#15411 - 05/04/11 09:03 AM On-line experience yesterday
Bensheim


Registered: 08/16/09
Loc: UK
I don't think I need to be that concerned, but thought I'd run it past you guys anyway.

Yesterday I was online, checking out the words on Spike Milligan's gravestone "I told you I was ill". I put those into Google and among the results were a row of pictures. (Or it could have been "Spike Milligan's gravestone" - either Google search yields a row of images)

Clicking on one of those images, this happened:

Another window opened on my Mac, with something doing a "scan" of my Mac, with very rapid numbers and red bars growing sideways. The "scan" window alleged that I had multiple viruses, Trojan Horses, bugs, and other evil things all over my system. I did not believe any of it, and tried to close the new window. I was offered "cancel" or "continue" or something like that, but neither of them closed the window OR stopped the "scanning". In the end I had to quit Firefox to make it shut up. Having done that, I found it had downloaded two zip files to my desktop.

I put the zip files into Trash, then did a "secure empty trash" instead of just empty trash.

Am I right in assuming this scanning window which popped up was itself a bug/virus/evil thing; that the zip files were also bugs/viruses; that doing secure-empty-trash was the correct action; and that there are no such bugs/viruses/worms/Trojan Horses for Macs anyway?

Mac OS X Tiger
Firefox
Never use social networking sites such as Facebook/Twitter, ever. I've added that clue because I've since found this:
http://www.loopinsight.com/2010/10/27/securemac-discovers-mac-os-x-trojan-horse/

Many thanks

#15412 - 05/04/11 09:20 AM Re: On-line experience yesterday [Re: Bensheim]
jchuzi


Registered: 08/04/09
Loc: New York State
You're right. This is a scam, and the same thing has happened to me, albeit without the downloaded .zip files. In my case, it was with Safari and I had to quit Safari in order to stop it.

It pays to be vigilant. Read Crimeware Kit Emerges for Mac OS X.
_________________________
Jon

macOS 10.15.5, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

#15413 - 05/04/11 09:20 AM Re: On-line experience yesterday [Re: Bensheim]
roger


Registered: 08/04/09
Loc: Vermont
"never" use Facebook/Twitter, etc.? please....

http://arstechnica.com/apple/news/2011/0...-cc-numbers.ars
_________________________
MacBook 2.4 Ghz · 4 Gb ram · 10.7.5
stuff I'm interested in
iPhone 4s 7.0.2

#15414 - 05/04/11 09:31 AM Re: On-line experience yesterday [Re: roger]
artie505


Registered: 08/04/09
Originally Posted By: roger
"never" use Facebook/Twitter, etc.? please....

http://arstechnica.com/apple/news/2011/0...-cc-numbers.ars

Please?

What's that supposed to mean, roger?
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#15415 - 05/04/11 10:18 AM Re: On-line experience yesterday [Re: jchuzi]
Bensheim


Registered: 08/16/09
Loc: UK
Thanks Jon, but the link you posted seems to indicate that it's not a scam but an "attack tool", and why should clicking on a photo bring it up?

Er, do I need to do anything? Thanks

#15416 - 05/04/11 10:34 AM Re: On-line experience yesterday [Re: artie505]
dkmarsh
Moderator

Registered: 08/04/09

Quote:
Please?

What's that supposed to mean, roger?

I suspect it's meant along the lines of "aw, c'mon," "give me a break," "for the love of Mike," "good grief," etc.
_________________________

dkmarsh • member, FineTunedMac Co-op Board of Directors

#15417 - 05/04/11 10:50 AM Re: On-line experience yesterday [Re: Bensheim]
ryck


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: Bensheim
Clicking on one of those images, this happened:

I'm betting it's similar, or perhaps the same, as the event in this thread. It's worth reading.

ryck


Edited by ryck (05/04/11 10:56 AM)
Edit Reason: Grammar
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#15418 - 05/04/11 10:55 AM Re: On-line experience yesterday [Re: dkmarsh]
artie505


Registered: 08/04/09
Originally Posted By: dkmarsh

Quote:
Please?

