Searchincognito.com


aristotle

9:22 pm on Apr 28, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I've seen this one several times lately. Here is Google's search results snippet about it:
Searchincognito.com virus is a browser hijacker that attacks Internet Explorer, Mozilla Firefox, Google Chrome and even Safari browsers. ... Once inside, the application replaces your homepage and default search provider with Searchincognito.com


Host: 73.250.98.*** 
/
Http Code: 200 Date: Apr 28 16:54:31 Http Version: HTTP/1.1 Size in Bytes: 24210
Referer: http://r.searchincognito.com/
Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36

[edited by: keyplyr at 12:45 am (utc) on Apr 29, 2016]
[edit reason] depersonalized IP address [/edit]

keyplyr

11:51 pm on Apr 28, 2016 (gmt 0)




73.250.98.*** is Comcast, so likely an infected browser of an ISP customer.

They host at: AWS
NetRange: 23.20.0.0 - 23.23.255.255
23.20.0.0/14

blend27

12:22 pm on Apr 29, 2016 (gmt 0)




I had a visitor with the https: //www.searchincognito.com/ referrer as well, from 75-137-4-**.dhcp.nwnn.ga.charter.com ----- Charter Communications -- ISP

UA was different: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
Seems to be the same build of Chrome though.

Nothing special about the visitor, hit a home page and then browsed 7 other pages. Normal requests.

OT >>

As far as : aristotle, not particularly @ U.
Searchincognito.com virus is a browser hijacker that attacks Internet Explorer, Mozilla Firefox, Google Chrome and even Safari browsers. ... Once inside, the application replaces your homepage and default search provider with Searchincognito.com


That would be an incorrect statement. Searchincognito is an approved Chrome extension: https://chrome.google.com/webstore/detail/search-incognito/fdobakplmmicnnhioedbifobmpoaglac . If it was a virus it would not make it to chrome.google.com/webstore.....

What's virus is Goog providing links to 50,000 + WIKI-HOW types of sites/pages (I am assuming snippet belonged to 2-viruses.com) that go a full length in explaining how to remove a particular program alongside with displaying Ads that make a user/visitor feel safer and misleading visitors at the same time with HUGE Green and Yellow Download Uninstaller buttons and Phone numbers to call. Oh and while you browse those sites, just know that DoubleClick, AddThis and such would be there as well.

If we follow the same logic/common sense, then Goog/Bing/Ask/Yahoo Toolbars are in the same exact category.

Try downloading Java, and clicking Next, Next Next... One will end up with some type of a browser toolbar. Try finding a driver for a slightly outdated HP printer... - end up with a Gig of junky software that does nothing but "Monitors Your system for the best performance".

<< OT

aristotle

2:02 pm on Apr 29, 2016 (gmt 0)




That would be an incorrect statement. Searchincognito is an approved chrome extension:

That might be a different search incognito utility. At any rate, I'm not going to take the risk of going to searchincognito.com to see if it has any official connection with google.

lucy24

8:40 pm on Apr 29, 2016 (gmt 0)




I'm not going to take the risk of going to searchincognito.com to see if it has any official connection with google.

If it were google-connected, wouldn't it live on a Google server instead of AWS?

aristotle

9:17 pm on Apr 29, 2016 (gmt 0)




If it were google-connected, wouldn't it live on a Google server instead of AWS?

That's just another reason not to take the risk.

keyplyr

9:27 pm on Apr 29, 2016 (gmt 0)




I agree with blend27. There may or may not be a virus circulating at one time or presently that injects code to switch browser preferences, but setting up Warning sites to get ad clicks is a well-known black hat tactic. Also, competitors may start these net rumors to discredit another company.

Searchincognito is indeed a valid search resource and browser extension (although I block it because of the "incognito" attribute.) Just because a visitor has a referrer from any remote web site does not in itself construct a threat to your web site. There would need to be some sort of script injection.

aristotle

1:59 pm on Apr 30, 2016 (gmt 0)




Well if you do a google search for "searchincognito.com" (without quotes), and look at the results, there are literally dozens of entries about how to remove it from your browser.

So you certainly get the impression that a lot of people must want to get rid of it.

Since otherwise there wouldn't be so many sites with removal instructions.

So for whatever reason, a lot of people evidently want to get rid of it.

wilderness

4:59 pm on May 2, 2016 (gmt 0)




FWIW, this morning had a valid visitor (all supporting files and images) with the com as the refer.

50.45.44.zzz - - [02/May/2016:09:31:07 -0600] "GET /MySub/MyPage.html HTTP/1.1" 200 5967 "https:// www.searchincognito.com" "Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0"
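The check described in the post above (a referred visitor that also requests the supporting files and images), run over combined-format log lines, as an added example that is not part of the original thread. The function names, sample lines, documentation-range IPs and placeholder user agents are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format, the layout of the line quoted above.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Requests for supporting files, as opposed to pages.
ASSET_RE = re.compile(r'\.(?:css|js|png|jpe?g|gif|ico|svg|woff2?)(?:\?|$)', re.I)

def referer_host(referer):
    """Lower-cased host of a Referer value; tolerates spaces added by de-linking."""
    try:
        return (urlsplit(referer.replace(" ", "")).hostname or "").lower()
    except ValueError:  # client-supplied value that is not a parseable URL
        return ""

def visitors_from(lines, domain):
    """Per (IP, user agent): page and asset counts for clients referred by `domain`."""
    sessions = defaultdict(lambda: {"pages": 0, "assets": 0, "referred": False})
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:  # skip lines that are not in combined format
            continue
        s = sessions[(m["ip"], m["ua"])]
        host = referer_host(m["referer"])
        # Match the domain itself or a subdomain, never a look-alike suffix.
        if host == domain or host.endswith("." + domain):
            s["referred"] = True
        s["assets" if ASSET_RE.search(m["path"]) else "pages"] += 1
    return {k: v for k, v in sessions.items() if v["referred"]}

# Constructed sample lines (not taken from any real log).
SAMPLE = [
    '192.0.2.10 - - [02/May/2016:09:31:07 -0600] "GET /MySub/MyPage.html HTTP/1.1" 200 5967 "https://www.searchincognito.com" "UA-Firefox"',
    '192.0.2.10 - - [02/May/2016:09:31:08 -0600] "GET /css/site.css HTTP/1.1" 200 812 "http://example.com/MySub/MyPage.html" "UA-Firefox"',
    '192.0.2.10 - - [02/May/2016:09:31:08 -0600] "GET /img/logo.png HTTP/1.1" 200 4410 "http://example.com/MySub/MyPage.html" "UA-Firefox"',
    '198.51.100.7 - - [02/May/2016:10:02:44 -0600] "GET / HTTP/1.1" 200 24210 "http://r.searchincognito.com/" "UA-Script"',
    '203.0.113.5 - - [02/May/2016:10:05:12 -0600] "GET /index.html HTTP/1.1" 200 100 "http://notsearchincognito.com/" "UA-Other"',
]

if __name__ == "__main__":
    for (ip, ua), s in visitors_from(SAMPLE, "searchincognito.com").items():
        kind = "loads assets like a browser" if s["assets"] else "page only, no assets"
        print(ip, ua, s["pages"], s["assets"], kind)
```

Asset requests normally carry the site's own page as referrer, which is why the session is keyed on IP plus user agent instead of on the referrer field.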

aristotle

6:19 pm on May 2, 2016 (gmt 0)




Yes, I'm pretty sure that these are real human visitors. But I still think they may be using infected browsers.

wilderness

6:40 pm on May 2, 2016 (gmt 0)




I had UAs with FunWebProducts denied (may still) for the longest while because that product was a URL hijacker (replaced links of web pages with their spam links), however many folks disagreed with that analysis of FunWebProducts.

blend27

9:24 am on May 3, 2016 (gmt 0)




"FunWebProducts - Get thousands of smileys, screensavers, cursors and more cool stuff - all 100% free!"

I literally have that HARD-CODED within the first 15 lines of the site-access module, with the abort following it. I remember that at some point almost a half of my beloved AOL visitors were having Fun with their products, on the Web.