I started looking for signs of malware on my machine - suspicious running processes or network activity, past logins, modified system files, and I even ran an antivirus scan. Then at some point Firefox connected to news.ycombinator.com without the website being open. I saw the connection appear in `about:networking`, but I didn't know what made it (and didn't have time to learn how to find out). The HackerNews moderator I talked to earlier told me that there was another attempt to submit an article around that time and gave me its address.
My first thought was that it must be a compromised extension. I found the domain name and a significant portion of the URL of the article in a file belonging to AdNauseam (https://adnauseam.io/), an ad blocker based on uBlock Origin that also clicks on ads. There was no mention of it being compromised on the Internet.
The article was one I had read at some point, and had a "Share this on Hacker News" link pointing to the address generated by the bookmarklet (https://news.ycombinator.com/bookmarklet.html). One of the filter lists I had enabled tries to detect "Share this" links, so AdNauseam hid the link and clicked on it quite a few times. I still have to figure out why there were so many requests because I think I only visited that website once.
Luckily no submission was actually made because AdNauseam didn't click on the button on the submission page itself.
1 comments