apmebf.com
#13527 01/01/11 11:49 PM
Joined: Aug 2009
Likes: 15
OP Online

I got curious about a recurring cookie, apmebf.com, and did a bit of research, and Google turned up What is Cookie Apmebf.

A bit alarmed, I cleared my unnecessary cookies, quit and relaunched Safari, opened up my bookmarked pages one at a time, and discovered that the cookie materializes when, after logging out of PayPal, I'm redirected to PayPal Shopping, so I notified PayPal that they're spreading this malware either knowingly or unknowingly.

More importantly, though, do I have anything to worry about even though I clear the cookie as soon as I find it? (I'm not entirely clear about what it actually does.)

Thanks.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
artie505 #13528 01/02/11 01:25 AM
Joined: Aug 2009
Likes: 14
Offline

Thanks for the caution.

I've used PayPal a fair amount over the past six or seven weeks, so I checked my drive. I seem to be clean.

ryck


ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: apmebf.com
artie505 #13529 01/02/11 02:00 AM
Joined: Aug 2009
Offline

I checked my cookies in both Safari and Firefox and found 2 for each.


...JER (-: >
Re: apmebf.com
artie505 #13531 01/02/11 03:52 AM
Joined: Aug 2009
Likes: 5
Moderator
Offline
Artie,

This appears to be a legacy topic that is directed primarily at Windows users. I saw no mention of it affecting the MacOS in the manner that was described for Windows......doesn't mean that it doesn't, just that it wasn't getting comments from the Mac community.

FWIW, your link is dated information tracing back to April 2005 and was last updated in May of 2006. A deeper Google search was not any more informative for recent hits.

I found a pair of Apmebf cookies when I searched in my Safari repository and removed same, but have not noted any observable adverse or unusual effects prior to removing them.....I'll report back if they recur.


Freedom is never free....thank a Service member today.
Re: apmebf.com
ryck #13533 01/02/11 04:37 AM
Joined: Aug 2009
Likes: 15
OP Online

Originally Posted By: ryck
Thanks for the caution.

I've used PayPal a fair amount over the past six or seven weeks, so I checked my drive. I seem to be clean.

ryck

It's PayPal Shopping that's spawning the cookie, ryck, so if you either don't get redirected from PP's logout page to PPS or close the logout page before the redirect begins you don't get the cookie.

And, on the other hand, living in Canada, you may be dealing with a different entity than the one with which I'm dealing.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
MacManiac #13534 01/02/11 04:46 AM
Joined: Aug 2009
Likes: 15
OP Online

Originally Posted By: MacManiac
Artie,

This appears to be a legacy topic that is directed primarily at Windows users. I saw no mention of it affecting the MacOS in the manner that was described for Windows......doesn't mean that it doesn't, just that it wasn't getting comments from the Mac community.

FWIW, your link is dated information tracing back to April 2005 and was last updated in May of 2006. A deeper Google search was not any more informative for recent hits.

I found a pair of Apmebf cookies when I searched in my Safari repository and removed same, but have not noted any observable adverse or unusual effects prior to removing them.....I'll report back if they recur.

I, too, didn't find anything that indicated that this was a Mac issue, nor have I noticed any unusual behavior (which is not to say that something's not just slipping by me) but cookies are so generic that concern seems warranted.

And as for apmebf.com's "antiquity," which I also noted... From where has it been resurrected, and why is PayPal spreading it?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
artie505 #13535 01/02/11 06:17 AM
Joined: Aug 2009
Offline

Originally Posted By: artie505
I got curious about a recurring cookie, apmebf.com, and did a bit of research, and Google turned up What is Cookie Apmebf.


The page linked to says:
Quote:
Apmebf prevents access from programs to websites of several companies related with security tools (antivirus programs, firewalls, etc.).

Apmebf redirects attempts to access web pages of certain banks to spoofed pages, with the aim of logging information entered by the user in these pages.

Apmebf redirects attempts to access several web pages to a specific IP address.

Excuse me, but how is it possible for a cookie to do any of those things? This sounds like scareware, as in "Panda security is so good we protect you from this evil that no one else is bothering to protect you from."

They may as well claim that Apmebf will cause acne or make the sun wink out of existence, for all the reasonableness of their warning.

Re: apmebf.com
ganbustein #13536 01/02/11 09:26 AM
Joined: Aug 2009
Likes: 15
OP Online

Hmmm... It did cross my mind that this thing seemed to have pretty miraculous capabilities, but I wrote my doubts off to my own lack of knowledge.

I just did some additional searching, though, and found Google Safe Browsing diagnostic page for apmebf.com (Recent: 2010-11-13) and Apmebf.com is an online advertising & affiliate marketing company, both of which indicate that the cookie is at least some degree of malicious if not as insidious as Panda claims it is.

Edit: Y'know... Considering PayPal's less than savory past it wouldn't surprise me in the least to find that they've partnered with a "shady" organization. Let's see if they respond to my e-mail.

Last edited by artie505; 01/02/11 09:53 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
artie505 #13555 01/05/11 08:25 AM
Joined: Aug 2009
Likes: 15
OP Online

And respond they did...

My e-mail to them:
Quote:
I've just discovered that when I log out of my PayPal account and am redirected to PayPal Shopping a new cookie, apmebf.com, which is malware, appears in my cookie file. (See <http://www.pandasecurity.com/homeusers/security-info/#####/Apmebf>)

And their response:

Quote:
Thank you for sending us this information. We’ll review it and contact you by email if we need to learn more. In the future, please forward suspicious emails to spoof@paypal.com.

Is my writing that unclear? (Edit: Rhetorical question)

(I wonder whether tacit's not posting to this thread can be taken as a sign that the issue is nothing to be worried about?)

Last edited by artie505; 01/05/11 10:37 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
artie505 #13578 01/06/11 10:48 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
FWIW I use PayPal all the time on three different systems and there is no sign of the Apmebf cookie on any of them which would lead me to question PayPal as the source of your cookie. Perhaps a third party site you purchased something on and paid using PayPal rather than PayPal itself.

I found some other references to Apmebf which is variously referred to as spyware or a cookie and the consensus seems to be that it is a relatively low level threat. There are also some removal tools available, but the ones I found are PC Windows only. Apparently from the web sources the cookie is persistent and not easy to get rid of.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: apmebf.com
joemikeb #13582 01/06/11 11:30 PM
Joined: Aug 2009
Likes: 15
OP Online

Quote:
FWIW I use PayPal all the time on three different systems and there is no sign of the Apmebf cookie on any of them which would lead me to question PayPal as the source of your cookie. Perhaps a third party site you purchased something on and paid using PayPal rather than PayPal itself.

I've recreated that cookie numerous times while observing both my Safari page and cookie list in Expose, and there's no question about its source; I log out of PayPal, the next page tells me that I'll be redirected to PayPal Shopping in 5 seconds, and immediately preceding the appearance of the PPS page the cookie appears. (Just did it again...no purchase involved...just checking my credit card balance.)

In my experience, though, the cookie is easily removable (I use Safari Cookies.) and non-recurring...not at all persistent.

Edit: I, too, didn't find anything that indicates that the cookie is more than a low level threat, but neither did I find anything that told me what it actually does.

Last edited by artie505; 01/06/11 11:37 PM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
artie505 #13587 01/07/11 02:10 AM
Joined: Aug 2009
Likes: 16
Moderator
Online
It is just curious to me that you get the cookie and I don't when using PayPal. How would you explain that?


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: apmebf.com
joemikeb #13597 01/07/11 09:23 AM
Joined: Aug 2009
Likes: 15
OP Online

Originally Posted By: joemikeb
It is just curious to me that you get the cookie and I don't when using PayPal. How would you explain that?

Hmmm... I know you to be thorough, so I assume you followed the steps I outlined, and I'm as mystified as you are.

I hope other users who, like myself, have found that cookie will also follow those steps and report back.

In the meantime, though, since you've kinda thrown down the gauntlet I've done some experimentation:
  1. I disabled my Safari Extensions...same results.
  2. I launched Firefox and logged in and out of PayPal...same results.
  3. I logged in to my test user account...same results. (Note that any time I log in to that account I trash and recreate it immediately upon logging back in to my boot account to maintain its pristininity.)
  4. I booted into my Leopard volume and tried the experiment in Safari/Version 3.2.3 (5525.28.3), but the redirect was different, taking me to <http://adfarm.mediaplex.com/ad/ck/3484-114004-8030-68> - tab heading: invis.gif 1x1 pixels - (which is what I remember always happening in Leopard and which I assume was a compatibility issue that's since been resolved.), with no cookie appearing. (Edit: Note, however, that when I click on that link in Safari/Version 5.0.3 (6533.19.4) the cookie appears.)
I'll be happy to do any further experimentation that you think may be useful.

Last edited by artie505; 01/07/11 11:16 AM. Reason: Edit: and cleanup

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
joemikeb #13600 01/07/11 12:52 PM
Joined: Aug 2009
Likes: 5
Moderator
Offline
FWIW, having removed the two cookies I reported on earlier in this thread, and having NOT visited PayPal since that time I discovered two more cookies when I just looked today......removed same again.

Still no indications of nefarious or suspicious actions, however, it seems interesting to see them recur.


Freedom is never free....thank a Service member today.
Re: apmebf.com
artie505 #13601 01/07/11 01:04 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
I just thought of one possibility. I have a family account on OpenDNS which provides Malware/Botnet protection and ad blocking among its services. I don't have logging turned on, so I cannot verify this, but it occurs to me that OpenDNS could easily be blocking the cookie.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: apmebf.com
MacManiac #13602 01/07/11 01:13 PM
Joined: Aug 2009
Likes: 16
Moderator
Online
Originally Posted By: MacManiac
Still no indications of nefarious or suspicious actions, however, it seems interesting to see them recur.

When I was searching for information on this, whatever it is, I found at least a couple of threads from PC users reporting the same kind of recurrence/persistence.


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: apmebf.com
joemikeb #13606 01/07/11 09:46 PM
Joined: Aug 2009
Likes: 15
OP Online

I'm going to abort that redirect from now on and see if the cookie reappears; the nasty thing about any reappearance, though, will be that I won't know for sure whether I'm dealing with persistence or a second source.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
artie505 #13617 01/08/11 07:30 AM
Joined: Sep 2009
Offline

Originally Posted By: artie505
I'm going to abort that redirect from now on and see if the cookie reappears; the nasty thing about any reappearance, though, will be that I won't know for sure whether I'm dealing with persistence or a second source.

We discussed Flash cookies in the Lounge a while back. I'm not sure how, but there may be ways to store info there and use it to regenerate deleted cookies.

As alluded to in another Lounge post, you should definitely check out the contents of these folders as well:

~/Library/Safari/LocalStorage/
~/Library/Safari/Databases/





Re: apmebf.com
Hal Itosis #13618 01/08/11 08:39 AM
Joined: Aug 2009
Likes: 15
OP Online

Thanks, but all of that is under control.

I keep track of Flash cookies (and, by the way, apmebf is not a Flash cookie) and databases with Safari Cookies (Local Storage is included in databases.), and I also have my Flash settings bookmarked so I can easily keep track of what's going on with them.

In combination, the two avenues give me excellent control over whatever garbage who/what is d/l'ing onto my deuced Mac(hina).

And as for regenerating cookies, right now I'm playing the waiting game to see whether that's even an issue (in my instance, anyhow).

Edit: If you're suggesting that the Flash pref pane may have some control over apmebf, I've never found any indication that that's so.

Last edited by artie505; 01/08/11 08:41 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
artie505 #13624 01/08/11 06:35 PM
Joined: Sep 2009
Offline

Originally Posted By: artie505
I keep track of Flash cookies (and, by the way, apmebf is not a Flash cookie)

Btw, I didn't say that it was.


Originally Posted By: artie505
Edit: If you're suggesting that the Flash pref pane may have some control over apmebf, I've never found any indication that that's so.

No, I'm suggesting that "developers" have found ways to employ Flash cookies which Adobe never initially intended (well, presumably anyway)... and therefore it won't be a feature displayed in (or managed by) that "prefPane" (or any other 3rd-party wares for that matter).

EDIT: note that there is no rule which says that any file responsible for this persistent behavior would necessarily have to have the string "apmebf" in its name, or even be visible at all. [and even if we were to grep for "apmebf" inside a file, it might be stored there in some encoded form, so it wouldn't turn up. That's precisely the sort of "precautions" those (expletives) would use.]

Last edited by Hal Itosis; 01/08/11 06:57 PM.
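
An added example, not part of Hal Itosis's post or of the thread: a Python sketch of the search described above, looking for a domain string in plain form and under a few simple reversible encodings (UTF-16, hex, percent-encoding, ROT13, and base64 at any alignment). The default folders are the two named earlier in the thread; the function names are hypothetical, and a string that has been compressed or encrypted will still not turn up.

```python
from __future__ import annotations

import base64
import codecs
import sys
from pathlib import Path


def base64_cores(raw: bytes) -> list[bytes]:
    """Base64 substrings that must appear if `raw` is embedded at any offset.

    Base64 works on 3-byte groups, so the encoding of an embedded string
    depends on its offset modulo 3. For each alignment, drop the leading and
    trailing characters whose bits are shared with neighbouring bytes.
    """
    cores = []
    for offset, skip in ((0, 0), (1, 2), (2, 3)):
        enc = base64.b64encode(b"\x00" * offset + raw).rstrip(b"=")
        if (offset + len(raw)) % 3:
            enc = enc[:-1]  # last char shares bits with the following byte
        cores.append(enc[skip:])
    return cores


def scan_bytes(data: bytes, needle: str) -> list[str]:
    """Return the names of the encodings under which `needle` occurs in data."""
    low = needle.lower()
    raw = low.encode("ascii")
    folded = data.lower()  # ASCII case-fold; base64 is matched case-sensitively
    candidates = {
        "plain": raw,
        "utf-16le": low.encode("utf-16-le"),
        "hex": raw.hex().encode(),
        "percent": "".join(f"%{b:02x}" for b in raw).encode(),
        "rot13": codecs.encode(low, "rot_13").encode(),
    }
    hits = [name for name, pat in candidates.items() if pat in folded]
    if any(core in data for core in base64_cores(raw)):
        hits.append("base64")
    return hits


def scan_tree(root: Path, needle: str, max_bytes: int = 50_000_000) -> dict[str, list[str]]:
    """Scan every readable regular file under `root`; map relative path -> hits."""
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            if path.stat().st_size > max_bytes:
                continue  # skip very large files rather than load them whole
            hits = scan_bytes(path.read_bytes(), needle)
        except OSError:
            continue  # unreadable file: skip it
        if hits:
            results[str(path.relative_to(root))] = hits
    return results


if __name__ == "__main__":
    needle = sys.argv[1] if len(sys.argv) > 1 else "apmebf.com"
    safari = Path.home() / "Library" / "Safari"
    roots = [Path(a) for a in sys.argv[2:]] or [safari / "LocalStorage", safari / "Databases"]
    for root in roots:
        if root.is_dir():
            for rel, hits in scan_tree(root, needle).items():
                print(f"{root / rel}: {', '.join(hits)}")
```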
Re: apmebf.com
Hal Itosis #13626 01/08/11 07:57 PM
Joined: Aug 2009
Likes: 15
OP Online

Originally Posted By: Hal Itosis
Originally Posted By: artie505
I keep track of Flash cookies (and, by the way, apmebf is not a Flash cookie)

Btw, I didn't say that it was.

Since you didn't mention having found the cookie, and since it wasn't entirely clear whether your post was on or off-topic, clarification was in order.

Originally Posted By: Hal Itosis
Originally Posted By: artie505
Edit: If you're suggesting that the Flash pref pane may have some control over apmebf, I've never found any indication that that's so.

No, I'm suggesting that "developers" have found ways to employ Flash cookies which Adobe never initially intended (well, presumably anyway)... and therefore it won't be a feature displayed in (or managed by) that "prefPane" (or any other 3rd-party wares for that matter).

When I said that apmebf's not a Flash cookie I meant that Safari Cookies doesn't identify it as one; I have no idea how to tell a Flash cookie from a regular one, and, if I'm following you, neither, in some instances, has Safari Cookies.

Originally Posted By: Hal Itosis
EDIT: note that there is no rule which says that any file responsible for this persistent behavior would necessarily have to have the string "apmebf" in its name, or even be visible at all. [and even if we were to grep for "apmebf" inside a file, it might be stored there in some encoded form, so it wouldn't turn up. That's precisely the sort of "precautions" those (expletives) would use.]

It never occurred to me to search for a file that might be at the root of apmebf's persistence if, in fact, it is persistent on my deuced Mac(hina), but I did, and I didn't find an obvious one.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
artie505 #13630 01/09/11 01:17 AM
Joined: Sep 2009
Offline

TBH, I'd never heard of apmebf until this thread. There's no sign of it on any of the Macs to which I have access [neither as part of a file's name, nor the content of any file, nor as any cookie (flash or non-flash).]

It's also possible for websites to store their own info about us (and/or our MAC/router addresses) perhaps. Just curious, do any cookies (of any variety) in your cupboard sport the name omniture?

EDIT: actually, I'm not sure if tracking sites like omniture (or 2o7.net whatever) even need to leave cookie crumbs. Do you use Little Snitch by any chance... or do any domain blocking via /etc/hosts?

Last edited by Hal Itosis; 01/09/11 01:29 AM.
Re: apmebf.com
Hal Itosis #13632 01/09/11 04:54 AM
Joined: Aug 2009
Likes: 15
OP Online

> Just curious, do any cookies (of any variety) in your cupboard sport the name omniture?

No, nor do I remember having ever seen the name, but when I look at my cookies I look at the domain column, not the name column; I'll keep an eye peeled.

> actually, I'm not sure if tracking sites like omniture (or 2o7.net whatever) even need to leave cookie crumbs. Do you use Little Snitch by any chance... or do any domain blocking via /etc/hosts?

I use Little Snitch, and I used /etc/hosts at one time, but I don't think I'm using it now; you tell me...

Code:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost 
fe80::1%lo0	localhost
127.0.0.1 madstage.com.com

(I have seen 2o7.net any number of times (Edit: although, now that I think about it, not recently)...never knew what it was, but I never got curious about it as I did with apmebf.)

Edit 2: I just found What is 2o7.net Tracking Cookie? All You Need To Know which says that turning off 3rd party cookies stops 2o7.net, but my recollection is that I've always had it turned off and saw those cookies all the same.

Last edited by artie505; 01/09/11 05:07 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
Hal Itosis #13634 01/09/11 09:26 AM
Joined: Aug 2009
Likes: 15
OP Online

> TBH, I'd never heard of apmebf until this thread.

Did you happen to look at Apmebf.com is an online advertising & affiliate marketing company?

As I said to ganbustein a week ago: "Y'know... Considering PayPal's less than savory past it wouldn't surprise me in the least to find that they've partnered with a "shady" organization. Let's see if they respond to my e-mail."

They haven't responded in substance yet, nor do I expect them to.

But shouldn't that cookie be blocked by the "3rd party" option?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: apmebf.com
artie505 #13635 01/09/11 04:38 PM
Joined: Sep 2009
Offline

Originally Posted By: artie505
I used /etc/hosts at one time, but I don't think I'm using it now; you tell me...
Code:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost 
fe80::1%lo0	localhost
127.0.0.1 madstage.com.com

Looks like part of the fix for slow-loading MacFixIt Archive pages is still there (last line). Details are given in a Lounge sticky.
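
An added example, not part of the thread: a Python check of the hosts file posted above, listing which names it actually null-routes and whether the domains discussed here are among them. The function names are hypothetical, and `sub.apmebf.com` is a constructed hostname used only to show that hosts entries match exact names, not subdomains.

```python
from __future__ import annotations

import ipaddress

# The hosts file as posted in the thread (whitespace normalised to tabs/spaces).
POSTED_HOSTS = """\
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1             localhost
fe80::1%lo0\tlocalhost
127.0.0.1 madstage.com.com
"""

# Names the stock file maps for the system's own use; these are not blocks.
BUILTIN = {"localhost", "broadcasthost"}


def sinkholed_names(hosts_text: str) -> set[str]:
    """Hostnames that the file points at a loopback or unspecified address."""
    blocked = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        addr = addr.split("%", 1)[0]  # drop an IPv6 zone id such as %lo0
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address field: ignore the line
        if ip.is_loopback or ip.is_unspecified:
            blocked.update(
                n.lower().rstrip(".") for n in names if n.lower() not in BUILTIN
            )
    return blocked


def coverage(hosts_text: str, domains: list[str]) -> dict[str, bool]:
    """Map each domain to whether the hosts file blocks that exact name.

    The hosts file has no wildcard syntax, so an entry for a domain does not
    cover its subdomains; each hostname needs its own line.
    """
    blocked = sinkholed_names(hosts_text)
    return {d: d.lower().rstrip(".") in blocked for d in domains}


if __name__ == "__main__":
    print("null-routed:", sorted(sinkholed_names(POSTED_HOSTS)))
    for name, hit in coverage(
        POSTED_HOSTS, ["apmebf.com", "adfarm.mediaplex.com"]
    ).items():
        print(f"{name}: {'blocked' if hit else 'not blocked'}")
```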

Moderated by  alternaut, dianne, MacManiac 
