Posted By: artie505 apmebf.com - 01/01/11 11:49 PM
I got curious about a recurring cookie, apmebf.com, and did a bit of research, and Google turned up What is Cookie Apmebf.

A bit alarmed, I cleared my unnecessary cookies, quit and relaunched Safari, opened up my bookmarked pages one at a time, and discovered that the cookie materializes when, after logging out of PayPal, I'm redirected to PayPal Shopping, so I notified PayPal that they're spreading this malware either knowingly or unknowingly.

More importantly, though, do I have anything to worry about even though I clear the cookie as soon as I find it? (I'm not entirely clear about what it actually does.)

Thanks.
Posted By: ryck Re: apmebf.com - 01/02/11 01:25 AM
Thanks for the caution.

I've used PayPal a fair amount over the past six or seven weeks, so I checked my drive. I seem to be clean.

ryck
Posted By: ...JER Re: apmebf.com - 01/02/11 02:00 AM
I checked my cookies in both Safari and Firefox and found 2 for each.
Posted By: MacManiac Re: apmebf.com - 01/02/11 03:52 AM
Artie,

This appears to be a legacy topic that is directed primarily at Windows users. I saw no mention of it affecting the MacOS in the manner that was described for Windows......doesn't mean that it doesn't, just that it wasn't getting comments from the Mac community.

FWIW, your link is dated information tracing back to April 2005 and was last updated in May of 2006. A deeper Google search was not any more informative for recent hits.

I found a pair of Apmebf cookies when I searched in my Safari repository and removed same, but have not noted any observable adverse or unusual effects prior to removing them.....I'll report back if they recur.
Posted By: artie505 Re: apmebf.com - 01/02/11 04:37 AM
Originally Posted By: ryck
Thanks for the caution.

I've used PayPal a fair amount over the past six or seven weeks, so I checked my drive. I seem to be clean.

ryck

It's PayPal Shopping that's spawning the cookie, ryck, so if you either don't get redirected from PP's logout page to PPS or close the logout page before the redirect begins you don't get the cookie.

And, on the other hand, living in Canada, you may be dealing with a different entity than the one with which I'm dealing.
Posted By: artie505 Re: apmebf.com - 01/02/11 04:46 AM
Originally Posted By: MacManiac
Artie,

This appears to be a legacy topic that is directed primarily at Windows users. I saw no mention of it affecting the MacOS in the manner that was described for Windows......doesn't mean that it doesn't, just that it wasn't getting comments from the Mac community.

FWIW, your link is dated information tracing back to April 2005 and was last updated in May of 2006. A deeper Google search was not any more informative for recent hits.

I found a pair of Apmebf cookies when I searched in my Safari repository and removed same, but have not noted any observable adverse or unusual effects prior to removing them.....I'll report back if they recur.

I, too, didn't find anything that indicated that this was a Mac issue, nor have I noticed any unusual behavior (which is not to say that something's not just slipping by me) but cookies are so generic that concern seems warranted.

And as for apmebf.com's "antiquity," which I also noted... From where has it been resurrected, and why is PayPal spreading it?
Posted By: ganbustein Re: apmebf.com - 01/02/11 06:17 AM
Originally Posted By: artie505
I got curious about a recurring cookie, apmebf.com, and did a bit of research, and Google turned up What is Cookie Apmebf.


The page linked to says:
Quote:
Apmebf prevents access from programs to websites of several companies related with security tools (antivirus programs, firewalls, etc.).

Apmebf redirects attempts to access web pages of certain banks to spoofed pages, with the aim of logging information entered by the user in these pages.

Apmebf redirects attempts to access several web pages to a specific IP address.

Excuse me, but how is it possible for a cookie to do any of those things? This sounds like scareware, as in "Panda security is so good we protect you from this evil that no one else is bothering to protect you from."

They may as well claim that Apmebf will cause acne or make the sun wink out of existence, for all the reasonableness of their warning.
Posted By: artie505 Re: apmebf.com - 01/02/11 09:26 AM
Hmmm... It did cross my mind that this thing seemed to have pretty miraculous capabilities, but I wrote my doubts off to my own lack of knowledge.

I just did some additional searching, though, and found Google Safe Browsing diagnostic page for apmebf.com (Recent: 2010-11-13) and Apmebf.com is an online advertising & affiliate marketing company, both of which indicate that the cookie is at least some degree of malicious if not as insidious as Panda claims it is.

Edit: Y'know... Considering PayPal's less than savory past it wouldn't surprise me in the least to find that they've partnered with a "shady" organization. Let's see if they respond to my e-mail.
Posted By: artie505 Re: apmebf.com - 01/05/11 08:25 AM
And respond they did...

My e-mail to them:
Quote:
'I've just discovered that when I log out of my
PayPal account and am redirected to PayPal Shopping a new cookie,
apmebf.com, which is malware, appears in my cookie file. (See
<http://www.pandasecurity.com/homeusers/security-info/#####/Apmebf>)

And their response:

Quote:
Thank you for sending us this information. We’ll review it and contact
you by email if we need to learn more. In the future, please forward
suspicious emails to spoof@paypal.com.

Is my writing that unclear? (Edit: Rhetorical question)

(I wonder whether tacit's not posting to this thread can be taken as a sign that the issue is nothing to be worried about?)
Posted By: joemikeb Re: apmebf.com - 01/06/11 10:48 PM
FWIW I use PayPal all the time on three different systems and there is no sign of the Apmebf cookie on any of them which would lead me to question PayPal as the source of your cookie. Perhaps a third party site you purchased something on and paid using PayPal rather than PayPal itself.

I found some other references to Apmebf which is variously referred to as spyware or a cookie and the consensus seems to be that it is a relatively low level threat. There are also some removal tools available, but the ones I found are PC Windows only. Apparently from the web sources the cookie is persistent and not easy to get rid of.
Posted By: artie505 Re: apmebf.com - 01/06/11 11:30 PM
Quote:
FWIW I use PayPal all the time on three different systems and there is no sign of the Apmebf cookie on any of them which would lead me to question PayPal as the source of your cookie. Perhaps a third party site you purchased something on and paid using PayPal rather than PayPal itself.

I've recreated that cookie numerous times while observing both my Safari page and cookie list in Expose, and there's no question about its source; I log out of PayPal, the next page tells me that I'll be redirected to PayPal Shopping in 5 seconds, and immediately preceding the appearance of the PPS page the cookie appears. (Just did it again...no purchase involved...just checking my credit card balance.)

In my experience, though, the cookie is easily removable (I use Safari Cookies.) and non-recurring...not at all persistent.

Edit: I, too, didn't find anything that indicates that the cookie is more than a low level threat, but neither did I find anything that told me what it actually does.
Posted By: joemikeb Re: apmebf.com - 01/07/11 02:10 AM
It is just curious to me that you get the cookie and I don't when using PayPal. How would you explain that?
Posted By: artie505 Re: apmebf.com - 01/07/11 09:23 AM
Originally Posted By: joemikeb
It is just curious to me that you get the cookie and I don't when using PayPal. How would you explain that?

Hmmm... I know you to be thorough, so I assume you followed the steps I outlined, and I'm as mystified as you are.

I hope other users who, like myself, have found that cookie will also follow those steps and report back.

In the meantime, though, since you've kinda thrown down the gauntlet I've done some experimentation:
  1. I disabled my Safari Extensions...same results.
  2. I launched Firefox and logged in and out of PayPal...same results.
  3. I logged in to my test user account...same results. (Note that any time I log in to that account I trash and recreate it immediately upon logging back in to my boot account to maintain its pristininity.)
  4. I booted into my Leopard volume and tried the experiment in Safari/Version 3.2.3 (5525.28.3), but the redirect was different, taking me to <http://adfarm.mediaplex.com/ad/ck/3484-114004-8030-68> - tab heading: invis.gif 1x1 pixels - (which is what I remember always happening in Leopard and which I assume was a compatibility issue that's since been resolved.), with no cookie appearing. (Edit: Note, however, that when I click on that link in Safari/Version 5.0.3 (6533.19.4) the cookie appears.)
I'll be happy to do any further experimentation that you think may be useful.
Posted By: MacManiac Re: apmebf.com - 01/07/11 12:52 PM
FWIW, having removed the two cookies I reported on earlier in this thread, and having NOT visited PayPal since that time I discovered two more cookies when I just looked today......removed same again.

Still no indications of nefarious or suspicious actions, however, it seems interesting to see them recur.
Posted By: joemikeb Re: apmebf.com - 01/07/11 01:04 PM
I just thought of one possibility. I have a family account on OpenDNS which provides Malware/Botnet protection and ad blocking among its services. I don't have logging turned on, so I cannot verify this, but it occurs to me that OpenDNS could easily be blocking the cookie.
Posted By: joemikeb Re: apmebf.com - 01/07/11 01:13 PM
Originally Posted By: MacManiac
Still no indications of nefarious or suspicious actions, however, it seems interesting to see them recur.

When I was searching for information on this, whatever it is, I found at least a couple of threads from PC users reporting the same kind of recurrence/persistence.
Posted By: artie505 Re: apmebf.com - 01/07/11 09:46 PM
I'm going to abort that redirect from now on and see if the cookie reappears; the nasty thing about any reappearance, though, will be that I won't know for sure whether I'm dealing with persistence or a second source.
Posted By: Hal Itosis Re: apmebf.com - 01/08/11 07:30 AM
Originally Posted By: artie505
I'm going to abort that redirect from now on and see if the cookie reappears; the nasty thing about any reappearance, though, will be that I won't know for sure whether I'm dealing with persistence or a second source.

We discussed Flash cookies in the Lounge a while back. I'm not sure how, but there may be ways to store info there and use it to regenerate deleted cookies.

As alluded to in another Lounge post, you should definitely check out the contents of these folders as well:

~/Library/Safari/LocalStorage/
~/Library/Safari/Databases/
Posted By: artie505 Re: apmebf.com - 01/08/11 08:39 AM
Thanks, but all of that is under control.

I keep track of Flash cookies (and, by the way, apmebf is not a Flash cookie) and databases with Safari Cookies (Local Storage is included in databases.), and I also have my Flash settings bookmarked so I can easily keep track of what's going on with them.

In combination, the two avenues give me excellent control over whatever garbage who/what is d/l'ing onto my deuced Mac(hina).

And as for regenerating cookies, right now I'm playing the waiting game to see whether that's even an issue (in my instance, anyhow).

Edit: If you're suggesting that the Flash pref pane may have some control over apmebf, I've never found any indication that that's so.
Posted By: Hal Itosis Re: apmebf.com - 01/08/11 06:35 PM
Originally Posted By: artie505
I keep track of Flash cookies (and, by the way, apmebf is not a Flash cookie)

Btw, i didn't say that it was.


Originally Posted By: artie505
Edit: If you're suggesting that the Flash pref pane may have some control over apmebf, I've never found any indication that that's so.

No, i'm suggesting that "developers" have found ways to employ Flash cookies which Adobe never initially intended (well, presumably anyway)... and therefore it won't be a feature displayed in (or managed by) that "prefPane" (or any other 3rd-party wares for that matter).

EDIT: note that there is no rule which says that any file responsible for this persistent behavior would necessarily have to have the string "apmebf" in its name, or even be visible at all. [and even if we were to grep for "apmebf" inside a file, it might be stored there in some encoded form, so it wouldn't turn up. That's precisely the sort of "precautions" those (expletives) would use.]
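
The point in the post above, that a plain grep for "apmebf" misses the string when it is stored encoded, shown as an added example (not part of the original post or of any tool named in the thread). It searches a directory tree for a domain fragment as plain text, UTF-16LE, hex and all three base64 alignments; the function names, the choice of encodings and the sample files are assumptions constructed for the demonstration.

```python
import base64
import os
import tempfile


def encoded_forms(needle):
    """Map a label to the byte pattern `needle` takes in each encoding."""
    text = needle.lower()
    raw = text.encode("ascii")
    forms = {
        "plain": raw,                           # matched case-insensitively
        "utf-16le": text.encode("utf-16-le"),   # "a\0p\0m\0..." as in many local stores
        "hex": raw.hex().encode("ascii"),       # matched case-insensitively
    }
    # Base64 text depends on where the needle starts modulo 3 in the encoded
    # data, so build one pattern per alignment and keep only the characters
    # that are determined by the needle alone.
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).rstrip(b"=")
        head = (0, 2, 3)[offset]                    # chars mixed with preceding bytes
        tail = 1 if (offset + len(raw)) % 3 else 0  # char mixed with the following byte
        forms["base64+%d" % offset] = enc[head:len(enc) - tail]
    return forms


def scan_tree(root, needle):
    """Return sorted (relative path, encoding label) pairs for every match."""
    patterns = encoded_forms(needle)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                        # unreadable file: skip, keep scanning
            lowered = data.lower()
            for label, pattern in patterns.items():
                haystack = lowered if label in ("plain", "hex") else data
                if pattern in haystack:
                    hits.append((os.path.relpath(path, root), label))
    return sorted(hits)


def build_demo_tree():
    """Create a temp directory of constructed sample files; return its path."""
    root = tempfile.mkdtemp(prefix="tracker-scan-")
    samples = {
        "cookies.txt": b"apmebf.com\tTRUE\t/\tFALSE\t0\tS\tconstructed\n",
        "store.localstorage": b"\x01\x02" + "host=apmebf.com".encode("utf-16-le"),
        "blob.dat": base64.b64encode(b"xdom=apmebf.com;id=1"),
        "clean.plist": b"<plist><string>nothing here</string></plist>",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, label in scan_tree(build_demo_tree(), "apmebf"):
        print("%-20s %s" % (path, label))
```

A clean result only rules out these particular encodings; compressed, encrypted or server-side storage would not turn up in a scan like this.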
Posted By: artie505 Re: apmebf.com - 01/08/11 07:57 PM
Originally Posted By: Hal Itosis
Originally Posted By: artie505
I keep track of Flash cookies (and, by the way, apmebf is not a Flash cookie)

Btw, i didn't say that it was.

Since you didn't mention having found the cookie, and since it wasn't entirely clear whether your post was on or off-topic, clarification was in order.

Originally Posted By: Hal Itosis
Originally Posted By: artie505
Edit: If you're suggesting that the Flash pref pane may have some control over apmebf, I've never found any indication that that's so.

No, i'm suggesting that "developers" have found ways to employ Flash cookies which Adobe never initially intended (well, presumably anyway)... and therefore it won't be a feature displayed in (or managed by) that "prefPane" (or any other 3rd-party wares for that matter).

When I said that apmebf's not a Flash cookie I meant that Safari Cookies doesn't identify it as one; I have no idea how to tell a Flash cookie from a regular one, and, if I'm following you, neither, in some instances, has Safari Cookies.

Originally Posted By: Hal Itosis
EDIT: note that there is no rule which says that any file responsible for this persistent behavior would necessarily have to have the string "apmebf" in its name, or even be visible at all. [and even if we were to grep for "apmebf" inside a file, it might be stored there in some encoded form, so it wouldn't turn up. That's precisely the sort of "precautions" those (expletives) would use.]

It never occurred to me to search for a file that might be at the root of apmebf's persistence if, in fact, it is persistent on my deuced Mac(hina), but I did, and I didn't find an obvious one.
Posted By: Hal Itosis Re: apmebf.com - 01/09/11 01:17 AM
TBH, I'd never heard of apmebf until this thread. There's no sign of it on any of the Macs to which I have access [neither as part of a file's name, nor the content of any file, nor as any cookie (flash or non-flash).]

It's also possible for websites to store their own info about us (and/or our MAC/router addresses) perhaps. Just curious, do any cookies (of any variety) in your cupboard sport the name omniture?

EDIT: actually, i'm not sure if tracking sites like omniture (or 2o7.net whatever) even need to leave cookie crumbs. Do you use Little Snitch by any chance... or do any domain blocking via /etc/hosts?
Posted By: artie505 Re: apmebf.com - 01/09/11 04:54 AM
> Just curious, do any cookies (of any variety) in your cupboard sport the name omniture?

No, nor do I remember having ever seen the name, but when I look at my cookies I look at the domain column, not the name column; I'll keep an eye peeled.

> actually, i'm not sure if tracking sites like omniture (or 2o7.net whatever) even need to leave cookie crumbs. Do you use Little Snitch by any chance... or do any domain blocking via /etc/hosts?

I use Little Snitch, and I used /etc/hosts at one time, but I don't think I'm using it now; you tell me...

Code:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost 
fe80::1%lo0	localhost
127.0.0.1 madstage.com.com

(I have seen 2o7.net any number of times (Edit: although, now that I think about it, not recently)...never knew what it was, but I never got curious about it as I did with apmebf.)

Edit 2: I just found What is 2o7.net Tracking Cookie? All You Need To Know which says that turning off 3rd party cookies stops 2o7.net, but my recollection is that I've always had it turned off and saw those cookies all the same.
Posted By: artie505 Re: apmebf.com - 01/09/11 09:26 AM
> TBH, I'd never heard of apmebf until this thread.

Did you happen to look at Apmebf.com is an online advertising & affiliate marketing company?

As I said to ganbustein a week ago: "Y'know... Considering PayPal's less than savory past it wouldn't surprise me in the least to find that they've partnered with a "shady" organization. Let's see if they respond to my e-mail."

They haven't responded in substance yet, nor do I expect them to.

But shouldn't that cookie be blocked by the "3rd party" option?
Posted By: Hal Itosis Re: apmebf.com - 01/09/11 04:38 PM
Originally Posted By: artie505
I used /etc/hosts at one time, but I don't think I'm using it now; you tell me...
Code:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost 
fe80::1%lo0	localhost
127.0.0.1 madstage.com.com

Looks like part of the fix for slow-loading MacFixIt Archive pages is still there (last line). Details are given in a Lounge sticky.
Posted By: artie505 Re: apmebf.com - 01/10/11 06:55 AM
> Looks like part of the fix for slow-loading MacFixIt Archive pages is still there (last line).

Thanks.

I remember inserting that line way before the MFIA issue reared its ugly head (and I guess I now know why I never tripped over it) in connection, I believe, with an MFIF issue, and... Wow! I'm mystified by why it's still there, because I'm running the spawn of a recent erase and install, and I have absolutely no recollection of having messed with /etc/hosts since doing it.

I'm going to try to think this one through and figure out the exact sequence of events that got me to where I am now.
Posted By: artie505 Re: apmebf.com - 01/21/11 08:33 AM
Update... For the past two weeks I've been aborting PayPal's redirect to PayPal Shopping, and the apmebf.com cookie has not reappeared.
Posted By: artie505 Re: apmebf.com - 03/10/11 11:30 PM
Further update... I'm not 100% certain, but I believe this began just yesterday or today: When I log out of PayPal, I'm no longer taken to a log-out page and redirected to PayPal Shopping, rather, the page to which I'm immediately taken says "Welcome to PayPal Shops," and I do not get the apmebf cookie.
Posted By: artie505 Re: apmebf.com - 12/12/11 05:55 AM
I just logged out of PayPal and was in the process of being redirected to PayPal Shopping, but the redirect was aborted and I was taken to this screen instead.

I hope PayPal is not doing me that bad, but if OpenDNS thinks it is, I can certainly live without PayPal Shopping.

Even if it's an overreaction, this casts apmebf in a highly unflattering new light.
Posted By: artie505 Re: apmebf.com - 12/12/11 07:38 PM
Quite bizarre... The redirect to PayPal Shopping once again works, and I'm once again seeing apmebf cookies.
Posted By: tacit Re: apmebf.com - 12/12/11 08:43 PM
It looks like OpenDNS erroneously trapped apmebf.com as a phish, probably because PayPal takes you through that site when you log out.
Posted By: grelber Re: apmebf.com - 12/13/11 06:46 AM
RE ... I'm once again seeing apmebf cookies.

Can you not set your browser to reject third-party cookies and/or block apmebf.com? I've done both with Firefox 8.
Posted By: artie505 Re: apmebf.com - 12/13/11 07:18 AM
Originally Posted By: grelber
RE ... I'm once again seeing apmebf cookies.

Can you not set your browser to reject third-party cookies and/or block apmebf.com? I've done both with Firefox 8.

I've already got Safari set to "Block cookies: From third parties and advertisers," but neither Safari nor any of the cookie managing apps I've run across allows the blocking of individual cookies. (Thanks for the heads-up about Firefox's cookie blocking, but I like Safari, and this issue isn't serious enough to change my mind.)
Posted By: artie505 Re: apmebf.com - 01/03/12 09:33 AM
Originally Posted By: artie505
Quite bizarre... The redirect to PayPal Shopping once again works, and I'm once again seeing apmebf cookies.

And, once again, neither the redirect nor the apmebf cookie are issues...apparently some sort of holiday tracking thing.
© FineTunedMac