Phishy-Looking Donation Request from Adblock Plus?

Discussion on adblockplus.org website and translations
EdPenguin
Posts: 2
Joined: Sat Apr 25, 2020 5:33 am

Phishy-Looking Donation Request from Adblock Plus?

Post by EdPenguin »

Not sure where to post this, but figured it was worth getting somebody's eyes on this.

I was browsing when one of my new tabs was redirected to a page requesting donations for Adblock Plus with the URL h_t_t_p_s_:_/_/_n_e_w_._a_d_b_l_o_c_k_p_l_u_s_._o_r_g_/_u_p_d_a_t_e (minus the underscores)

If it's a legitimate fundraiser, then I apologize for the false alarm, but I was under the impression Adblock Plus was primarily funded through means other than donations, and also was not yet set up to accept donations via credit card.
greiner
ABP Developer
Posts: 899
Joined: Mon Sep 03, 2012 5:29 pm
Location: Cologne, Germany

Re: Phishy-Looking Donation Request from Adblock Plus?

Post by greiner »

Thanks for reporting it and I can confirm that this page is indeed coming from us (see ui#730).

This particular experiment is based on how other adblockers are asking their users for donations but we're trying to avoid interrupting anything users are doing (see release notes which includes links to the various development issues with further details). On top of that, we're rolling it out very carefully and are closely listening to user feedback on that. So if there's something you like or dislike about it, please share it with us because it's going to be helpful for us with this and any other future experiments. For example, we want to make it absolutely clear to users whenever we're opening a page that it's coming from us. So any further information on why you think it looks phishy and/or suggestions on what we should change, in your opinion, would be quite interesting for us to look into.

Generally, we are currently trying out different ways to get people engaged with Adblock Plus which includes donations, ratings but also other kinds of contributions. All of those are a tremendous help for us for keeping Adblock Plus open and free and for users to have control over the Adblock Plus project.
EdPenguin wrote: but I was under the impression Adblock Plus was primarily funded through means other than donations
That's correct (see How is Adblock Plus financed). Those funds not only help us with Adblock Plus but also with other projects that we're working on such as Flattr, Sentinel, Trusted News as well as other projects that we think can help content creators and users alike. They also help us fund our efforts to keep ad blocking legal across the globe. Donations, on the other hand, are a more direct way to support our work on Adblock Plus itself.
EdPenguin wrote: and also was not yet set up to accept donations via credit card.
I remember that we used to support credit card payments in the past (see trac#157) but we had to drop support for it (see web.adblockplus.org#222). We also used to support Bitcoin donations but had to remove them due to accounting problems with microtransactions (see trac#1758). So depending on the results of this experiment, credit cards may or may not be supported again.
EdPenguin
Posts: 2
Joined: Sat Apr 25, 2020 5:33 am

Re: Phishy-Looking Donation Request from Adblock Plus?

Post by EdPenguin »

Thank you for your very detailed reply and thank you for the work you do to maintain Adblock Plus. I'm glad to know that this solicitation was legitimate.

As for why I suspected foul play, I think it was a combination of factors. I'll try to walk through my thought process as I considered the page.

For starters, this request appeared very unexpectedly. I had never received this sort of solicitation from Adblock Plus in any media, yet this one appeared as an automatic redirect from a game wiki that I was browsing. I am aware that some phishing attempts will use scripts hidden either in a poorly-screened ad, or in the code of an attacked page to redirect a browser from the original site to their own page, and I am aware that because wiki pages are modifiable by third parties as part of their function, they can be especially vulnerable, so this already raised my hackles.

The content of the page itself looked legitimate, but looking at the web address I'd been directed to, I noticed that the domain was "new.adblockplus.org" rather than simply "adblockplus.org" as this forum and the main page of Adblock Plus have. The digital certificate read as valid in my browser, but I couldn't find any reference to what entity this certificate was licensed to through that avenue, and I am unsure of the rules regarding obtaining a .org domain, so I couldn't be sure if this was simply the attempt of a very well-invested scam.

As I couldn't determine to my satisfaction whether the request was legitimate or not, I decided that rather than risk being fooled by a page I thought was suspicious, I should instead go directly to your main website and make my donation there. It was then that I discovered that you did not have the option to donate via credit card on your website and, in general, do not seek donations on the whole. That was the final piece of information that prompted me to seek your attention.

Again, I am glad to know that this was simply a false alarm. Thank you again for your reply, and I hope my thoughts provide you with helpful insight.

P.S. A suggestion I just recalled that I would make: if the solicitation appeared in a way that directly connected to or appeared from the browser widget that appears next to the address bar, an element which I am familiar with and already associate with Adblock Plus, I would likely have been less suspicious. I am unsure if there is a method you could use that avenue with that would appear non-intrusive enough while also being compelling enough to yield results, but those are my thoughts.
greiner
ABP Developer
Posts: 899
Joined: Mon Sep 03, 2012 5:29 pm
Location: Cologne, Germany

Re: Phishy-Looking Donation Request from Adblock Plus?

Post by greiner »

Those are all excellent points so thank you for taking the time to elaborate on it to help us with understanding your line of thought.

The reason why we used new.adblockplus.org instead of adblockplus.org was that it made it easier and safer for us to scale up our infrastructure without interfering with anything else that's running on adblockplus.org. Therefore any potential problems that could have arisen would have been limited to new.adblockplus.org. Regarding the missing entity in the certificate, I'll let Ops know about it because I don't know whether or not this was done intentionally.
EdPenguin wrote: P.S. A suggestion I just recalled that I would make: if the solicitation appeared in a way that directly connected to or appeared from the browser widget that appears next to the address bar, an element which I am familiar with and already associate with Adblock Plus, I would likely have been less suspicious. I am unsure if there is a method you could use that avenue with that would appear non-intrusive enough while also being compelling enough to yield results, but those are my thoughts.
This is how we most commonly communicate with users. The main problem with it is, however, that browsers nowadays don't allow extensions to open this widget by themselves. Therefore messages like these tend to go unnoticed for many users unless they click on the icon to interact with the extension. That's why we're always trying to experiment with different approaches to work around those limitations.

If you're curious, we are trying to make some improvements to draw more attention to those messages though, such as by animating the toolbar icon to show there's a new message in the widget (see ui#162 and ui#594).

Another approach we can look into is opening a page that is contained within the extension, similar to the page that opens when you install Adblock Plus. We can also investigate what the best time is to open such a tab, in order to avoid situations where it may look like it was opened by an open webpage.
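
The domain question raised in this thread (new.adblockplus.org versus adblockplus.org) comes down to whether a host sits under a domain the reader already trusts. The following is an added example, not part of the original posts and not Adblock Plus code; the function name `classifyOrigin` and all sample URLs other than the two hosts named in the thread are constructed for illustration.

```javascript
// Added example: classify a URL's host against a domain the user already trusts.
// classifyOrigin is a hypothetical helper, not an Adblock Plus API.
function classifyOrigin(urlString, trustedDomain) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return "invalid";
  }
  if (url.protocol !== "https:") return "not-https";

  // URL.hostname is lowercased and excludes userinfo and port.
  // Drop a trailing root dot so "example.org." equals "example.org".
  const host = url.hostname.replace(/\.$/, "");
  const trusted = trustedDomain.toLowerCase().replace(/\.$/, "");

  if (host === trusted) return "exact";
  // Compare on a label boundary: the leading dot is what separates
  // "new.adblockplus.org" from a lookalike such as "notadblockplus.org".
  if (host.endsWith("." + trusted)) return "subdomain";
  return "foreign";
}

// Constructed sample URLs (only the first two hosts appear in the thread).
const samples = [
  "https://adblockplus.org/donate",
  "https://new.adblockplus.org/update",
  "https://NEW.AdblockPlus.org./update",
  "https://notadblockplus.org/update",
  "https://new.adblockplus.org.example/update",
  "https://adblockplus.org@evil.example/update",
  "http://new.adblockplus.org/update",
  "not a url",
];

for (const s of samples) {
  console.log(classifyOrigin(s, "adblockplus.org").padEnd(10), s);
}
```

A "subdomain" result only says the name is registered under the trusted domain; it does not say anything about who the certificate was issued to, which is the separate point raised about the missing entity.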