Chinese networks redirecting to wpkg.org

Published April 28th, 2015 at 1:18 PM EDT , modified April 28th, 2015 at 2:15 PM EDT

A couple of days ago, I got an e-mail message from someone who was having trouble with being redirected to wpkg.org frequently. We fruitlessly explored a number of possibilities, including adware, hacked sites and hacked wireless routers. As more reports have surfaced over the intervening period, though, it looks like this is a problem that only people connected to networks in China are experiencing.

It turns out that this problem is not related to adware or malware. It appears to be related to the presence of a Facebook Connect button on a website. For people in China, any website with such a button will be redirected to wpkg.org, or in some cases, ptraveler.com. Some people have reported that this redirect doesn’t happen all the time, but I’m unclear on whether this is simply because it’s not happening on sites without such a button, or whether it truly only happens sometimes on sites with a Facebook Connect button.

It’s unclear at this point whether this is a state-sponsored hack (or perhaps a bug in a state-sponsored attempt to block Facebook Connect buttons), or whether it is the work of third-party hackers who may or may not even be in China. Honestly, we may never know which is the case.

I would suggest that people in affected regions use a VPN (virtual private network) to “tunnel” out to another network that doesn’t have this problem. Many people in China are doing this already, as a means of bypassing the “Great Firewall of China.” I’m not aware of which VPNs are currently blocked by that firewall and which will go through, so I can’t advise which specific VPNs to use.

If you are unable to find a workable VPN that solves the problem, another possible solution would be to use an ad blocker, and set it to block the following URLs:

http://wpkg.org/my.js
http://www.ptraveler.com/pt.js

I don’t have any first-hand experience with how well this works, but have seen reports that it does.
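A quick way to confirm whether a page you just loaded actually carries a reference to one of the two scripts above (and so whether the ad-blocker rule is the right fix for you) is to scan the page's HTML for script tags pointing at those hosts. The following is an added example, not code from the original post or from any of the sites mentioned; it assumes you save the page source to a file or pass the HTML text in from your own fetch, and the sample markup embedded in it is constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Script URLs named in the post as the source of the redirect; matching is done
# on the host part so that "//wpkg.org/my.js" or a "www." variant is caught too.
REDIRECT_SCRIPT_URLS = {
    "http://wpkg.org/my.js",
    "http://www.ptraveler.com/pt.js",
}


def _host(url):
    """Host name of a URL with any leading 'www.' stripped, '' if absent."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


REDIRECT_HOSTS = {_host(u) for u in REDIRECT_SCRIPT_URLS}


class ScriptSourceCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser already lowercases tag names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def find_redirect_scripts(html_text, page_url="http://example.com/"):
    """Return the absolute script URLs in html_text that point at the redirect hosts.

    Relative and protocol-relative src values are resolved against page_url
    (an assumed base; pass the real page address when you have it).
    """
    parser = ScriptSourceCollector()
    parser.feed(html_text)
    hits = []
    for src in parser.sources:
        absolute = urljoin(page_url, src)
        if _host(absolute) in REDIRECT_HOSTS:
            hits.append(absolute)
    return hits


# Constructed sample page: a Facebook SDK include followed by an injected
# protocol-relative reference to the wpkg.org script. Not captured from a real site.
SAMPLE_HTML = """<html><head>
<script src="https://connect.facebook.net/en_US/sdk.js"></script>
<script type="text/javascript" src="//wpkg.org/my.js"></script>
</head><body><div class="fb-login-button"></div></body></html>"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for url in find_redirect_scripts(text):
        print("redirect script reference:", url)
```

Run it against a saved copy of an affected page (`python scan.py page.html`); an empty result on a page that still redirects you points at a cached DNS answer rather than injected markup, which is the case the updates below describe.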

Updates

Tuesday, April 28, 2015 @ 1:52 PM EST: Checking the two URLs mentioned above, it looks like the script on wpkg.org is still present at this time, but the one on ptraveler.com has been removed.

…later, @ 2:12 PM EST: Brian Krebs has now posted a good article on this matter, which says that the problem has already been fixed. Those still being affected are probably using cached DNS data. Depending on whether the cached data is on the affected person’s computer or at their internet service provider’s DNS, it may (or may not) be helpful to flush the DNS cache.
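Whether flushing helps depends on where the stale answer lives, and you can tell the two cases apart by asking your system resolver and an outside resolver the same question and comparing. The script below is an added example, not part of the original post: it builds and parses raw DNS A queries itself so that the reference lookups bypass the operating system's cache entirely. It assumes the public resolvers 8.8.8.8 and 1.1.1.1 are reachable on UDP port 53; the embedded wire-format response used for the offline demonstration is constructed and uses an RFC 5737 test address.

```python
import socket
import struct

# Assumed reference resolvers; replace with any you trust that are reachable.
REFERENCE_RESOLVERS = {"Google": "8.8.8.8", "Cloudflare": "1.1.1.1"}


def _encode_name(name):
    """Encode a host name in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Build a minimal recursive (RD=1) DNS query for the A record of name."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def query_a(server, name, timeout=3.0):
    """Ask one specific resolver for the A records of name, bypassing the OS cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return sorted(parse_a_records(data))


def answers_diverge(results):
    """True if the resolvers in results (label -> sorted address list) disagree."""
    return len({tuple(addrs) for addrs in results.values()}) > 1


# Constructed response: www.example.com A 192.0.2.1, answer name compressed as a
# pointer to the question name at offset 12. Used only for the offline demo/test.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + _encode_name("www.example.com") + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    results = {"system": sorted(socket.gethostbyname_ex(host)[2])}
    for label, server in REFERENCE_RESOLVERS.items():
        try:
            results[label] = query_a(server, host)
        except OSError as exc:
            results[label] = [f"error: {exc}"]
    for label, addrs in results.items():
        print(f"{label:10s} {', '.join(addrs)}")
    print("answers diverge" if answers_diverge(results) else "answers agree")
```

If only the "system" line differs, the stale record is in your own machine's cache and flushing it (or, for Chrome, clearing its built-in host cache) will help; if the outside resolvers agree with the bad answer, the cached data sits upstream and you can only wait for it to expire or route around it with a VPN. One caveat: a network that transparently intercepts all port-53 traffic will answer on behalf of the reference resolvers too, so identical answers from every source are not by themselves proof that the record is correct.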


14 Comments

  • Ofelia says:

    What exactly is wpkg dot org? (not posting it in link form if it’s a bad thing.)

    • Thomas says:

      As far as I’m aware, it seems to be a legit open-source software deployment tool for Windows. Their site may have been hacked, or they may be something more than they appear to be.

  • Emma says:

    Hi Community

    This is my bad experience. I have also followed the instructions as Thomas said and initially it worked well… yesterday. Today I have the problem again, and I have been using a VPN for a long time before. This happens with Firefox. If I use for example Opera, I have no problem.

    Besides, and maybe it is not related, my Mail stopped working and now I cannot see my mails by this means. Has anybody some other solution?

  • Gill says:

    I am using a VPN and still have the problem. It is happening with Firefox and Chrome. I will try Safari and Opera but it is only a matter of time before they figure that out too.

  • Marcel says:

    I had the problem and solved it by using AdBlock. Make sure to clear your cache once you blocked the wpkg website.

  • KWitberg says:

    This is clearly wrong. I returned from China 2 days ago and I still have big problems with WPKG.ORG redirection. In fact, the problems are getting worse. The hotel I stayed in also had problems with this.
    I have installed Adblock Plus with the recommended filters, I have run Spyhunter but to no avail.

  • TF1973 says:

    I’m working in China and have faced the problem since this week.

  • Eric says:

    Hi guys,
    Recently I was experiencing the same problem and I fixed it by binding these two URLs in my host list.
    You might try it out to see if it works for you.

    PS: Please remember to clear cache and cookies after binding the two URLs

  • Sergio says:

    Hi there,

    I came back home from China after Beijing and Shanghai trip on May 4th.

    I was experiencing the same problems on Google Chrome and Safari browsers, that started by the end of April, 2015.

    Today I was using my MacBook and the websites were still being auto-forwarded to wpkg.org.

    I followed the instructions and they solved the issue:

    1.) Flush DNS
    2.) Clear the browser cache

    I had to follow the 2 (two) steps above for 2 (two) times before finally solving the problem.

    Thank you for your help! Bye bye!

  • PhilCQ says:

    It is not solved by using a VPN, as I have one that is functional and still usable here in China. It also seems to be browser-specific: in my case, Chrome will redirect to the wpkg site, but Firefox and Safari still do not.

    In addition to the annoyance, I am concerned that this bug is also allowing the possibility of collecting data from my computer via the affected browser. Is this a valid concern?

    All best

    • Thomas says:

      Chrome includes its own DNS cache. If it’s the only browser exhibiting the problem, you’ll probably need to clear that. In Chrome, go to:

      chrome://net-internals/#dns

      Then click the Clear Host Cache button.

      It would certainly be possible for a government intent on filtering the internet for all its citizens to be collecting that data. Using a VPN that bypasses China’s filtering will solve that problem.

  • Mahesh says:

    I am facing a problem of ad.adsmatt every time I open any browser. I have cleared all cookies and still it is of no use. Kindly guide.
