Peculiar Dialogue Box
#12549 10/26/10 10:58 AM
Joined: Aug 2009
Likes: 14
ryck Offline OP
I searched (Google) for Egyptian hieroglyphics and the result included four "Images for hieroglyphics". When I clicked on one of the images I got a dialogue box that looked like a Safari dialogue, even including the Safari Compass. The dialogue had this address and text:

http://915.grandesaver24.com

AV8 has found suspicious activity on your pc and will perform some action on your pc


There was a small second box with a radio button to authorize the action.

The dialogue didn't sound like what I would expect from a ClamXav caution, and I thought it curious that a "Safari" dialogue box would refer to my machine as a "pc", so I simply closed Safari. I have not gone to the link.

When I reopened, the box did not re-appear. As a safety measure I did a ClamXav scan which didn't return anything of concern.

Anyone have any idea what this might have been?

ryck

Last edited by ryck; 10/26/10 11:01 AM.

ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Peculiar Dialogue Box
ryck #12550 10/26/10 02:26 PM
Joined: Aug 2009
Likes: 15
Online

Hmmm... I did the same search, and clicking on the lefthand image got me a pop-up with dialog identical to yours but with a different URL.

I quit and relaunched Safari, and now clicking on the same image begins to show me something that immediately morphs into a Google search page.

Got me beat.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Peculiar Dialogue Box
ryck #12554 10/26/10 03:50 PM
Joined: Aug 2009
Offline

Just looks like a JavaScript alert. Nothing to really be concerned about. The site just has some redirect code on it to try to trick users into thinking they have a problem. When I clicked, I was forwarded to an exact replica of Windows Update's web page that was faking a virus scan and was finding all of these viruses. Neat trick since I'm on a Mac.


iMac 2.7 GHz Core i5, 12 GB RAM, OS X 10.9, Int SATA 1 TB, Ext Fire 2 TB / 1 TB / 1 TB / 500 GB / 300 GB
Former MacFixIt Forums member since 11/17/99
www.rhubarbproductions.com
Re: Peculiar Dialogue Box
ryck #12560 10/26/10 10:09 PM
Joined: Aug 2009
Likes: 1
Offline

This is an extremely common trick, I'm surprised you've never seen it before. It's part of a scheme to install viruses on Windows computers. Here's how the scheme works:

Eastern European organized crime sets up Web sites. These sites exist only to download computer malware onto Windows PCs. There are, at any given time, tens of thousands of these sites in operation; as quickly as they get shut down, another one pops up.

The sites are then stuffed full of popular Google keywords. There are many ways to do this. They keep track of trending search terms; they scan sites like BoingBoing and Digg and Reddit looking for popular topics; they read blogs and news sites looking for events or subjects that people are talking about.

The virus sites are given extremely high Google page position. One of the most important factors in how high a site ranks on Google is how many other sites link to it. So the organized crime groups that do this give their virus sites high page rank by using automatic tools that scan through the Web looking for insecure, vulnerable WordPress, Joomla, Drupal, phpBB, and similar popular software. When they find a site running an insecure version of one of these bits of software, they automatically hack it and fill it with links to the virus site.

Now that the site that spreads the viruses is stuffed with popular keywords and has a high Google rank, they wait. Someone does a search on Google, like you did. The Google results show the virus sites. You click on the link in Google.

As soon as you arrive on the virus site, it pops up a phony alert that says something like "Your antivirus software has found suspicious activity" or "Your computer is infected with a virus and will now be scanned." You click OK. You see a phony image of what looks like your Windows antivirus scanner. It shows you a progress bar, then it says "Warning! You are infected with a virus. Click here to download and install antivirus software to remove the virus."

People who believe the phony warning download the software (which is, of course, actually a virus) and become infected.

Security firm Panda Labs says that this scheme brings in about $15 million a *month* for Russian organized crime. Lots and lots of people fall for it.

The site you went to, 915.grandesaver24.com, is a computer virus downloader. It is currently offline.

I generally run into about fifteen or twenty of these sites a month.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: Peculiar Dialogue Box
tacit #12563 10/26/10 10:49 PM
Joined: Aug 2009
Likes: 15
Online

Thanks for that; I figured the link was to a virus d/l site, but the PC reference suggested that it was benign as respects Macs. (The Safari icon was confusing until I remembered that there's now a Safari for Windows.)


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Peculiar Dialogue Box
artie505 #12565 10/27/10 12:12 AM
Joined: Aug 2009
Likes: 3
Moderator
Online

Quote:
(The Safari icon was confusing until I remembered that there's now a Safari for Windows.)

If I'm understanding this correctly, the Safari icon you saw was provided by your own Safari.app, which was displaying, as Kevin mentioned above, an alert invoked by javascript in the source code on the page in question. You can see a similar alert by copying the following code, pasting it into Safari's address bar, and hitting Enter or Return:

javascript:alert("AV8 has found suspicious activity on your pc and will perform some action on your pc")

Had you perused the page in Firefox instead, the icon accompanying the alert would've been a black exclamation point inside a yellow triangle.



dkmarsh—member, FineTunedMac Co-op Board of Directors
Re: Peculiar Dialogue Box
dkmarsh #12566 10/27/10 12:44 AM
Joined: Aug 2009
Likes: 15
Online

Aaah... I see; thanks for the explanation.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Peculiar Dialogue Box
artie505 #12577 10/28/10 01:36 PM
Joined: Aug 2009
Offline

If you had been using a Windows OS, you would now be truly screwed. Since you were using a Mac, your concern at this stage is sufficient.

The general rule of thumb is to always suspect ANY website that wants to "help you" clean anything from your computer. And if they can't even get the OS correct, displaying Windows-based alerts, dialogs, or progress windows, simply go away from there.

Last edited by Sturner; 10/28/10 01:37 PM.

There are 3 kinds of people, those who can count, and those who can't.
Re: Peculiar Dialogue Box
Sturner #12581 10/28/10 07:17 PM
Joined: Aug 2009
Likes: 15
Online

> If you had been using a Windows OS, you would now be truly screwed.

Did I somehow give you the impression that I clicked on the link?

Just reread... Sorry if I gave you the wrong impression; I didn't click the link.

Last edited by artie505; 10/28/10 07:33 PM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Peculiar Dialogue Box
ryck #12582 10/28/10 08:40 PM
Joined: Aug 2009
Likes: 1
Moderator
Offline
Originally Posted By: ryck
The dialogue didn't sound like what I would expect from a ClamXav caution, and I thought it curious that a "Safari" dialogue box would refer to my machine as a "pc", so I simply closed Safari. I have not gone to the link.

Interesting. When I tried this shortly after you posted this a couple of days ago, I also got the dialog box plus the option to 'authorize the action'. However, I could not just 'close' Safari, as none of its windows was responsive other than the one with the action button, and I wasn't going to go that route. Even clicking on the desktop didn't bring the Finder to the front. A Force Quit of Safari got me out of there.

I don't know how typical this experience is, but my point is that if the only working option seems to be clicking a button on a dialog box (instead of invoking a force quit), the unwary may be tempted that way.


alternaut moderator
Re: Peculiar Dialogue Box
Sturner #12583 10/28/10 08:50 PM
Joined: Aug 2009
Offline

Originally Posted By: Sturner
If you had been using a Windows OS, you would now be truly screwed. Since you were using a Mac, your concern at this stage is sufficient.


THIS time you would have been safe. Do NOT assume that all the malware out there is Windows-only. There is plenty of Macintosh malware for them to install, and since your browser conveniently tells them what OS you're running, any black hat with an ounce of savvy will know to send you something that will infect you, even on a Mac.

Your only defense is to not grant permission to install their software. If you grant permission, even OS X will defer to your superior(?) judgement.

Re: Peculiar Dialogue Box
ganbustein #12589 10/28/10 11:26 PM
Joined: Aug 2009
Likes: 15
Online

> "your browser conveniently tells them what OS you're running"

How does it do that?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Peculiar Dialogue Box
artie505 #12591 10/29/10 12:30 AM
Joined: Aug 2009
Likes: 3
Moderator
Online

A web server typically requests that the client provide a user agent string, which includes information about the platform, OS version, and (browser or other) software being used to interpret the content delivered by the server. This allows the server to tailor that content to the specific client. (If you check out Safari's Develop menu, you'll notice a User Agent submenu, which allows your browser to "spoof" a different browser.)

To see what information you're currently providing, visit Whats My User Agent? (For a surprisingly clear explanation, look at Microsoft's Understanding User-Agent Strings.)



dkmarsh—member, FineTunedMac Co-op Board of Directors
Re: Peculiar Dialogue Box
dkmarsh #12592 10/29/10 01:11 AM
Joined: Aug 2009
Likes: 15
Online

Thanks.

I was aware of spoofing, but not that all that other info is delivered along with your browser ID.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Peculiar Dialogue Box
artie505 #12594 10/29/10 10:18 AM
Joined: Aug 2009
Likes: 1
Offline

It's actually kind of fascinating how much information your browser sends to the Web host each time it requests a page. The browser, the browser version, the operating system, your IP address, the type of processor (Intel or PowerPC), the type of device (in the case of a mobile device like an iPhone), what level of security your browser is capable of, the language you're using, whether your browser can accept compressed data, whether your browser will accept cookies, and the version of WebKit you have installed on your computer are all sent automatically.

The headers will also include information about whether or not you are going through a proxy, (often) what your IP is in cases where you are using a proxy, what page you were on if you followed a link to get to the new page, what keywords you used (if the page you were on was a search engine), and whether or not you used the Refresh button on your browser to reload the page.

Mobile browsers also send a "user agent profile," which includes the size of the device's screen, the languages and character sets it supports, the type of device, the model of device, the device manufacturer, and whether or not the device can display multimedia.

On top of that, a page can use JavaScript, Java, ActiveX controls, or other techniques to send to the server the size of the window you are using, what browser plug-ins you have installed (and what versions they are), what fonts you have installed, what your time zone is set to, and what your monitor settings are.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
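
As an added illustration of the header disclosure described in the two posts above (not code written by anyone in this thread), this Node.js sketch parses a constructed HTTP request and lists what the receiving server learns from the headers alone. The sample request, the host name and the function names are assumptions made for the example.

```javascript
// Constructed sample (not captured traffic): 2010-era Safari on an Intel Mac.
const SAMPLE_REQUEST = [
  "GET /landing HTTP/1.1",
  "Host: landing.example",
  "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) " +
    "AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5",
  "Accept-Language: en-us",
  "Accept-Encoding: gzip, deflate",
  "Referer: http://www.google.com/search?q=egyptian+hieroglyphics",
  "", "",
].join("\r\n");

// Split the request head into a map of lower-cased header names to values.
function parseHeaders(raw) {
  const headers = {};
  // Take everything before the blank line, then skip the request line.
  for (const line of raw.split(/\r?\n\r?\n/)[0].split(/\r?\n/).slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// What the server learns from the headers alone, before any script runs.
function disclosedByRequest(raw) {
  const h = parseHeaders(raw);
  const ua = h["user-agent"] || "";
  const platform = (ua.match(/\(([^)]*)\)/) || ["", ""])[1]; // first "(...)" group
  const pick = (re, text) => (text.match(re) || [null, null])[1];
  let os = "unknown"; // iPhone is tested before Mac: its string says "like Mac OS X"
  if (/Windows/.test(platform)) os = "Windows";
  else if (/iPhone|iPad|iPod/.test(platform)) os = "iOS";
  else if (/Mac OS X|Macintosh/.test(platform)) os = "Mac OS X";
  const version = pick(/(?:Mac OS X|Windows NT|iPhone OS) ([\d_.]+)/, platform);
  let referrerHost = null, searchTerms = null;
  try { // Referer may be absent or malformed; both leave the fields null
    const ref = new URL(h["referer"]);
    referrerHost = ref.hostname;
    searchTerms = ref.searchParams.get("q");
  } catch (_) {}
  return {
    os, osVersion: version && version.replace(/_/g, "."),
    cpu: pick(/\b(Intel|PPC)\b/, platform),
    webkit: pick(/AppleWebKit\/([\d.]+)/, ua),
    language: h["accept-language"] || null,
    acceptsCompression: /gzip|deflate/.test(h["accept-encoding"] || ""),
    referrerHost, searchTerms,
  };
}
console.log(disclosedByRequest(SAMPLE_REQUEST));
```

Changing the User Agent from Safari's Develop menu alters only the User-Agent line; the Referer and Accept-* headers are still sent as before.
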
Re: Peculiar Dialogue Box
tacit #12595 10/29/10 10:30 AM
Joined: Aug 2009
Likes: 15
Online

All I can say is wow! But that's with the understanding that much of the info sent is "necessary" to produce the best browsing experience.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Peculiar Dialogue Box
ryck #12600 10/29/10 06:20 PM
Joined: Aug 2009
Offline

Generally here we refer to this as "scareware". This includes web pages that try to scare you into downloading something nasty by forging an OS warning, or that once they have infected your computer start to bombard you with popups to encourage you to purchase their software tools to 'fix your problem'.


I work for the Department of Redundancy Department

Moderated by  alternaut, dianne, MacManiac 
