Chinese networks redirecting to wpkg.org
Published April 28th, 2015 at 1:18 PM EDT, modified April 28th, 2015 at 2:15 PM EDT
A couple of days ago, I got an e-mail message from someone who was having trouble with being frequently redirected to wpkg.org. We fruitlessly explored a number of possibilities, including adware, hacked sites and hacked wireless routers. As more reports have surfaced over the intervening period, though, it looks like this is a problem that only people connected to networks in China are experiencing.
It turns out that this problem is not related to adware or malware. It appears to be related to the presence of a Facebook Connect button on a website. For people in China, visiting any website with such a button results in a redirect to wpkg.org, or in some cases, ptraveler.com. Some people have reported that this redirect doesn’t happen all the time, but I’m unclear on whether this is simply because it’s not happening on sites without such a button, or whether it truly only happens sometimes on sites with a Facebook Connect button.
It’s unclear at this point whether this is a state-sponsored hack (or perhaps a bug in a state-sponsored attempt to block Facebook Connect buttons), or whether it is the work of third-party hackers who may or may not even be in China. Honestly, we may never know which is the case.
I would suggest that people in affected regions use a VPN (virtual private network) to “tunnel” out to another network that doesn’t have this problem. Many people in China are doing this already, as a means of bypassing the “Great Firewall of China.” I’m not aware of which VPNs are currently blocked by that firewall and which will go through, so I can’t advise which specific VPNs to use.
If you are unable to find a workable VPN that solves the problem, another possible solution would be to use an ad blocker, and set it to block the following URLs:
I don’t have any first-hand experience with how well this works, but have seen reports that it does.
Tuesday, April 28, 2015 @ 1:52 PM EST: Checking the two URLs mentioned above, it looks like the script on wpkg.org is still present at this time, but the one on ptraveler.com has been removed.
…later, @ 2:12 PM EST: Brian Krebs has now posted a good article on this matter, which says that the problem has already been fixed. Those still being affected are probably using cached DNS data. Depending on whether the cached data is on the affected person’s computer or at their internet service provider’s DNS, it may (or may not) be helpful to flush the DNS cache.