#13527 - 01/01/11 03:49 PM apmebf.com
artie505 Online


Registered: 08/04/09
I got curious about a recurring cookie, apmebf.com, and did a bit of research, and Google turned up "What is Cookie Apmebf."

A bit alarmed, I cleared my unnecessary cookies, quit and relaunched Safari, opened up my bookmarked pages one at a time, and discovered that the cookie materializes when, after logging out of PayPal, I'm redirected to PayPal Shopping, so I notified PayPal that they're spreading this malware either knowingly or unknowingly.

More importantly, though, do I have anything to worry about even though I clear the cookie as soon as I find it? (I'm not entirely clear about what it actually does.)

Thanks.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13528 - 01/01/11 05:25 PM Re: apmebf.com [Re: artie505]
ryck Offline


Registered: 08/04/09
Loc: Okanagan Valley
Thanks for the caution.

I've used PayPal a fair amount over the past six or seven weeks, so I checked my drive. I seem to be clean.

ryck
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS High Sierra 10.13.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 320GB OWC Mercury OTG Pro
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#13529 - 01/01/11 06:00 PM Re: apmebf.com [Re: artie505]
...JER Offline


Registered: 08/04/09
I checked my cookies in both Safari and Firefox and found 2 for each.
_________________________
...JER (-: >

#13531 - 01/01/11 07:52 PM Re: apmebf.com [Re: artie505]
MacManiac Offline

Moderator

Registered: 08/04/09
Loc: Paradise....on the central Ore...
Artie,

This appears to be a legacy topic that is directed primarily at Windows users. I saw no mention of it affecting the MacOS in the manner that was described for Windows......doesn't mean that it doesn't, just that it wasn't getting comments from the Mac community.

FWIW, your link is dated information tracing back to April 2005 and was last updated in May of 2006. A deeper Google search was not any more informative for recent hits.

I found a pair of Apmebf cookies when I searched in my Safari repository and removed same, but have not noted any observable adverse or unusual effects prior to removing them.....I'll report back if they recur.
_________________________
Freedom is never free....thank a Service member today.

#13533 - 01/01/11 08:37 PM Re: apmebf.com [Re: ryck]
artie505 Online


Registered: 08/04/09
Originally Posted By: ryck
Thanks for the caution.

I've used PayPal a fair amount over the past six or seven weeks, so I checked my drive. I seem to be clean.

ryck

It's PayPal Shopping that's spawning the cookie, ryck, so if you either don't get redirected from PP's logout page to PPS or close the logout page before the redirect begins you don't get the cookie.

And, on the other hand, living in Canada, you may be dealing with a different entity than the one with which I'm dealing.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13534 - 01/01/11 08:46 PM Re: apmebf.com [Re: MacManiac]
artie505 Online


Registered: 08/04/09
Originally Posted By: MacManiac
Artie,

This appears to be a legacy topic that is directed primarily at Windows users. I saw no mention of it affecting the MacOS in the manner that was described for Windows......doesn't mean that it doesn't, just that it wasn't getting comments from the Mac community.

FWIW, your link is dated information tracing back to April 2005 and was last updated in May of 2006. A deeper Google search was not any more informative for recent hits.

I found a pair of Apmebf cookies when I searched in my Safari repository and removed same, but have not noted any observable adverse or unusual effects prior to removing them.....I'll report back if they recur.

I, too, didn't find anything that indicated that this was a Mac issue, nor have I noticed any unusual behavior (which is not to say that something's not just slipping by me) but cookies are so generic that concern seems warranted.

And as for apmebf.com's "antiquity," which I also noted... From where has it been resurrected, and why is PayPal spreading it?
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13535 - 01/01/11 10:17 PM Re: apmebf.com [Re: artie505]
ganbustein Offline


Registered: 08/04/09
Originally Posted By: artie505
I got curious about a recurring cookie, apmebf.com, and did a bit of research, and Google turned up "What is Cookie Apmebf."


The page linked to says:
Quote:
Apmebf prevents access from programs to websites of several companies related with security tools (antivirus programs, firewalls, etc.).

Apmebf redirects attempts to access web pages of certain banks to spoofed pages, with the aim of logging information entered by the user in these pages.

Apmebf redirects attempts to access several web pages to a specific IP address.

Excuse me, but how is it possible for a cookie to do any of those things? This sounds like scareware, as in "Panda security is so good we protect you from this evil that no one else is bothering to protect you from."

They may as well claim that Apmebf will cause acne or make the sun wink out of existence, for all the reasonableness of their warning.

#13536 - 01/02/11 01:26 AM Re: apmebf.com [Re: ganbustein]
artie505 Online


Registered: 08/04/09
Hmmm... It did cross my mind that this thing seemed to have pretty miraculous capabilities, but I wrote my doubts off to my own lack of knowledge.

I just did some additional searching, though, and found "Google Safe Browsing diagnostic page for apmebf.com" (Recent: 2010-11-13) and "Apmebf.com is an online advertising & affiliate marketing company," both of which indicate that the cookie is at least some degree of malicious if not as insidious as Panda claims it is.

Edit: Y'know... Considering PayPal's less than savory past it wouldn't surprise me in the least to find that they've partnered with a "shady" organization. Let's see if they respond to my e-mail.


Edited by artie505 (01/02/11 01:53 AM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13555 - 01/05/11 12:25 AM Re: apmebf.com [Re: artie505]
artie505 Online


Registered: 08/04/09
And respond they did...

My e-mail to them:
Quote:
'I've just discovered that when I log out of my
PayPal account and am redirected to PayPal Shopping a new cookie,
apmebf.com, which is malware, appears in my cookie file. (See
<http://www.pandasecurity.com/homeusers/security-info/#####/Apmebf>)

And their response:

Quote:
Thank you for sending us this information. We’ll review it and contact
you by email if we need to learn more. In the future, please forward
suspicious emails to spoof@paypal.com.

Is my writing that unclear? (Edit: Rhetorical question)

(I wonder whether tacit's not posting to this thread can be taken as a sign that the issue is nothing to be worried about?)


Edited by artie505 (01/05/11 02:37 AM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13578 - 01/06/11 02:48 PM Re: apmebf.com [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
FWIW I use PayPal all the time on three different systems and there is no sign of the Apmebf cookie on any of them which would lead me to question PayPal as the source of your cookie. Perhaps a third party site you purchased something on and paid using PayPal rather than PayPal itself.

I found some other references to Apmebf which is variously referred to as spyware or a cookie and the consensus seems to be that it is a relatively low level threat. There are also some removal tools available, but the ones I found are PC Windows only. Apparently from the web sources the cookie is persistent and not easy to get rid of.
_________________________
joemikeb • moderator

#13582 - 01/06/11 03:30 PM Re: apmebf.com [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Quote:
FWIW I use PayPal all the time on three different systems and there is no sign of the Apmebf cookie on any of them which would lead me to question PayPal as the source of your cookie. Perhaps a third party site you purchased something on and paid using PayPal rather than PayPal itself.

I've recreated that cookie numerous times while observing both my Safari page and cookie list in Expose, and there's no question about its source; I log out of PayPal, the next page tells me that I'll be redirected to PayPal Shopping in 5 seconds, and immediately preceding the appearance of the PPS page the cookie appears. (Just did it again...no purchase involved...just checking my credit card balance.)

In my experience, though, the cookie is easily removable (I use Safari Cookies.) and non-recurring...not at all persistent.

Edit: I, too, didn't find anything that indicates that the cookie is more than a low level threat, but neither did I find anything that told me what it actually does.


Edited by artie505 (01/06/11 03:37 PM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13587 - 01/06/11 06:10 PM Re: apmebf.com [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
It is just curious to me that you get the cookie and I don't when using PayPal. How would you explain that?
_________________________
joemikeb • moderator

#13597 - 01/07/11 01:23 AM Re: apmebf.com [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Originally Posted By: joemikeb
It is just curious to me that you get the cookie and I don't when using PayPal. How would you explain that?

Hmmm... I know you to be thorough, so I assume you followed the steps I outlined, and I'm as mystified as you are.

I hope other users who, like myself, have found that cookie will also follow those steps and report back.

In the meantime, though, since you've kinda thrown down the gauntlet I've done some experimentation:
  1. I disabled my Safari Extensions...same results.
  2. I launched Firefox and logged in and out of PayPal...same results.
  3. I logged in to my test user account...same results. (Note that any time I log in to that account I trash and recreate it immediately upon logging back in to my boot account to maintain its pristininity.)
  4. I booted into my Leopard volume and tried the experiment in Safari/Version 3.2.3 (5525.28.3), but the redirect was different, taking me to <http://adfarm.mediaplex.com/ad/ck/3484-114004-8030-68> - tab heading: invis.gif 1x1 pixels - (which is what I remember always happening in Leopard and which I assume was a compatibility issue that's since been resolved.), with no cookie appearing. (Edit: Note, however, that when I click on that link in Safari/Version 5.0.3 (6533.19.4) the cookie appears.)
I'll be happy to do any further experimentation that you think may be useful.


Edited by artie505 (01/07/11 03:16 AM)
Edit Reason: Edit: and cleanup
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13600 - 01/07/11 04:52 AM Re: apmebf.com [Re: joemikeb]
MacManiac Offline

Moderator

Registered: 08/04/09
Loc: Paradise....on the central Ore...
FWIW, having removed the two cookies I reported on earlier in this thread, and having NOT visited PayPal since that time I discovered two more cookies when I just looked today......removed same again.

Still no indications of nefarious or suspicious actions, however, it seems interesting to see them recur.
_________________________
Freedom is never free....thank a Service member today.

#13601 - 01/07/11 05:04 AM Re: apmebf.com [Re: artie505]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
I just thought of one possibility. I have a family account on OpenDNS which provides Malware/Botnet protection and ad blocking among its services. I don't have logging turned on, so I cannot verify this, but it occurs to me that OpenDNS could easily be blocking the cookie.
_________________________
joemikeb • moderator

#13602 - 01/07/11 05:13 AM Re: apmebf.com [Re: MacManiac]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Originally Posted By: MacManiac
Still no indications of nefarious or suspicious actions, however, it seems interesting to see them recur.

When I was searching for information on this, whatever it is, I found at least a couple of threads from PC users reporting the same kind of recurrence/persistence.
_________________________
joemikeb • moderator

#13606 - 01/07/11 01:46 PM Re: apmebf.com [Re: joemikeb]
artie505 Online


Registered: 08/04/09
I'm going to abort that redirect from now on and see if the cookie reappears; the nasty thing about any reappearance, though, will be that I won't know for sure whether I'm dealing with persistence or a second source.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13617 - 01/07/11 11:30 PM Re: apmebf.com [Re: artie505]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Originally Posted By: artie505
I'm going to abort that redirect from now on and see if the cookie reappears; the nasty thing about any reappearance, though, will be that I won't know for sure whether I'm dealing with persistence or a second source.

We discussed Flash cookies in the Lounge a while back. I'm not sure how, but there may be ways to store info there and use it to regenerate deleted cookies.

As alluded to in another Lounge post, you should definitely check out the contents of these folders as well:

~/Library/Safari/LocalStorage/
~/Library/Safari/Databases/





#13618 - 01/08/11 12:39 AM Re: apmebf.com [Re: Hal Itosis]
artie505 Online


Registered: 08/04/09
Thanks, but all of that is under control.

I keep track of Flash cookies (and, by the way, apmebf is not a Flash cookie) and databases with Safari Cookies (Local Storage is included in databases.), and I also have my Flash settings bookmarked so I can easily keep track of what's going on with them.

In combination, the two avenues give me excellent control over whatever garbage who/what is d/l'ing onto my deuced Mac(hina).

And as for regenerating cookies, right now I'm playing the waiting game to see whether that's even an issue (in my instance, anyhow).

Edit: If you're suggesting that the Flash pref pane may have some control over apmebf, I've never found any indication that that's so.


Edited by artie505 (01/08/11 12:41 AM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13624 - 01/08/11 10:35 AM Re: apmebf.com [Re: artie505]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Originally Posted By: artie505
I keep track of Flash cookies (and, by the way, apmebf is not a Flash cookie)

Btw, i didn't say that it was.


Originally Posted By: artie505
Edit: If you're suggesting that the Flash pref pane may have some control over apmebf, I've never found any indication that that's so.

No, i'm suggesting that "developers" have found ways to employ Flash cookies which Adobe never initially intended (well, presumably anyway)... and therefore it won't be a feature displayed in (or managed by) that "prefPane" (or any other 3rd-party wares for that matter).

EDIT: note that there is no rule which says that any file responsible for this persistent behavior would necessarily have to have the string "apmebf" in its name, or even be visible at all. [and even if we were to grep for "apmebf" inside a file, it might be stored there in some encoded form, so it wouldn't turn up. That's precisely the sort of "precautions" those (expletives) would use.]


Edited by Hal Itosis (01/08/11 10:57 AM)
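
The point made in the post above, that a plain grep for "apmebf" misses the name when it is stored in an encoded form, can be checked with the following sketch. It is an added example, not part of the original thread; the function names and the set of encodings covered (UTF-16, hex, ROT13, reversed, base64 at all three alignments) are assumptions chosen for illustration, and the sample data is constructed.

```python
import base64
import codecs
from pathlib import Path


def encoded_forms(needle):
    """Byte patterns under which `needle` can hide from a plain-text grep."""
    raw = needle.encode("ascii")
    forms = {
        "plain": raw,
        # NUL-interleaved bytes match the name in UTF-16 text of either byte order.
        "utf-16": b"\0".join(bytes([b]) for b in raw),
        "hex": raw.hex().encode("ascii"),  # lower-case hex digits only
        "rot13": codecs.encode(needle, "rot13").encode("ascii"),
        "reversed": raw[::-1],
    }
    # Base64 output depends on where the needle starts inside a 3-byte group,
    # so build one pattern per alignment and keep only the characters that are
    # fully determined by the needle's own bytes.
    for offset in range(3):
        b64 = base64.b64encode(b"\0" * offset + raw)
        start = (8 * offset + 5) // 6          # first char free of prefix bits
        end = 8 * (offset + len(raw)) // 6     # last char free of suffix bits
        forms["base64+%d" % offset] = b64[start:end]
    return forms


def scan_bytes(data, needle):
    """Return the names of every encoded form of `needle` found in `data`."""
    return sorted(n for n, pat in encoded_forms(needle).items() if pat in data)


def scan_tree(root, needle, max_bytes=16 * 1024 * 1024):
    """Scan every readable file under `root`; returns {path: [form names]}."""
    hits = {}
    for path in Path(root).expanduser().rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size > max_bytes:
                continue
            found = scan_bytes(path.read_bytes(), needle)
        except OSError:
            continue  # unreadable file or broken symlink: skip it
        if found:
            hits[str(path)] = found
    return hits


# Constructed sample contents (not taken from any real cookie store).
SAMPLES = {
    "cookie.txt": b"domain=.apmebf.com; path=/",
    "store.localstorage": "respawn=apmebf.com".encode("utf-16-le"),
    "blob.b64": base64.b64encode(b'{"d":"apmebf.com","id":"constructed"}'),
    "clean.txt": b"domain=.example.org; path=/",
}


def scan_samples(needle="apmebf.com"):
    return {name: scan_bytes(data, needle) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(name, found or "clean")
```

To run it against the folders named earlier in the thread, call scan_tree("~/Library/Safari/LocalStorage", "apmebf.com"). A clean result only rules out the encodings listed; compressed or encrypted storage would still not turn up.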

#13626 - 01/08/11 11:57 AM Re: apmebf.com [Re: Hal Itosis]
artie505 Online


Registered: 08/04/09
Originally Posted By: Hal Itosis
Originally Posted By: artie505
I keep track of Flash cookies (and, by the way, apmebf is not a Flash cookie)

Btw, i didn't say that it was.

Since you didn't mention having found the cookie, and since it wasn't entirely clear whether your post was on or off-topic, clarification was in order.

Originally Posted By: Hal Itosis
Originally Posted By: artie505
Edit: If you're suggesting that the Flash pref pane may have some control over apmebf, I've never found any indication that that's so.

No, i'm suggesting that "developers" have found ways to employ Flash cookies which Adobe never initially intended (well, presumably anyway)... and therefore it won't be a feature displayed in (or managed by) that "prefPane" (or any other 3rd-party wares for that matter).

When I said that apmebf's not a Flash cookie I meant that Safari Cookies doesn't identify it as one; I have no idea how to tell a Flash cookie from a regular one, and, if I'm following you, neither, in some instances, has Safari Cookies.

Originally Posted By: Hal Itosis
EDIT: note that there is no rule which says that any file responsible for this persistent behavior would necessarily have to have the string "apmebf" in its name, or even be visible at all. [and even if we were to grep for "apmebf" inside a file, it might be stored there in some encoded form, so it wouldn't turn up. That's precisely the sort of "precautions" those (expletives) would use.]

It never occurred to me to search for a file that might be at the root of apmebf's persistence if, in fact, it is persistent on my deuced Mac(hina), but I did, and I didn't find an obvious one.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13630 - 01/08/11 05:17 PM Re: apmebf.com [Re: artie505]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
TBH, I'd never heard of apmebf until this thread. There's no sign of it on any of the Macs to which I have access [neither as part of a file's name, nor the content of any file, nor as any cookie (flash or non-flash).]

It's also possible for websites to store their own info about us (and/or our MAC/router addresses) perhaps. Just curious, do any cookies (of any variety) in your cupboard sport the name omniture?

EDIT: actually, i'm not sure if tracking sites like omniture (or 2o7.net whatever) even need to leave cookie crumbs. Do you use Little Snitch by any chance... or do any domain blocking via /etc/hosts?


Edited by Hal Itosis (01/08/11 05:29 PM)

#13632 - 01/08/11 08:54 PM Re: apmebf.com [Re: Hal Itosis]
artie505 Online


Registered: 08/04/09
> Just curious, do any cookies (of any variety) in your cupboard sport the name omniture?

No, nor do I remember having ever seen the name, but when I look at my cookies I look at the domain column, not the name column; I'll keep an eye peeled.

> actually, i'm not sure if tracking sites like omniture (or 2o7.net whatever) even need to leave cookie crumbs. Do you use Little Snitch by any chance... or do any domain blocking via /etc/hosts?

I use Little Snitch, and I used /etc/hosts at one time, but I don't think I'm using it now; you tell me...

Code:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost 
fe80::1%lo0	localhost
127.0.0.1 madstage.com.com

(I have seen 2o7.net any number of times (Edit: although, now that I think about it, not recently)...never knew what it was, but I never got curious about it as I did with apmebf.)

Edit 2: I just found "What is 2o7.net Tracking Cookie? All You Need To Know," which says that turning off 3rd party cookies stops 2o7.net, but my recollection is that I've always had it turned off and saw those cookies all the same.


Edited by artie505 (01/08/11 09:07 PM)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13634 - 01/09/11 01:26 AM Re: apmebf.com [Re: Hal Itosis]
artie505 Online


Registered: 08/04/09
> TBH, I'd never heard of apmebf until this thread.

Did you happen to look at "Apmebf.com is an online advertising & affiliate marketing company"?

As I said to ganbustein a week ago: "Y'know... Considering PayPal's less than savory past it wouldn't surprise me in the least to find that they've partnered with a "shady" organization. Let's see if they respond to my e-mail."

They haven't responded in substance yet, nor do I expect them to.

But shouldn't that cookie be blocked by the "3rd party" option?
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#13635 - 01/09/11 08:38 AM Re: apmebf.com [Re: artie505]
Hal Itosis Offline


Registered: 09/03/09
Loc: 10.6.8 (build 10K549)
Originally Posted By: artie505
I used /etc/hosts at one time, but I don't think I'm using it now; you tell me...
Code:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost 
fe80::1%lo0	localhost
127.0.0.1 madstage.com.com

Looks like part of the fix for slow-loading MacFixIt Archive pages is still there (last line). Details are given in a Lounge sticky.
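
The "am I still using /etc/hosts for blocking?" question from this exchange can be answered mechanically. The sketch below is an added example, not part of the original thread; the function names are illustrative, and it assumes that "blocking" means a non-system hostname mapped to a loopback or unspecified address. The sample text is the hosts file posted above.

```python
import ipaddress

# The hosts file as posted in the thread (whitespace normalised).
SAMPLE_HOSTS = """\
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
127.0.0.1 madstage.com.com
"""

SYSTEM_NAMES = {"localhost", "broadcasthost"}  # stock entries, not blocks


def parse_hosts(text):
    """Return (address, hostname) pairs; one line may carry several names."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            entries.append((address, name.lower().rstrip(".")))
    return entries


def is_sink(address):
    """True when the address sends traffic nowhere useful (loopback or 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(address.split("%", 1)[0])  # strip zone id
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def blocked_domains(text):
    """Hostnames that the file redirects to a sink address."""
    return sorted({name for address, name in parse_hosts(text)
                   if name not in SYSTEM_NAMES and is_sink(address)})


def is_blocked(text, domain):
    # hosts lookups are exact-name matches: no wildcards, and a subdomain
    # is not covered by an entry for its parent domain.
    return domain.lower().rstrip(".") in blocked_domains(text)


if __name__ == "__main__":
    print("blocked:", blocked_domains(SAMPLE_HOSTS))
    print("apmebf.com blocked?", is_blocked(SAMPLE_HOSTS, "apmebf.com"))
```

Because hosts entries match exact names only, blocking a tracking domain this way needs one line per hostname the tracker actually uses.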


Moderator:  alternaut, dianne, MacManiac