#12549 - 10/26/10 03:58 AM Peculiar Dialogue Box
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
I searched (Google) for Egyptian hieroglyphics and the result included four "Images for hieroglyphics". When I clicked on one of the images I got a dialogue box that looked like a Safari dialogue, even including the Safari Compass. The dialogue had this address and text:

http://915.grandesaver24.com

AV8 has found suspicious activity on your pc and will perform some action on your pc


There was a small second box with a radio button to authorize the action.

The dialogue didn't sound like what I would expect from a ClamXav caution, and I thought it curious that a "Safari" dialogue box would refer to my machine as a "pc", so I simply closed Safari. I have not gone to the link.

When I reopened, the box did not re-appear. As a safety measure I did a ClamXav scan which didn't return anything of concern.

Anyone have any idea what this might have been?

ryck


Edited by ryck (10/26/10 04:01 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX712 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Super Duper on 500GB OWC Mercury OTG Pro

#12550 - 10/26/10 07:26 AM Re: Peculiar Dialogue Box [Re: ryck]
artie505 Online


Registered: 08/04/09
Hmmm... I did the same search, and clicking on the lefthand image got me a pop-up with dialog identical to yours but with a different URL.

I quit and relaunched Safari, and now clicking on the same image begins to show me something that immediately morphs into a Google search page.

Got me beat.
_________________________
The new Great Equalizer is the SEND button.

#12554 - 10/26/10 08:50 AM Re: Peculiar Dialogue Box [Re: ryck]
Kevin M. Dean Offline


Registered: 08/04/09
Loc: Florida
Just looks like a javascript alert. Nothing to really be concerned about. The site just has some redirect code on it to try to trick users into thinking they have a problem. When I clicked I was forwarded to an exact replica of Windows Update's web page that was faking a virus scan and was finding all of these viruses. Neat trick since I'm on a Mac.
_________________________
iMac 2.7 GHz Core i5, 12 GB RAM, OS X 10.9, Int SATA 1 TB, Ext Fire 2 TB / 1 TB / 1 TB / 500 GB / 300 GB
Former MacFixIt Forums member since 11/17/99
www.rhubarbproductions.com

#12560 - 10/26/10 03:09 PM Re: Peculiar Dialogue Box [Re: ryck]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
This is an extremely common trick; I'm surprised you've never seen it before. It's part of a scheme to install viruses on Windows computers. Here's how the scheme works:

Eastern European organized crime sets up Web sites. These sites exist only to download computer malware onto Windows PCs. There are, at any given time, tens of thousands of these sites in operation; as quickly as they get shut down, another one pops up.

The sites are then stuffed full of popular Google keywords. There are many ways to do this. They keep track of trending search terms; they scan sites like BoingBoing and Digg and Reddit looking for popular topics; they read blogs and news sites looking for events or subjects that people are talking about.

The virus sites are given extremely high Google page position. One of the most important factors in how high a site ranks on Google is how many other sites link to it. So the organized crime groups that do this give their virus sites high page rank by using automatic tools that scan through the Web looking for insecure, vulnerable WordPress, Joomla, Drupal, phpBB, and similar popular software. When they find a site running an insecure version of one of these bits of software, they automatically hack it and fill it with links to the virus site.

Now that the site that spreads the viruses is stuffed with popular keywords and has a high Google rank, they wait. Someone does a search on Google, like you did. The Google results show the virus sites. You click on the link in Google.

As soon as you arrive on the virus site, it pops up a phony alert that says something like "Your antivirus software has found suspicious activity" or "Your computer is infected with a virus and will now be scanned." You click OK. You see a phony image of what looks like your Windows antivirus scanner. It shows you a progress bar, then it says "Warning! You are infected with a virus. Click here to download and install antivirus software to remove the virus."

People who believe the phony warning download the software (which is, of course, actually a virus) and become infected.

Security firm Panda Labs says that this scheme brings in about $15 million a *month* for Russian organized crime. Lots and lots of people fall for it.

The site you went to, 915.grandesaver24.com, is a computer virus downloader. It is currently offline.

I generally run into about fifteen or twenty of these sites a month.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

#12563 - 10/26/10 03:49 PM Re: Peculiar Dialogue Box [Re: tacit]
artie505 Online


Registered: 08/04/09
Thanks for that; I figured the link was to a virus d/l site, but the PC reference suggested that it was benign as respects Macs. (The Safari icon was confusing until I remembered that there's now a Safari for Windows.)
_________________________
The new Great Equalizer is the SEND button.

#12565 - 10/26/10 05:12 PM Re: Peculiar Dialogue Box [Re: artie505]
dkmarsh Offline
Moderator

Registered: 08/04/09

Quote:
(The Safari icon was confusing until I remembered that there's now a Safari for Windows.)

If I'm understanding this correctly, the Safari icon you saw was provided by your own Safari.app, which was displaying, as Kevin mentioned above, an alert invoked by javascript in the source code on the page in question. You can see a similar alert by copying the following code, pasting it into Safari's address bar, and hitting Enter or Return:

javascript:alert("AV8 has found suspicious activity on your pc and will perform some action on your pc")

Had you perused the page in Firefox instead, the icon accompanying the alert would've been a black exclamation point inside a yellow triangle.
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors
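
A defensive check built on the tells discussed in the posts above (a script-driven alert, scare wording, a "pc" message shown to a Mac user, a scripted redirect). This is an added example, not part of any post in the thread; the function names, the phrase list and the sample page with its placeholder redirect are assumptions.

```javascript
// Constructed sample page source: the alert text is the one quoted in this
// thread, the redirect target is a placeholder.
const SAMPLE_PAGE = `<html><body>
<script>
alert("AV8 has found suspicious activity on your pc and will perform some action on your pc");
window.location = "http://example.invalid/scan";
</script>
</body></html>`;

// Hypothetical phrase list; tune it against pages you actually see.
const SCARE_PHRASES = [/suspicious activity/i, /infected/i, /virus/i, /will (now )?be scanned/i];

// Find alert()/confirm() calls whose first argument is a string literal.
function extractDialogs(source) {
  const re = /\b(alert|confirm)\s*\(\s*(["'])((?:\\.|(?!\2).)*)\2/g;
  const out = [];
  let m;
  while ((m = re.exec(source)) !== null) out.push({ fn: m[1], text: m[3] });
  return out;
}

// Score a page; userPlatform is what the reader is really running ("mac", "windows").
function scoreScareware(source, userPlatform) {
  const findings = [];
  for (const d of extractDialogs(source)) {
    if (SCARE_PHRASES.some((p) => p.test(d.text))) findings.push(`scare wording in ${d.fn}()`);
    // The tell ryck noticed: a dialog about a "pc" shown to a Mac user.
    if (userPlatform === "mac" && /\b(pc|windows)\b/i.test(d.text)) findings.push("platform mismatch");
  }
  // A dialog alone is weak evidence; a scripted redirect on the same page strengthens it.
  const redirect = /\b(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)|location\.replace\s*\(/;
  if (findings.length && redirect.test(source)) findings.push("dialog plus scripted redirect");
  return { suspicious: findings.length >= 2, findings };
}

console.log(scoreScareware(SAMPLE_PAGE, "mac"));
```
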

#12566 - 10/26/10 05:44 PM Re: Peculiar Dialogue Box [Re: dkmarsh]
artie505 Online


Registered: 08/04/09
Aaah... I see; thanks for the explanation.
_________________________
The new Great Equalizer is the SEND button.

#12577 - 10/28/10 06:36 AM Re: Peculiar Dialogue Box [Re: artie505]
Sturner Offline


Registered: 08/04/09
Loc: Cyber Space
If you had been using a Windows OS, you would now be truly screwed. Since you were using a Mac, your concern at this stage is sufficient.

The general rule of thumb is to always suspect ANY website that wants to "help you" clean anything from your computer. And if they can't even get the OS correct, displaying Windows-based alerts, dialogs, or progress windows, simply go away from there.


Edited by Sturner (10/28/10 06:37 AM)
_________________________
There are 3 kinds of people, those who can count, and those who can't.

#12581 - 10/28/10 12:17 PM Re: Peculiar Dialogue Box [Re: Sturner]
artie505 Online


Registered: 08/04/09
> If you had been using a Windows OS, you would now be truly screwed.

Did I somehow give you the impression that I clicked on the link?

Just reread... Sorry if I gave you the wrong impression; I didn't click the link.


Edited by artie505 (10/28/10 12:33 PM)
_________________________
The new Great Equalizer is the SEND button.

#12582 - 10/28/10 01:40 PM Re: Peculiar Dialogue Box [Re: ryck]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: ryck
The dialogue didn't sound like what I would expect from a ClamXav caution, and I thought it curious that a "Safari" dialogue box would refer to my machine as a "pc", so I simply closed Safari. I have not gone to the link.

Interesting. When I tried this shortly after you posted this a couple of days ago, I also got the dialog box plus the option to 'authorize the action'. However, I could not just 'close' Safari, as none of its windows was responsive other than the one with the action button, and I wasn't going to go that route. Even clicking on the desktop didn't bring the Finder to the front. A Force Quit of Safari got me out of there.

I don't know how typical this experience is, but my point is that if the only working option seems to be clicking a button on a dialog box (instead of invoking a force quit), the unwary may be tempted that way.
_________________________
alternaut moderator

#12583 - 10/28/10 01:50 PM Re: Peculiar Dialogue Box [Re: Sturner]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: Sturner
If you had been using a Windows OS, you would now be truly screwed. Since you were using a Mac, your concern at this stage is sufficient.


THIS time you would have been safe. Do NOT assume that all the malware out there is Windows-only. There is plenty of Macintosh malware for them to install, and since your browser conveniently tells them what OS you're running, any black hat with an ounce of savvy will know to send you something that will infect you, even on a Mac.

Your only defense is to not grant permission to install their software. If you grant permission, even OS X will defer to your superior(?) judgement.

#12589 - 10/28/10 04:26 PM Re: Peculiar Dialogue Box [Re: ganbustein]
artie505 Online


Registered: 08/04/09
> "your browser conveniently tells them what OS you're running"

How does it do that?
_________________________
The new Great Equalizer is the SEND button.

#12591 - 10/28/10 05:30 PM Re: Peculiar Dialogue Box [Re: artie505]
dkmarsh Offline
Moderator

Registered: 08/04/09

A web server typically requests that the client provide a user agent string, which includes information about the platform, OS version, and (browser or other) software being used to interpret the content delivered by the server. This allows the server to tailor that content to the specific client. (If you check out Safari's Develop menu, you'll notice a User Agent submenu, which allows your browser to "spoof" a different browser.)

To see what information you're currently providing, visit Whats My User Agent? (For a surprisingly clear explanation, look at Microsoft's Understanding User-Agent Strings.)
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

#12592 - 10/28/10 06:11 PM Re: Peculiar Dialogue Box [Re: dkmarsh]
artie505 Online


Registered: 08/04/09
Thanks.

I was aware of spoofing, but not that all that other info is delivered along with your browser ID.
_________________________
The new Great Equalizer is the SEND button.

#12594 - 10/29/10 03:18 AM Re: Peculiar Dialogue Box [Re: artie505]
tacit Offline


Registered: 08/03/09
Loc: Portland, Oregon, USA
It's actually kind of fascinating how much information your browser sends to the Web host each time it requests a page. The browser, the browser version, the operating system, your IP address, the type of processor (Intel or PowerPC), the type of device (in the case of a mobile device like an iPhone), what level of security your browser is capable of, the language you're using, whether your browser can accept compressed data, whether your browser will accept cookies, and the version of WebKit you have installed on your computer are all sent automatically.

The headers will also include information about whether or not you are going through a proxy, (often) what your IP is in cases where you are using a proxy, what page you were on if you followed a link to get to the new page, what keywords you used (if the page you were on was a search engine), and whether or not you used the Refresh button on your browser to reload the page.

Mobile browsers also send a "user agent profile," which includes the size of the device's screen, the languages and character sets it supports, the type of device, the model of device, the device manufacturer, and whether or not the device can display multimedia.

On top of that, a page can use JavaScript, Java, ActiveX controls, or other techniques to send to the server the size of the window you are using, what browser plug-ins you have installed (and what versions they are), what fonts you have installed, what your time zone is set to, and what your monitor settings are.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html
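
To see for yourself what a single request gives away, the sketch below parses a raw HTTP request and reports the items named in the user agent and header posts above (OS, processor, WebKit version, language, proxy use, referring page, search keywords, reload). It is an added example, not part of any post; the request is constructed, the hosts and IP are placeholders, and treating `Cache-Control: max-age=0` or `no-cache` as a reload is an assumption.

```javascript
// Constructed sample request (not captured traffic); hosts and IP are placeholders.
const SAMPLE_REQUEST = [
  "GET /images.html HTTP/1.1",
  "Host: example.invalid",
  "User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) " +
    "AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5",
  "Accept-Language: en-us",
  "Referer: http://www.google.com/search?q=egyptian+hieroglyphics",
  "Via: 1.1 proxy.example.invalid",
  "X-Forwarded-For: 192.0.2.10",
  "Cache-Control: max-age=0",
  "", "",
].join("\r\n");

// Parse the header section into a lower-cased name -> value map.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/).slice(1)) {
    if (line === "") break; // blank line ends the headers
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Report what the request alone reveals about the visitor.
function auditDisclosure(raw) {
  const h = parseHeaders(raw);
  const ua = h["user-agent"] || "";
  const platform = (ua.match(/\(([^)]*)\)/) || [])[1] || "";
  const first = (re, s) => (s.match(re) || [])[1] || null;
  const report = {
    os: first(/(Mac OS X [\d_.]+|Windows NT [\d.]+)/, platform),
    cpu: first(/\b(Intel|PPC)\b/, platform),
    webkit: first(/AppleWebKit\/([\d.]+)/, ua),
    language: h["accept-language"] || null,
    viaProxy: "via" in h || "x-forwarded-for" in h,
    originalIp: first(/^\s*([^,\s]+)/, h["x-forwarded-for"] || ""),
    reloaded: /max-age=0|no-cache/.test(h["cache-control"] || ""), // assumption: reload heuristic
    referrerHost: null, searchTerms: null,
  };
  try {
    const ref = new URL(h["referer"]); // throws when the header is absent
    report.referrerHost = ref.hostname;
    report.searchTerms = ref.searchParams.get("q");
  } catch (_) { /* no usable Referer */ }
  return report;
}
console.log(auditDisclosure(SAMPLE_REQUEST));
```
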

#12595 - 10/29/10 03:30 AM Re: Peculiar Dialogue Box [Re: tacit]
artie505 Online


Registered: 08/04/09
All I can say is wow! But that's with the understanding that much of the info sent is "necessary" to produce the best browsing experience.
_________________________
The new Great Equalizer is the SEND button.

#12600 - 10/29/10 11:20 AM Re: Peculiar Dialogue Box [Re: ryck]
Virtual1 Offline


Registered: 08/04/09
Loc: Iowa
Generally here we refer to this as "scareware". This includes web pages that try to scare you into downloading something nasty by forging an OS warning, or that once they have infected your computer start to bombard you with popups to encourage you to purchase their software tools to 'fix your problem'.
_________________________
I work for the Department of Redundancy Department


Moderator:  alternaut, dianne, MacManiac