IT’S GEEK TO ME: Suspicious browser behavior could indicate it’s been hijacked

Question: Using the Edge browser with no home page specified. It comes up with multiple (pages and pages) of stories to click on. When I click on one, a new tab is created, the selected page comes up for a few seconds, then a blank page comes up and just sits there. Nothing on the page, just white space. The page address is “[REDACTED]” with more characters all the way across the address bar. I have to close the new tab, go back to the original tab, then click on the story again and it comes up in a new tab and works just fine. Any idea what the xpaycdn is and, better yet, how do I get rid of it? Thanks.

– Bob S.

Fort Walton Beach, Florida

Answer: There is a lot of ground to cover here, Bob, as you have one main question and several implied issues for which I feel compelled to provide information.

First, the configuration of your so-called home page (a term that is largely an anachronism these days). With the creation of web portals and search engines, a personal home page is no longer necessary. The home page has morphed into the start page, which is simply any page or group of pages that you choose to display when the browser first starts up, or even when you open a new tab. What you described is Microsoft Edge’s default “new tab page.” It’s full of links that Microsoft has selected that probably generate revenue for every click. That is, until the clicks don’t take you to the linked page, as you’re currently experiencing.

I hate to say it, but the behavior that you described sounds suspiciously like the work of a malware infestation of some sort. When you click a link and your browser lands somewhere other than the expected address, that’s generally known as redirection or browser hijacking. While that may sound bad (and it generally is), there are some desirable types of redirection, such as the TinyURL links that I use here in the column to reduce the size of large, hard-to-type links for publication. When you enter or click on one of these TinyURL links, the TinyURL website redirects your browser to the original site that was associated with the shortened URL. That is normal and expected behavior, but a change of the destination for every link you click is definitely not normal.

I spent some time analyzing the link you provided. First, those “characters all the way across the address bar” that you mentioned are what uniquely identify you to this website, for whatever purpose they have. I couldn’t pretend to be you though, since I didn’t have a complete key to provide.

I have a safe sandbox where I can visit suspicious links without having to worry about whether I will catch malware from them, so I did some experiments. I managed to get the same apparently empty white screen that you did, but in examining the underlying source that the site sent to my browser, there is definitely some content there. However, the actual body of the page is non-existent, so the browser renders it as a blank page.

I did some searching on as a URL, with a focus on whether it is known to serve up malware, but could find nothing at all, which I thought rather unusual. That means either this is a legitimate site, or it hasn’t been around long enough to be detected and catalogued by the sites that do that sort of work.

What I can tell you is that the acronym CDN (part of “xpaycdn”) stands for Content Delivery Network. This is a group of geographically separated servers that each contain similar or identical content so it can be delivered faster than loading it from the Internet at large. This may sound innocent, but there is an increasing use of CDNs to deliver malware, and this very well could be an example of that in action.

Since I can’t say with confidence exactly what’s going on with your computer, the best advice I can give you is to treat this like a malware infestation. Use programs like Malwarebytes, CCleaner, or AdAware, and scan, scan, scan until you shake something loose. I wish you luck!
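For readers who want to repeat the page-source check described above on a saved copy of a page, here is an added example (not part of the original column) that reports what the source contains even when nothing is drawn on screen. The sample page, its example hostnames and the `triage` helper are all constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: source that carries content but has an empty body.
SAMPLE_SOURCE = """<!DOCTYPE html>
<html><head>
<meta http-equiv="refresh" content="5; url=https://redirect.example/next">
<script src="https://cdn.example/loader.js"></script>
<script>var t = "constructed-token";</script>
</head><body>
</body></html>"""

class BlankPageTriage(HTMLParser):
    HIDDEN = {"script", "style", "noscript", "template"}  # never drawn as text
    DRAWN = {"img", "iframe", "video", "canvas", "svg", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.in_body, self.hidden_depth = False, 0
        self.visible_text, self.drawn_elements = [], 0
        self.external_scripts, self.inline_scripts = [], 0
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body":
            self.in_body = True
        if tag in self.HIDDEN:
            self.hidden_depth += 1
        if tag == "script":
            if a.get("src"):
                self.external_scripts.append(a["src"])  # code fetched from elsewhere
            else:
                self.inline_scripts += 1
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")  # timed redirect
        if self.in_body and tag in self.DRAWN:
            self.drawn_elements += 1

    def handle_endtag(self, tag):
        if tag in self.HIDDEN and self.hidden_depth:
            self.hidden_depth -= 1
        if tag == "body":
            self.in_body = False

    def handle_data(self, data):
        # Only text inside <body>, outside script/style, is shown to the user.
        if self.in_body and not self.hidden_depth and data.strip():
            self.visible_text.append(data.strip())

def triage(source):
    p = BlankPageTriage()
    p.feed(source)
    p.close()
    return {"renders_blank": not p.visible_text and not p.drawn_elements,
            "external_scripts": p.external_scripts, "inline_scripts": p.inline_scripts,
            "meta_refresh": p.meta_refresh}
```

This is a static read of the source only: it never runs the scripts it finds, so a page that draws its content with script after loading will still be reported as blank.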
