On-line experience yesterday
#15411 05/04/11 04:03 PM
Joined: Aug 2009
OP Offline
I don't think I need to be that concerned, but thought I'd run it past you guys anyway.

Yesterday I was on line, checking out the words on Spike Milligan's gravestone "I told you I was ill". I put those into Google and among the results were a row of pictures. (Or it could have been "Spike Milligan's gravestone" - either Google search yields a row of images)

Clicking on one of those images, this happened:

Another window opened on my Mac, with something doing a "scan" of my Mac, with very rapid numbers and red bars growing sideways. The "scan" window alleged that I had multiple viruses, Trojan Horses, bugs, and other evil things all over my system. I did not believe any of it, and tried to close the new window. I was offered "cancel" or "continue" or something like that, but neither of them closed the window OR stopped the "scanning". In the end I had to quit Firefox to make it shut up. Having done that, I found it had downloaded two zip files to my desktop.

I put the zip files into Trash, then did a "secure empty trash" instead of just empty trash.

Am I right in assuming this scanning window which popped up was itself a bug/virus/evil thing; that the zip files were also bugs/viruses; that doing secure-empty-trash was the correct action; and that there are no such bugs/viruses/worms/Trojan Horses for Macs anyway?

Mac OS X Tiger
Firefox
Never use social networking sites such as Facebook/Twitter, ever. I've added that clue because I've since found this:
http://www.loopinsight.com/2010/10/27/securemac-discovers-mac-os-x-trojan-horse/

Many thanks

Re: On-line experience yesterday
Bensheim #15412 05/04/11 04:20 PM
Joined: Aug 2009
Likes: 7
Online
You're right. This is a scam, and the same thing has happened to me, albeit without the downloaded .zip files. In my case, it was with Safari and I had to quit Safari in order to stop it.

It pays to be vigilant. Read Crimeware Kit Emerges for Mac OS X.


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: On-line experience yesterday
Bensheim #15413 05/04/11 04:20 PM
Joined: Aug 2009
Offline
"never" use Facebook/Twitter, etc.? please....

http://arstechnica.com/apple/news/2011/0...-cc-numbers.ars


MacBook 2.4 Ghz · 4 Gb ram · 10.7.5
stuff I'm interested in
iPhone 4s 7.0.2
Re: On-line experience yesterday
roger #15414 05/04/11 04:31 PM
Joined: Aug 2009
Likes: 15
Online
Originally Posted By: roger
"never" use Facebook/Twitter, etc.? please....

http://arstechnica.com/apple/news/2011/0...-cc-numbers.ars

Please?

What's that supposed to mean, roger?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: On-line experience yesterday
jchuzi #15415 05/04/11 05:18 PM
Joined: Aug 2009
OP Offline
Thanks Jon, but the link you posted seems to indicate that it's not a scam but an "attack tool", and why should clicking on a photo bring it up?

Er, do I need to do anything? Thanks

Re: On-line experience yesterday
artie505 #15416 05/04/11 05:34 PM
Joined: Aug 2009
Likes: 3
Moderator
Offline

Quote:
Please?

What's that supposed to mean, roger?

I suspect it's meant along the lines of "aw, c'mon," "give me a break," "for the love of Mike," "good grief," etc.



dkmarsh—member, FineTunedMac Co-op Board of Directors
Re: On-line experience yesterday
Bensheim #15417 05/04/11 05:50 PM
Joined: Aug 2009
Likes: 14
Offline
Originally Posted By: Bensheim
Clicking on one of those images, this happened:

I'm betting it's similar, or perhaps the same, as the event in this thread. It's worth reading.

ryck

Last edited by ryck; 05/04/11 05:56 PM. Reason: Grammar

ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: On-line experience yesterday
dkmarsh #15418 05/04/11 05:55 PM
Joined: Aug 2009
Likes: 15
Online
Originally Posted By: dkmarsh

Quote:
Please?

What's that supposed to mean, roger?

I suspect it's meant along the lines of "aw, c'mon," "give me a break," "for the love of Mike," "good grief," etc.

Rhetorical question!

Last edited by artie505; 05/04/11 05:56 PM. Reason: Add quote

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: On-line experience yesterday
ryck #15419 05/04/11 06:09 PM
Joined: Aug 2009
OP Offline
I've read that thread, ryck, and it's fascinating, exactly what happened to me. Thanks for the link to that thread and all the comments therein.

However I'm still somewhat concerned about something which I'll put in the next reply.

Re: On-line experience yesterday
Bensheim #15420 05/04/11 06:16 PM
Joined: Aug 2009
OP Offline
Jon's link

https://threatpost.com/en_us/blogs/crimeware-kit-emerges-mac-os-x-050211

refers to this "The kit is being sold under the name Weyland-Yutani BOT and it is the first of its kind to hit the Mac OS platform."

My blood ran cold. That is the username of a particularly vicious and very computer-savvy person I encountered a few years ago on the net. It is possible that this person created this, or, it could be a grotesque coincidence.

Further down that link it says this "...also invest in a reasonable anti-malware suite. Installing a real anti-malware package is also a good idea...."

Please advise - anyone. Thanks

Re: On-line experience yesterday
Bensheim #15421 05/04/11 07:12 PM
Joined: Aug 2009
Likes: 7
Online
I'm not saying that my link is related to your recent experience; I'm just giving a heads up.


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: On-line experience yesterday
Bensheim #15422 05/04/11 07:20 PM
Joined: Aug 2009
Likes: 15
Online
Being inordinately daring (read stupid), I Googled both your terms and clicked on every image, and...nada, zip, zero, zilch.

They're both such off-the-wall search terms that somebody's targeting them seems highly unlikely.

I dunno.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: On-line experience yesterday
artie505 #15424 05/04/11 08:19 PM
Joined: Aug 2009
OP Offline
You do not believe me? Why not?

Here is the relevant section from my history yesterday:

As you can see it results from a google search for "spike-milligan-i-told-you-i-was-ill"

Google Image Result for http://www.filehurricane.com/photos/8312007111817AM_3084439_d847e23ae7.jpg

Fast Windows Antivirus 2011
http://antivirus-worm-2011.ce.ms/fast-scan2/

in.cgi
http://dblidubo.cz.cc/in.cgi?2&seoref=http%3A%2F%2Fwww.google.co.uk%2Fimgres%3Fimgurl%3Dhttp%3A%2F %2Fwww.filehurricane.com%2Fphotos%2F8312007111817AM_3084439_d847e23ae7.jpg%26imgrefurl%3Dhttp%3A%2F%2Ffilar.co %2Fspike-milligan-i-told-you-i-was-ill%26h%3D375%26w%3D500%26sz%3D137%26tbnid%3DFLkfDamUdjXVFM%3A%26tbnh %3D98%26tbnw%3D130%26prev%3D%2Fsearch%253Fq%253Dspike%252Bmilligan%2527s%252Bgravestone%2526tbm%253Disch %2526tbo%253Du%26zoom%3D1%26q%3Dspike%2Bmilligan%2527s%2Bgravestone%26hl%3Den%26usg %3D__EPbtqp34PhKiv0vZ866eqFi96TE%3D%26sa%3DX%26ei%3DfTPATf3cLYuz8QOOiIHCBQ%26ved%3D0CCkQ9QEwBA&parameter= $keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Ffilar.co%2Fspike-milligan-i-told-you-i-was-ill&default_keyword =default

Last edited by alternaut; 05/04/11 09:47 PM. Reason: Inserted spaces in URL to undo window stretching.
Re: On-line experience yesterday
Bensheim #15425 05/04/11 08:44 PM
Joined: Aug 2009
Likes: 15
Online
I didn't say that I didn't believe you, merely that neither of the search terms you posted - Yesterday I was on line, checking out the words on Spike Milligan's gravestone "I told you I was ill". [....] (Or it could have been "Spike Milligan's gravestone" - [....]) - generated the same results for me as they did for you.

When I entered the correct search term you just posted I got your pop-up and immediately force-quit Safari. (But, as I said, it's a pretty odd search term to target.)

Note that the pop-up I got mentions both "Windows Security" and "your PC," which is pretty damning.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: On-line experience yesterday
Bensheim #15432 05/05/11 01:32 AM
Joined: Aug 2009
Likes: 1
Offline
This is a common attack vector frequently used by Russian organized crime; I see it often and have been tracking the people responsible for years.

Essentially, the scam works by opening a browser window that shows a phony "virus scan" in progress, then displays fake warnings of non-existent viruses and downloads a zip file or an executable which will supposedly "fix" the infections. People who are duped into running the download, naturally, become infected.

There are many techniques used to route traffic to the phony virus scan pages, but the most common involves creating Web sites, either on servers living in Eastern Europe or on legitimate Web servers that have been hacked, which are designed to trap Google traffic.

The Russian organized crime figures who do this will create Web pages loaded with common Google search terms. Often, these pages scan Google's list of most popular search terms automatically, then automatically generate gibberish that contains those search terms.

The fake pages full of gibberish get very, very high Google ranking because the organized criminals link to them from thousands or even tens of thousands of other Web sites. Often, these links are from comments in blogs and online forums.

Anyway, the sites are stuffed full of keywords that are popular on Google. When you click onto the site from a Google search, it redirects you to the bogus "virus scan" site that downloads the malware.

A relatively new way to trap unwary users is to create a Web site that is full of pictures that contain ALT tags stuffed with Google keywords. The pages full of pictures look at the "signatures" of incoming traffic. If they see a Google spider, they serve up the pictures. If they see a browser, they redirect to the phony "virus scan" site.

So when you do a Google image search, some of the images you see will be bogus. When you click on them, instead of being taken to the picture, you will be redirected to the malware site.

I have been working on tracking these guys for a number of years. It's difficult to do anything about them, because invariably the people responsible are Russian and thus outside the reach of US law, but it's relatively easy to get their malware sites shut down. (It's a bit like playing whack-a-mole, because for each site that's shut down they put up a new one, but at least it slows them down a bit.)

If you can remember the address of the site you saw, please contact me offlist at tacitr (at) aol (dot) com. I'd like to look into it and, if possible, shut it down.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
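Added example, not code from the thread or from any of its posters: a small Python helper that pulls apart the in.cgi history entry Bensheim posted (with the spaces the moderator inserted removed so it parses as one URL), and a check for the split behaviour tacit describes above, where a keyword-stuffed image page answers a search spider with pictures and a browser with a redirect to the fake scanner. The Response records, the two captured "views" and the function names are constructed for this example; the hostnames are the ones that appear in the thread.

```python
"""Decode a redirector URL from browser history and flag spider/browser cloaking.

Added example for this thread; the Response captures below are constructed,
not real traffic.
"""
from typing import NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

# The in.cgi history entry posted in the thread, spaces removed.
HISTORY_URL = (
    "http://dblidubo.cz.cc/in.cgi?2&seoref=http%3A%2F%2Fwww.google.co.uk%2Fimgres%3Fimgurl%3D"
    "http%3A%2F%2Fwww.filehurricane.com%2Fphotos%2F8312007111817AM_3084439_d847e23ae7.jpg"
    "%26imgrefurl%3Dhttp%3A%2F%2Ffilar.co%2Fspike-milligan-i-told-you-i-was-ill"
    "%26h%3D375%26w%3D500%26sz%3D137%26tbnid%3DFLkfDamUdjXVFM%3A%26tbnh%3D98%26tbnw%3D130"
    "%26prev%3D%2Fsearch%253Fq%253Dspike%252Bmilligan%2527s%252Bgravestone%2526tbm%253Disch%2526tbo%253Du"
    "%26zoom%3D1%26q%3Dspike%2Bmilligan%2527s%2Bgravestone%26hl%3Den"
    "%26usg%3D__EPbtqp34PhKiv0vZ866eqFi96TE%3D%26sa%3DX%26ei%3DfTPATf3cLYuz8QOOiIHCBQ%26ved%3D0CCkQ9QEwBA"
    "&parameter=$keyword&se=$se&ur=1"
    "&HTTP_REFERER=http%3A%2F%2Ffilar.co%2Fspike-milligan-i-told-you-i-was-ill"
    "&default_keyword=default"
)


def decode_redirect_chain(url: str) -> dict:
    """Unwrap the nested parameters a redirector like in.cgi carries.

    Returns the redirector host, the Google page the click was reported to
    come from (seoref), the search query inside it, the image and the site
    that hosted the stuffed page, the Referer the redirector was handed, and
    any '$placeholder' values the operator's script never filled in."""
    parts = urlsplit(url)
    outer = parse_qs(parts.query, keep_blank_values=True)
    seoref = outer.get("seoref", [""])[0]        # parse_qs has unquoted this once
    google = urlsplit(seoref)
    inner = parse_qs(google.query, keep_blank_values=True)
    unfilled = sorted(k for k, v in outer.items() if v and v[0].startswith("$"))
    return {
        "redirector_host": parts.hostname,
        "google_page": f"{google.hostname}{google.path}",
        "query": inner.get("q", [""])[0],
        "image_url": inner.get("imgurl", [""])[0],
        "landing_site": urlsplit(inner.get("imgrefurl", [""])[0]).hostname,
        "referer_site": urlsplit(outer.get("HTTP_REFERER", [""])[0]).hostname,
        "unfilled_placeholders": unfilled,
    }


class Response(NamedTuple):
    """Constructed summary of one HTTP reply: status, Location header, body note."""
    status: int
    location: Optional[str]
    body_hint: str


def looks_cloaked(as_crawler: Response, as_browser: Response, requested_host: str) -> bool:
    """True when the same URL gives a crawler a normal page but sends a browser
    off-site: the spider-sees-pictures, browser-gets-redirected pattern."""
    if as_crawler.status != 200:
        return False
    if 300 <= as_browser.status < 400 and as_browser.location:
        return urlsplit(as_browser.location).hostname != requested_host
    return False


# Constructed captures of one stuffed image page on filar.co fetched twice,
# once with a crawler User-Agent and once with a browser User-Agent.
CRAWLER_VIEW = Response(200, None, "html full of <img alt='spike milligan gravestone'> tags")
BROWSER_VIEW = Response(302, "http://antivirus-worm-2011.ce.ms/fast-scan2/", "")

if __name__ == "__main__":
    for key, value in decode_redirect_chain(HISTORY_URL).items():
        print(f"{key}: {value}")
    print("cloaked:", looks_cloaked(CRAWLER_VIEW, BROWSER_VIEW, "filar.co"))
```

Two things the decoded entry makes visible: the Referer the redirector received is the same filar.co page that Google's imgrefurl points to, so the hop really did start from the image result, and the `parameter=$keyword&se=$se` pair shows template placeholders the redirector script never substituted, a tell worth searching for in proxy logs.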
Re: On-line experience yesterday
tacit #15437 05/05/11 10:28 PM
Joined: Aug 2009
Likes: 15
Online
I can't get to the phony image again; did somebody beat you to the punch?

Edit: I don't know whether this is helpful, or even of interest, but I think the URL ended with .cz.ce

Edit 2: I just noticed that the images returned by a "Google" search have a "Report Images" button; I guess someone clicked on it.

Last edited by artie505; 05/06/11 02:46 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: On-line experience yesterday
Bensheim #15476 05/08/11 07:29 PM
Joined: Aug 2009
Offline
THIS is what they generally look like, for those of you that haven't seen them before. (That url is to a static picture of the "scan" in progress. The actual thing puts on quite a show, looks like it's scanning your C drive (my what?) and finding all sorts of bad things, and of course has a solution for sale. And pretty much no matter what you click, it finds a way to get your browser to download the .exe to your desktop.)


I work for the Department of Redundancy Department
Re: On-line experience yesterday
tacit #15523 05/10/11 09:17 PM
Joined: Aug 2009
Offline
A few days ago, while I was browsing my emails in Hotmail, my Safari browser window suddenly changed to this scareware attack. And, immediately, a .zip file began downloading, which I canceled.

The list of files in the upper central part of the window was constantly changing, appearing to scroll, and the two numbers in red circles next to "Desktop" and "Applications" kept changing.

When I closed the browser window containing the scareware attack, no other windows were open, so it actually supplanted my Hotmail window, rather than being a second window popping up. For better or worse, I didn't allow the .zip file to fully download, so I can't forward it to anyone for analysis.

Unfortunately, I can't say what, if any, action on my part caused this window to appear. In Hotmail I never click on anything but the arrows that advance me to the next email, or the "Reply", "New message" or "Delete" buttons. Is it possible that a hacker could have gotten past any security measures and planted some code on MSN's Hotmail pages? Or could it have been contained in one of the ads on the page and just responded to my cursor moving over it?

It's interesting to note that this attack is targeted to Macs (note the Mac Finder-like sidebar and the name "Apple security center"). Since I don't have folders labeled "work" or "Dropbox", it was immediately clear that it had nothing to do with my actual system.

Interesting, yes, and a bit scary.


MacBook Pro, 2.66 Ghz Intel Core i7, 4GB RAM, 500 GB HD, OSX 10.6.8
Re: On-line experience yesterday
bob82xrp #15524 05/10/11 09:28 PM
Joined: Aug 2009
Likes: 15
Online
> It's interesting to note that this attack is targeted to Macs (note the Mac Finder-like sidebar and the name "Apple security center").

Note, also, that it's illiterate...a dead giveaway: "To help protect your computer, Apple Web Security have detected Trojans and ready to remove them."

It is interesting, though, that it's targeting Macs; I hope this isn't the start of a trend.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: On-line experience yesterday
artie505 #15547 05/13/11 01:13 AM
Joined: Aug 2009
Likes: 1
Offline
The bad guys (namely, the Russian Zlob gang) have been paying attention to Macs intermittently off and on for some time. As far back as four years or so ago, I found some fake Windows antivirus sites which would look at the browser user-agent and download the OS X version of the RSplugin/DNSchanger malware if they saw a Mac browser, and a Windows malware package if they saw a Windows browser. The fake scareware sites still looked like Windows antivirus scans, but it shows they were at least thinking about Macs.

The thing they still haven't done, and something that Russian organized crime has offered a reward for if anyone figures out how to do it, is to install malware without an administrator password. On Windows this turns out to be pretty easy to do, but after considerable effort, organized crime still hasn't managed to do it on the Mac yet.

A lot of folks claim that Windows is overrun with malware and Macs aren't because Windows is more popular. The reality, of course, is that the Mac really is a harder nut to crack; figuring out how to install malware on Macs would be really profitable, but that damn "can't make it work without an administrator password" bit is kind of a buzz-kill.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
Re: On-line experience yesterday
tacit #15549 05/13/11 02:24 AM
Joined: Aug 2009
Likes: 15
Online
Thanks, tacit; your posts on these matters (in particular) are always fascinating.

> [...] figuring out how to install malware on Macs would be really profitable, but that damn "can't make it work without an administrator password" bit is kind of a buzz-kill.

Well... That's reassuring, even if only for the moment, and I hope it's for longer than that.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: On-line experience yesterday
Bensheim #15579 05/14/11 07:08 AM
Joined: Aug 2009
Likes: 15
Online


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
