The Mysterious Redirected Web Request

I was sitting at the kitchen table working on a project a while back when a commercial came on advertising “quick-cook weekday eggs“.

It’s an ad campaign from the egg farmers of Canada (this country uses supply management for the primary staple type items — cheese, chicken, dairy, etc — which means each has fairly robust advocacy groups and has a healthy state without enormous agricultural subsidies like you see in the US), presumably to remind people that eggs are a speedy cook even when time is limited.

I was curious if they really sold egg cartons with this weekday branding on it, so I pulled up Google and typed in “weekday eggs”. It suggested the autocomplete of “weekday eggs real” and to satisfy my curiosity if people really wondered, I chose that.

The top link was to “Introducing the new Weekday Eggs – Cossette“, a non-TLS http result on the responsible ad agency’s website. I clicked it.

I was greeted with a “YOUR FIREFOX BROWSER IS EXPLOITED” etc page. The classic scam page with blinking text, bold colours, and alerts on navigation exhorting you to pay for a solution.

Weird.

I kill the tab and go through the process again but this time I get the ad agency site. In many recreations of this process I’ve never gotten the scam page again.

Paranoia rises. What was the source of this misdirection? Was the call coming from inside the house?

I immediately began an audit every piece of software on the laptop (Firefox itself being the latest, with a very minimal set of add-ons including uBlock Origin), then evaluating anything that could possibly be intercepting HTTP traffic. I am very cautious with the software that comes into my life so it’s a fairly achievable audit.

The laptop is a Lenovo Yoga 720, from a company notorious for their Superfish debacle. Could some of the laptop software be responsible for periodically intercepting legitimate connections? A thorough analysis, including with targeted debug sessions to see the entire call stack from Firefox through the operating system, seemed to exclude this possibility.

Then I had to look at my Asus Router (VPNFilter is making the rounds and while my router is behind a router is behind a router, there is always a possibility), and then to the cable company provided router. Did either of those interfere with normal traffic? I set up web tests to load a variety of HTTP resources around the net, verifying it for adulteration, logging every redirection.

Nothing.

I have no answers. This mystery pervades.

And in the end it could be malicious software on the other side. The site seems to be hosted on a bank of IPs that feature a number of other basic static sites, and it could be a shady revenue scheme to redirect a low enough percentage of requests that it could always be attributed to other things and waved away. At this point that seems the most likely scenario. Either that or my internet provider, or someone in between, is interfering with traffic.

So this post has no payoff in the end. I just had to document a mystery that still bothers me, returning to my mind-space more often than it should. It reminds me why TLS everywhere is so critical.