behavior goes away.
I’ll leave this post up in case someone else experiences bad ads and might make further progress, I’m at a loss as to what is going on. Best guess now is the adsense was compromised with bad ads, that were served in higher value locations (like Singapore), and that I probably would have seen had I been in Singapore without a VPN. Or there’s a mixed content vulnerability that can modify which ads are served on a https page (perhaps the website itself is compromised).
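Added example, not part of the original thread: one way to make the "normal vs spam page source" comparison described above repeatable is to list the third-party hosts each saved capture loads resources from, and to flag any plain-http subresource (mixed content). The function names and both HTML samples are constructed for illustration; only the ad-network domains come from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser fetch a subresource.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class ResourceHosts(HTMLParser):
    """Collect the hostnames a saved page loads subresources from."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.insecure = set()  # http:// URLs, i.e. mixed content on an https page

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        if url.startswith("//"):  # protocol-relative URL inherits the page's https
            url = "https:" + url
        parsed = urlparse(url)
        if parsed.hostname:  # relative (same-origin) URLs have no hostname
            self.hosts.add(parsed.hostname)
            if parsed.scheme == "http":
                self.insecure.add(url)

def scan(html):
    parser = ResourceHosts()
    parser.feed(html)
    parser.close()
    return parser

def compare(baseline_html, suspect_html):
    """Diff the resource hosts of a known-good capture against a suspect one."""
    base, sus = scan(baseline_html), scan(suspect_html)
    return {"only_in_suspect": sorted(sus.hosts - base.hosts),
            "only_in_baseline": sorted(base.hosts - sus.hosts),
            "mixed_content": sorted(sus.insecure)}

# Constructed captures: BASELINE = VPN off, SUSPECT = VPN on (paths are made up).
BASELINE = """<html><head><script src="/forum.js"></script></head><body>
<script src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
</body></html>"""
SUSPECT = BASELINE.replace("</body>", """<img src="//gum.criteo.com/sync">
<script src="https://widgets.outbrain.com/outbrain.js"></script>
<script src="http://ads.example.invalid/banner.js"></script>
</body>""")

if __name__ == "__main__":
    print(compare(BASELINE, SUSPECT))
```

Because ad slots are filled by scripts after load, feed it the rendered DOM saved from the browser's developer tools rather than the raw view-source output.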