On-line experience yesterday
OP
Joined: Aug 2009
I don't think I need to be that concerned, but thought I'd run it past you guys anyway.

Yesterday I was on line, checking out the words on Spike Milligan's gravestone "I told you I was ill". I put those into Google and among the results were a row of pictures. (Or it could have been "Spike Milligan's gravestone" - either Google search yields a row of images.) Clicking on one of those images, this happened: another window opened on my Mac, with something doing a "scan" of my Mac, with very rapid numbers and red bars growing sideways. The "scan" window alleged that I had multiple viruses, Trojan Horses, bugs, and other evil things all over my system. I did not believe any of it, and tried to close the new window. I was offered "cancel" or "continue" or something like that, but neither of them closed the window OR stopped the "scanning". In the end I had to quit Firefox to make it shut up.

Having done that, I found it had downloaded two zip files to my desktop. I put the zip files into Trash, then did a "secure empty trash" instead of just empty trash.

Am I right in assuming this scanning window which popped up was itself a bug/virus/evil thing; that the zip files were also bugs/viruses; that doing secure-empty-trash was the correct action; and that there are no such bugs/viruses/worms/Trojan Horses for Macs anyway?

Mac OS X Tiger, Firefox. Never use social networking sites such as Facebook/Twitter, ever. I've added that clue because I've since found this: http://www.loopinsight.com/2010/10/27/securemac-discovers-mac-os-x-trojan-horse/

Many thanks
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 7
You're right. This is a scam, and the same thing has happened to me, albeit without the downloaded .zip files. In my case, it was with Safari and I had to quit Safari in order to stop it. It pays to be vigilant. Read Crimeware Kit Emerges for Mac OS X.
Jon
macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: On-line experience yesterday
Joined: Aug 2009
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 15
> Please?

What's that supposed to mean, roger?
The new Great Equalizer is the SEND button.
In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: On-line experience yesterday
OP
Joined: Aug 2009
Thanks Jon, but the link you posted seems to indicate that it's not a scam but an "attack tool", and why should clicking on a photo bring it up?
Er, do I need to do anything? Thanks
Re: On-line experience yesterday
Moderator
Joined: Aug 2009
Likes: 3
> Please?

> What's that supposed to mean, roger?

I suspect it's meant along the lines of "aw, c'mon," "give me a break," "for the love of Mike," "good grief," etc.
dkmarsh—member, FineTunedMac Co-op Board of Directors
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 14
> Clicking on one of those images, this happened:

I'm betting it's similar, or perhaps the same, as the event in this thread. It's worth reading.

ryck
Last edited by ryck; 05/04/11 05:56 PM. Reason: Grammar
"What Were Once Vices Are Now Habits" The Doobie Brothers
iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4 OS Ventura 13.6.3 Canon Pixma TR 8520 Printer Epson Perfection V500 Photo Scanner c/w VueScan software TM on 1TB LaCie USB-C
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 15
> Please?

> What's that supposed to mean, roger? I suspect it's meant along the lines of "aw, c'mon," "give me a break," "for the love of Mike," "good grief," etc.

Rhetorical question!
Last edited by artie505; 05/04/11 05:56 PM. Reason: Add quote
Re: On-line experience yesterday
OP
Joined: Aug 2009
I've read that thread, ryck, and it's fascinating, exactly what happened to me. Thanks for the link to that thread and all the comments therein.
However I'm still somewhat concerned about something which I'll put in the next reply.
Re: On-line experience yesterday
OP
Joined: Aug 2009
Jon's link https://threatpost.com/en_us/blogs/crimeware-kit-emerges-mac-os-x-050211 refers to this:

> The kit is being sold under the name Weyland-Yutani BOT and it is the first of its kind to hit the Mac OS platform.

My blood ran cold. That is the username of a particularly vicious and very computer-savvy person I encountered a few years ago on the net. It is possible that this person created this, or, it could be a grotesque coincidence.

Further down that link it says this:

> ...also invest in a reasonable anti-malware suite. Installing a real anti-malware package is also a good idea....

Please advise - anyone. Thanks
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 7
I'm not saying that my link is related to your recent experience; I'm just giving a heads up.
Jon
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 15
Being inordinately daring (read stupid), I Googled both your terms and clicked on every image, and...nada, zip, zero, zilch. They're both such off-the-wall search terms that somebody's targeting them seems highly unlikely. I dunno.
Re: On-line experience yesterday
OP
Joined: Aug 2009
You do not believe me? Why not? Here is the relevant section from my history yesterday. As you can see it results from a google search for "spike-milligan-i-told-you-i-was-ill":

Google Image Result for http://www.filehurricane.com/photos/8312007111817AM_3084439_d847e23ae7.jpg

Fast Windows Antivirus 2011 http://antivirus-worm-2011.ce.ms/fast-scan2/in.cgi

http://dblidubo.cz.cc/in.cgi?2&seoref=http%3A%2F%2Fwww.google.co.uk%2Fimgres%3Fimgurl%3Dhttp%3A%2F %2Fwww.filehurricane.com%2Fphotos%2F8312007111817AM_3084439_d847e23ae7.jpg%26imgrefurl%3Dhttp%3A%2F%2Ffilar.co %2Fspike-milligan-i-told-you-i-was-ill%26h%3D375%26w%3D500%26sz%3D137%26tbnid%3DFLkfDamUdjXVFM%3A%26tbnh %3D98%26tbnw%3D130%26prev%3D%2Fsearch%253Fq%253Dspike%252Bmilligan%2527s%252Bgravestone%2526tbm%253Disch %2526tbo%253Du%26zoom%3D1%26q%3Dspike%2Bmilligan%2527s%2Bgravestone%26hl%3Den%26usg %3D__EPbtqp34PhKiv0vZ866eqFi96TE%3D%26sa%3DX%26ei%3DfTPATf3cLYuz8QOOiIHCBQ%26ved%3D0CCkQ9QEwBA&parameter= $keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Ffilar.co%2Fspike-milligan-i-told-you-i-was-ill&default_keyword =default
Last edited by alternaut; 05/04/11 09:47 PM. Reason: Inserted spaces in URL to undo window stretching.
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 15
I didn't say that I didn't believe you, merely that neither of the search terms you posted - Yesterday I was on line, checking out the words on Spike Milligan's gravestone "I told you I was ill". [....] (Or it could have been "Spike Milligan's gravestone" - [....]) - generated the same results for me as they did for you.
When I entered the correct search term you just posted I got your pop-up and immediately force-quit Safari. (But, as I said, it's a pretty odd search term to target.)
Note that the pop-up I got mentions both "Windows Security" and "your PC," which is pretty damning.
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 1
This is a common attack vector frequently used by Russian organized crime; I see it often and have been tracking the people responsible for years.
Essentially, the scam works by opening a browser window that shows a phony "virus scan" in progress, then displays fake warnings of non-existent viruses and downloads a zip file or an executable which will supposedly "fix" the infections. People who are duped into running the download, naturally, become infected.
There are many techniques used to route traffic to the phony virus scan pages, but the most common involves creating Web sites, either on servers living in Eastern Europe or on legitimate Web servers that have been hacked, which are designed to trap Google traffic.
The Russian organized crime figures who do this will create Web pages loaded with common Google search terms. Often, these pages scan Google's list of most popular search terms automatically, then automatically generate gibberish that contains those search terms.
The fake pages full of gibberish get very, very high Google ranking because the organized criminals link to them from thousands or even tens of thousands of other Web sites. Often, these links are from comments in blogs and online forums.
Anyway, the sites are stuffed full of keywords that are popular on Google. When you click onto the site from a Google search, it redirects you to the bogus "virus scan" site that downloads the malware.
A relatively new way to trap unwary users is to create a Web site that is full of pictures that contain ALT tags stuffed with Google keywords. The pages full of pictures look at the "signatures" of incoming traffic. If they see a Google spider, they serve up the pictures. If they see a browser, they redirect to the phony "virus scan" site.
So when you do a Google image search, some of the images you see will be bogus. When you click on them, instead of being taken to the picture, you will be redirected to the malware site.
I have been working on tracking these guys for a number of years. It's difficult to do anything about them, because invariably the people responsible are Russian and thus outside the reach of US law, but it's relatively easy to get their malware sites shut down. (It's a bit like playing whack-a-mole, because for each site that's shut down they put up a new one, but at least it slows them down a bit.)
If you can remember the address of the site you saw, please contact me offlist at tacitr (at) aol (dot) com. I'd like to look into it and, if possible, shut it down.
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 15
I can't get to the phony image again; did somebody beat you to the punch?
Edit: I don't know whether this is helpful, or even of interest, but I think the URL ended with .cz.ce
Edit 2: I just noticed that the images returned by a "Google" search have a "Report Images" button; I guess someone clicked on it.
Last edited by artie505; 05/06/11 02:46 AM.
Re: On-line experience yesterday
Joined: Aug 2009
THIS is what they generally look like, for those of you that haven't seen them before. (That URL is to a static picture of the "scan" in progress.) The actual thing puts on quite a show, looks like it's scanning your C drive (my what?) and finding all sorts of bad things, and of course has a solution for sale. And pretty much no matter what you click, it finds a way to get your browser to download the .exe to your desktop.
I work for the Department of Redundancy Department
Re: On-line experience yesterday
Joined: Aug 2009
A few days ago, while I was browsing my emails in Hotmail, my Safari browser window suddenly changed to this scareware attack. And, immediately, a .zip file began downloading, which I canceled.

The list of files in the upper central part of the window was constantly changing, appearing to scroll, and the two numbers in red circles next to "Desktop" and "Applications" kept changing. When I closed the browser window containing the scareware attack, no other windows were open, so it actually supplanted my Hotmail window, rather than being a second window popping up.

For better or worse, I didn't allow the .zip file to fully download, so I can't forward it to anyone for analysis.

Unfortunately, I can't say what, if any, action on my part caused this window to appear. In Hotmail I never click on anything but the arrows that advance me to the next email, or the "Reply", "New message" or "Delete" buttons. Is it possible that a hacker could have gotten past any security measures and planted some code on MSN's Hotmail pages? Or could it have been contained in one of the ads on the page and just responded to my cursor moving over it?

It's interesting to note that this attack is targeted to Macs (note the Mac Finder-like sidebar and the name "Apple security center"). Since I don't have folders labeled "work" or "Dropbox", it was immediately clear that it had nothing to do with my actual system. Interesting, yes, and a bit scary.
MacBook Pro, 2.66 Ghz Intel Core i7, 4GB RAM, 500 GB HD, OSX 10.6.8
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 15
> It's interesting to note that this attack is targeted to Macs (note the Mac Finder-like sidebar and the name "Apple security center").
Note, also, that it's illiterate...a dead giveaway: "To help protect your computer, Apple Web Security have detected Trojans and ready to remove them."
It is interesting, though, that it's targeting Macs; I hope this isn't the start of a trend.
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 1
The bad guys (namely, the Russian Zlob gang) have been paying attention to Macs intermittently off and on for some time. As far back as four years or so ago, I found some fake Windows antivirus sites which would look at the browser user-agent and download the OS X version of the RSplugin/DNSchanger malware if they saw a Mac browser, and a Windows malware package if they saw a Windows browser. The fake scareware sites still looked like Windows antivirus scans, but it shows they were at least thinking about Macs.
The thing they still haven't done, and something that Russian organized crime has offered a reward for if anyone figures out how to do it, is to install malware without an administrator password. On Windows this turns out to be pretty easy to do, but after considerable effort, organized crime still hasn't managed to do it on the Mac yet.
A lot of folks claim that Windows is overrun with malware and Macs aren't because Windows is more popular. The reality, of course, is that the Mac really is a harder nut to crack; figuring out how to install malware on Macs would be really profitable, but that damn "can't make it work without an administrator password" bit is kind of a buzz-kill.
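Added example, not code from this thread or from any poster: a differential fetch that a site owner or researcher can run against a suspect URL. It requests the same page as a search-engine crawler, a Mac browser and a Windows browser and flags the two behaviours described in tacit's posts above: the crawler staying on the keyword page while browsers are bounced to another host (cloaking), and the Mac and Windows browsers being sent to different targets (per-OS payload selection). The user-agent strings, the `.invalid` hostnames and the `constructed_cloaked_site` stand-in for a live server are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

# Probe identities (illustrative strings chosen for this example, not exact crawler signatures).
PROBES = {
    "crawler": "Googlebot/2.1 (+http://www.google.com/bot.html)",
    "mac_browser": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) Safari/533.21.1",
    "win_browser": "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Firefox/4.0",
}

@dataclass
class Response:
    status: int
    location: Optional[str]  # Location header on a redirect, else None
    body: str

Fetcher = Callable[[str, str], Response]  # (url, user_agent) -> Response

def landing_host(url: str, resp: Response) -> str:
    """Host the client ends up on: the redirect target if any, else the page itself."""
    target = resp.location if 300 <= resp.status < 400 and resp.location else url
    return urlparse(target).hostname or ""

def check_cloaking(url: str, fetch: Fetcher) -> dict:
    """Fetch the same URL once per probe identity and compare where each one lands."""
    seen = {name: fetch(url, ua) for name, ua in PROBES.items()}
    hosts = {name: landing_host(url, resp) for name, resp in seen.items()}
    findings = []
    # Crawler stays on the keyword page while browsers are bounced elsewhere.
    for name in ("mac_browser", "win_browser"):
        if hosts[name] != hosts["crawler"]:
            findings.append(f"{name} lands on {hosts[name]} (HTTP {seen[name].status}); "
                            f"crawler stays on {hosts['crawler']} (HTTP {seen['crawler'].status})")
    # Browsers of different OSes sent to different targets: per-OS payload selection.
    if seen["mac_browser"].location != seen["win_browser"].location:
        findings.append("Mac and Windows browsers receive different redirect targets")
    return {"cloaked": bool(findings), "hosts": hosts, "findings": findings}

def constructed_cloaked_site(url: str, user_agent: str) -> Response:
    """Constructed stand-in for a live server, modelled on the behaviour the thread describes."""
    if "Googlebot" in user_agent:  # crawler is served the keyword-stuffed pictures
        return Response(200, None, "<img alt='spike milligan gravestone'>")
    os_tag = "mac" if "Macintosh" in user_agent else "win"  # browsers are redirected
    return Response(302, f"http://fake-av.invalid/scan/{os_tag}/in.cgi", "")

if __name__ == "__main__":
    for line in check_cloaking("http://keyword-page.invalid/gallery", constructed_cloaked_site)["findings"]:
        print(line)
```

To run it against a real URL, supply a `fetch` that issues one HTTP request with the given `User-Agent` and does not follow redirects, so the `Location` header is preserved for comparison.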
Re: On-line experience yesterday
Joined: Aug 2009
Likes: 15
Thanks, tacit; your posts on these matters (in particular) are always fascinating.

> [...] figuring out how to install malware on Macs would be really profitable, but that damn "can't make it work without an administrator password" bit is kind of a buzz-kill.

Well... That's reassuring, even if only for the moment, and I hope it's for longer than that.