As of a few weeks ago, I started noticing a strange issue when I went to search for something on eBay Ireland (ebay.ie). As I started reading through the product listings in the search results, eBay intermittently redirected me to a product listing which generally had nothing to do with what I searched for. Once I clicked back to return to the previous page, eBay would work fine until I returned to the site some time later, such as the following day.
To rule out a potential problem with my browser, I cleared my cache and cookies, but got the unexpected redirection when I used eBay the next day. So to rule out my PC, I then tried a quick eBay search when I was at my workplace and also got unexpectedly redirected. Like my home PC, the redirection would take me to what appeared to be a random eBay product listing, which also was completely irrelevant to what I searched for.
After some further experiments over the following days, I found a few tell-tale signs that this was a dodgy ad-banner being loaded. Once I got redirected, I could not repeat this incident even when trying eBay in another browser or even another PC on the same network. This meant that whatever was redirecting me must have logged my IP address or some other detail about my Internet connection to prevent a second redirection for a certain period of time. Each time I was redirected, the URL shown did not have keywords like the URL that would be shown had I clicked a product listing.
I then tried reporting the issue to eBay, but got practically nowhere. They kept insisting it was a problem with my browser or that I needed a tutorial on how to use eBay, pointing me to various guides on how to clear my cache & cookies and even how to use eBay!
So I waited another day for the culprit to present itself again and ran the Fiddler web debugger before launching Firefox. I then went to ebay.ie and searched for whatever came to mind, in this case “oneplus one”. I left the browser sitting on the search results page. About 5 seconds later, it redirected me to the following page, which has nothing to do with the OnePlus phone:
With a trace recorded in Fiddler, I looked at that above URL to see what took me to that page and interestingly, the referrer URL domain is not eBay related:
The above URL appears to be some sort of price comparison tool where some script probably simulated clicking a result that led to that above page. So let’s continue the trace to see how my browser ended up at that bargain-market URL:
This time it’s a POST, which meant something had submitted a form at the bargain-market website. Let’s continue the trace to see what made this POST request:
It looks like either the site or something else had performed a second POST request, so on with the trace…
The culprit appears to be something running on the runcdns.com domain, which also appears to have made a GET request for the same above URL. So what made this request? Let’s continue the trace…
It appears to be a redirection from another page on runcdns.com. Notice the mention of ‘doubleclick.net’ and what appears to be the eBay search results URL. So the suspect culprit that fetched this URL is of no surprise:
To complete the trace, we can double check what fetched the doubleclick ad and sure enough it’s the URL of the eBay search results:
So what was going on? From a quick look at other items that were fetched on that page, that runcdns.com had also loaded the following content inside the ad banner in addition to the ad banner image:
So what I suspect is happening is that the series of redirects takes place in that obscured iframe, probably to simulate clicking an affiliate link when it redirects the main browser URL to the unexpected eBay product listing. As the eBay product has been irrelevant to what I searched for and never the same product twice each time I got redirected, this in turn probably avoids flagging something suspicious is going on to either eBay or any affiliate system involved.
After capturing a number of these traces, the series of redirects are very similar, but across different domains. For example, with a previous trace, the redirections used a different domain to runcdns.com, although all of the traces involved the bargain-market domain.
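The backward walk done by hand in Fiddler above (landing page, then its Referer, then whatever requested that) can be scripted over an exported trace, which makes it easier to compare the hosts involved across several captures. The following is an added example, not part of the original post: the session tuples and the `.example` hosts are constructed placeholders, and falling back to an origin-only match when the Referer has been trimmed is an assumption about how the trace was recorded.

```python
from urllib.parse import urlsplit

# Constructed sample trace: (id, method, url, status, referer, location).
# Hosts are placeholders, not the domains from the original capture.
SEARCH = "https://shop.example/sch?q=phone"
AD = "https://adnet.example/adi/slot1"
SESSIONS = [
    (1, "GET", SEARCH, 200, None, None),
    (2, "GET", AD, 200, SEARCH, None),
    (3, "GET", "https://cdn-a.example/r?u=adnet", 302, AD, "https://cdn-a.example/go"),
    (4, "GET", "https://cdn-a.example/go", 200, AD, None),
    (5, "POST", "https://compare.example/search", 200, "https://cdn-a.example/", None),
    (6, "POST", "https://compare.example/results", 200, "https://compare.example/search", None),
    (7, "GET", "https://shop.example/itm/12345", 200, "https://compare.example/results", None),
]

def origin(url):
    return urlsplit(url)[:2]  # (scheme, netloc)

def find_parent(sessions, cur):
    """Return the earlier session that most plausibly caused `cur`, or None."""
    cid, _, url, _, referer, _ = cur
    earlier = [s for s in reversed(sessions) if s[0] < cid]
    # 1. An HTTP 3xx response whose Location header is this URL.
    hop = next((s for s in earlier if 300 <= s[3] < 400 and s[5] == url), None)
    if hop or not referer:
        return hop
    # 2. Exact Referer match; 3. origin-only match (referrer policy may trim the path).
    exact = next((s for s in earlier if s[2] == referer), None)
    return exact or next((s for s in earlier if origin(s[2]) == origin(referer)), None)

def trace_back(sessions, final_id):
    """Walk from the unexpected landing page back to the page that started it."""
    cur = next(s for s in sessions if s[0] == final_id)
    chain = []
    while cur is not None:
        chain.append(cur)
        cur = find_parent(sessions, cur)
    return chain[::-1]

def third_party_hosts(chain):
    """Hosts in the chain that differ from the first-party host, in order seen."""
    first = urlsplit(chain[0][2]).hostname
    hosts = [urlsplit(s[2]).hostname for s in chain]
    return list(dict.fromkeys(h for h in hosts if h != first))

if __name__ == "__main__":
    for sid, method, url, status, _, _ in trace_back(SESSIONS, 7):
        print(sid, method, status, url)
```

Running `third_party_hosts` over the chain from each capture and comparing the lists shows which intermediary hosts change between incidents and which stay constant.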
From further testing, this issue does not occur when Doubleclick ad banners are blocked and so far I’ve only experienced it while using the Firefox browser with eBay.ie (eBay Ireland). I am also not aware of any other websites where a similar issue occurs.
As it appears that Doubleclick is being tricked into loading third party content into an iframe, this trick could potentially be used by rogue advertisers to load malware-infected webpages in the iframe.
Update: I got redirected while searching on ebay.ie in Internet Explorer 11, so it’s not just Firefox it targets as I initially thought.
Update 2: Rubicon Project contacted me for a Fiddler trace to investigate and it appears that the culprit has now been dealt with.