twitch.tv trojan

renzoku

Anyone else get a Windows Security warning for a trojan when visiting or refreshing any twitch.tv page...?

Happens for me even on a clean standalone install of Vivaldi.

Not sure if it's a Vivaldi or Windows 10 problem.

Pesala

@renzoku No such warning here in the Stable version, nor in the latest Snapshot.

I recommend running Malwarebytes.

Catweazle

@renzoku , no problems here, also VT nor URLvoid don't show anything suspect.
2 possibilites
A false positive > update the Defender
or some existing hijacker malware which redirect your URL > Scan wit MalwareBytes, or better with the Panda Cloud Cleaner (100% free).

Pathduck

My guess is it's a scam popup, trying to get you to call a number and they will try to trick you out of your money. Whatever you do, don't call that number or download anything that popup leads you to.

It would be interesting to see a screenshot of that popup.

Most likely it's triggered by allowed notifications/service workers from some shady site. No idea why it would only popup on Twitch. A really shady extension could cause it as well.

Check:
chrome://settings/content/notifications
If any sites are allowed to send notifications

Check:
vivaldi://serviceworker-internals
If any SWs are registered from sites you don't recognise.

Open extensions page in Vivaldi and examine your extensions. Take a screenshot of the page and share here.
https://help.vivaldi.com/desktop/appearance-customization/extensions/

Pathduck

Did some more digging, found this:
https://www.reddit.com/r/Twitch/comments/i7ezey/twitchtc_computer_virus/

Apparently, a small typo is all it takes. No idea why Twitch doesn't take some legal action against this nasty scam, or even buy out the domain...

Note the redirected URL, faking bluescreen in the background. It would probably try to force the browser into full-screen, thankfully modern browsers won't allow that.

If you click "Allow" it will put the site into full-screen. It's even got spoken audio and hides your mouse cursor - no wonder people get tricked!

╭──────────────────────────╮
│ ASN lookup for twitch.tc │
╰──────────────────────────╯
- Resolving "twitch.tc"... 1 IP address found:

 103.224.182.253 ┌PTR lb-182-253.above.com
                 ├ASN 133618 (TRELLIAN-AS-AP Trellian Pty. Limited, AU)
                 ├ORG Trellian Pty. Limited
                 ├NET 103.224.182.0/23 (TRELLIAN-AU)
                 ├ABU [email protected]
                 ├ROA ✓ UNKNOWN (no ROAs found)
                 ├TYP  Proxy host   Hosting/DC
                 ├GEO Beaumaris, Victoria (AU)
                 ├CPE [APP: apache:http_server:2.4.38]
                 ├POR Open ports: 80, 443, 9009
                 ├CVE  39 VULNERABILITIES FOUND  (check https://internetdb.shodan.io/103.224.182.253)
                 └REP ✓ NONE

This server then does a lot of redirects to the domain ondigitalocean.app where the actual scam site is hosted.

Note: You won't get "infected" by simply visiting the site, but never, ever call the number or download anything from such a site.

This is the kind of site that makes Youtubers like Jim Browning famous

CrashKZ

I had this issue last night. Every time I refreshed one particular twitch channel, Windows would notify me that it detected a virus or something.