
I'm using Linux Mint Tara. When I browse through Firefox, occasionally an encrypted script gets injected into the page that I'm browsing. When I click anywhere on the page, it opens a popup ad. How do I detect, debug or get rid of this?

It uses several domains to inject encrypted scripts; the following are a few captured on metalstorm.net.

producebreed.com/rhZuYJzPiF4A/7259?ndn=ch1
allashail.club/rOE2tc1PoS95dtt/6921?ndn=ch1

There are others on other sites which lead to the same kind of popup, all of which finally lead to this same ad.

www.flipkart.com/?affid=galaksion&affExtParam1=675DF0D0-F015-11E9-AD30-A5250CAA7799&affExtParam2=23011

I'm stunned. I have replaced the default Firefox with the tarball, but this malware activity still persists. I use two add-ons on Firefox (Dark Reader by Alexander Shutau and Little Proxy by addONDeveloper).

Is it the sites' fault, or is it being injected from my system? How can I debug my system if it is some malware on my system?

Update:- (1)

After being paranoid about my first Linux setup, I attempted the same on Windows 10 and was able to reproduce the ad popups. Now I have arrived at the assumption that it was injected either by the wireless router (using TP LINK) or by the ISP.

Observations:-

  1. Could reproduce on HTTP sites but not on HTTPS sites of the same domain.

  2. Adblock Plus was not able to block some of its domains.

  3. On Linux it shows a redirect to the affiliate link (posted above), but on Windows it shows a popup to install a Firefox update by clicking a flashy link (lol); must be adware/malware. The adscript redirect flow was:

    1. beebuyart.club/rEf9VJuYlrzh/6934?ndn=ch1
    2. bumcapale.site/itBijexW4tbTS9g8xadln/3276?param_2=6934
    3. operateextremelyswiftsoftware.icu/ztqvfI7dezj3gbC3YoH5Y_zIsFAxcXiBNPSK8NeX69I?clck=12819_11387_31571234720101895&sid=s33371587

adscript injection

I'll post the answer myself if I'm able to debug my router or check if ISP is injecting scripts. Please suggest if you know of tools to debug source of this adscript.

Update:- (2)

After browsing for articles related to the ISP in question (BSNL), I found plenty of questions on SE and a Reddit thread.

Reddit thread

https://www.reddit.com/r/IndiaSpeaks/comments/a9nsoz/bsnl_is_not_injecting_the_ads_into_our_http/

Related

https://security.stackexchange.com/questions/157828/my-isp-bsnl-india-is-injecting-ads-using-phozeca-which-spoils-websites-and-mak

Blocking the ISP's ads appearing after a possible DNS grab and redirect via port 53?

ISP is inserting ads into web pages

  • Did you get any update from BSNL regarding this? This is a very shady practice from a major ISP. I've submitted multiple complaints but no response so far. Commented Dec 28, 2019 at 5:47
  • There's some discussion around this issue in this forum too -- broadbandforum.co/t/169151/post-1399705 Commented Dec 28, 2019 at 6:05



The problem is likely ingrained in your Firefox profile. Start Firefox with a blank profile: create a directory and start Firefox with:

firefox --profile $directory

If that instance of Firefox looks clean then the profile hypothesis gets some traction.

In which case the best course of action is to rename your standard profile, let Firefox create a new one, and copy over a few things (saved login/passwords, bookmarks etc...).

If you want to play detective, start Firefox with the compromised profile and look for a proxy or some unknown add-on (preferably in a VM).

  • Thank you for the answer. I had done it already; I tried it on a fresh Windows system to make sure my Linux system did not have malware. I never thought of the ISP injecting malware. I have added related questions from SE as an update.
    – Ajay Singh
    Commented Oct 17, 2019 at 3:53
  • Aw; the ISP. Didn't think about that. If the scripts come from tinypass, you can always add the tinypass server to your /etc/hosts and set the address to 127.0.0.1 :)
    – xenoid
    Commented Oct 17, 2019 at 7:13

This is a general issue with non-encrypted webpages. They can be modified in transit by your ISP, or any other server in between you and the website. You should consider the following:

  • Using a VPN to stop your ISP snooping on your browsing habits and modifying the contents of web pages.
  • Using an extension like HTTPS Everywhere to ensure you're using HTTPS on all websites that support it (and you can even disable non-secure connections entirely).
  • Telling the administrator of the website to reconfigure their servers to only serve over HTTPS. This can be done with HSTS and 301 permanent redirects. Every website admin should be enforcing this, given the world we now live in.
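An added example, not code from the question or either answer, that ties together the questioner's observation that the injection only reproduces on HTTP and this answer's HSTS/301 recommendation. It fetches the same page over HTTP and HTTPS without following redirects, reports script tags present only in the HTTP copy (candidates for in-transit injection by a router or ISP), and checks whether the plain-HTTP response redirects to HTTPS and whether the HTTPS response carries Strict-Transport-Security. The embedded sample pages, the hostname injected.example and its ad.js are constructed for this example.

```python
"""Compare a page fetched over HTTP with the same page over HTTPS to spot
scripts that only appear in the unencrypted copy, and check whether the
site enforces HTTPS (redirect + HSTS).  Added example, not from the page."""
import hashlib
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and short fingerprints of inline scripts."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._inline = None  # text buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add(src)
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.add("inline:" + hashlib.sha256(body).hexdigest()[:12])
            self._inline = None


def script_sources(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(http_html, https_html):
    """Scripts seen only in the HTTP copy: candidates for in-transit injection."""
    return sorted(script_sources(http_html) - script_sources(https_html))


def check_https_enforcement(http_status, http_headers, https_headers):
    """Given the unfollowed response to a plain-HTTP GET and the headers of the
    HTTPS response, report redirect-to-HTTPS and HSTS (case-insensitive names)."""
    http_h = {k.lower(): v for k, v in http_headers.items()}
    https_h = {k.lower(): v for k, v in https_headers.items()}
    location = http_h.get("location", "")
    return {
        "redirects_to_https": http_status in (301, 302, 307, 308)
        and location.lower().startswith("https://"),
        "permanent_redirect": http_status in (301, 308),
        "hsts": https_h.get("strict-transport-security"),
    }


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx to the caller instead of following it


def fetch(url):
    """Return (status, headers dict, body text) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still carry headers + body
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


# Constructed sample pages standing in for real fetches; the injected <script>
# and the hostname injected.example are made up for this example.
HTTPS_SAMPLE = """<html><head><script src="/static/app.js"></script>
<script>window.config = {theme: "dark"};</script></head><body>hi</body></html>"""
HTTP_SAMPLE = HTTPS_SAMPLE.replace(
    "</body>", '<script src="http://injected.example/ad.js"></script></body>')


if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python inject_check.py example.com
        host = sys.argv[1]
        status, http_headers, http_body = fetch("http://" + host + "/")
        _, https_headers, https_body = fetch("https://" + host + "/")
        print("enforcement:", check_https_enforcement(status, http_headers, https_headers))
        print("http-only scripts:", injected_scripts(http_body, https_body))
    else:
        print("http-only scripts:", injected_scripts(HTTP_SAMPLE, HTTPS_SAMPLE))
```

Run it with a hostname to compare live copies, or with no argument to see the constructed sample flagged. A script that shows up only in the HTTP copy is not proof of ISP injection on its own (a site may legitimately serve different markup), so repeat the comparison from a different network (a VPN or mobile connection, as the answer suggests) before blaming the access network.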