What's that supposed to mean, roger?

I suspect it's meant along the lines of "aw, c'mon," "give me break," "for the love of Mike," "good grief," etc.

Rhetorical question!


Edited by artie505 (05/04/11 10:56 AM)
Edit Reason: Add quote
#15419 - 05/04/11 11:09 AM Re: On-line experience yesterday [Re: ryck]
Bensheim


Registered: 08/16/09
Loc: UK
I've read that thread, ryck, and it's fascinating, exactly what happened to me. Thanks for the link to that thread and all the comments therein.

However I'm still somewhat concerned about something which I'll put in the next reply.

#15420 - 05/04/11 11:16 AM Re: On-line experience yesterday [Re: Bensheim]
Bensheim


Registered: 08/16/09
Loc: UK
Jon's link

https://threatpost.com/en_us/blogs/crimeware-kit-emerges-mac-os-x-050211

refers to this "The kit is being sold under the name Weyland-Yutani BOT and it is the first of its kind to hit the Mac OS platform."

My blood ran cold. That is the username of a particularly vicious and very computer-savvy person I encountered a few years ago on the net. It is possible that this person created this, or, it could be a grotesque coincidence.

Further down that link it says this "...also invest in a reasonable anti-malware suite. Installing a real anti-malware package is also a good idea...."

Please advise - anyone. Thanks

#15421 - 05/04/11 12:12 PM Re: On-line experience yesterday [Re: Bensheim]
jchuzi


Registered: 08/04/09
Loc: New York State
I'm not saying that my link is related to your recent experience; I'm just giving a heads up.
#15422 - 05/04/11 12:20 PM Re: On-line experience yesterday [Re: Bensheim]
artie505


Registered: 08/04/09
Being inordinately daring (read stupid), I Googled both your terms and clicked on every image, and...nada, zip, zero, zilch.

They're both such off-the-wall search terms that somebody's targeting them seems highly unlikely.

I dunno.
#15424 - 05/04/11 01:19 PM Re: On-line experience yesterday [Re: artie505]
Bensheim


Registered: 08/16/09
Loc: UK
You do not believe me? Why not?

Here is the relevant section from my history yesterday:

As you can see it results from a google search for "spike-milligan-i-told-you-i-was-ill"

Google Image Result for http://www.filehurricane.com/photos/8312007111817AM_3084439_d847e23ae7.jpg

Fast Windows Antivirus 2011
http://antivirus-worm-2011.ce.ms/fast-scan2/

in.cgi
http://dblidubo.cz.cc/in.cgi?2&seoref=http%3A%2F%2Fwww.google.co.uk%2Fimgres%3Fimgurl%3Dhttp%3A%2F %2Fwww.filehurricane.com%2Fphotos%2F8312007111817AM_3084439_d847e23ae7.jpg%26imgrefurl%3Dhttp%3A%2F%2Ffilar.co %2Fspike-milligan-i-told-you-i-was-ill%26h%3D375%26w%3D500%26sz%3D137%26tbnid%3DFLkfDamUdjXVFM%3A%26tbnh %3D98%26tbnw%3D130%26prev%3D%2Fsearch%253Fq%253Dspike%252Bmilligan%2527s%252Bgravestone%2526tbm%253Disch %2526tbo%253Du%26zoom%3D1%26q%3Dspike%2Bmilligan%2527s%2Bgravestone%26hl%3Den%26usg %3D__EPbtqp34PhKiv0vZ866eqFi96TE%3D%26sa%3DX%26ei%3DfTPATf3cLYuz8QOOiIHCBQ%26ved%3D0CCkQ9QEwBA&parameter= $keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Ffilar.co%2Fspike-milligan-i-told-you-i-was-ill&default_keyword =default


Edited by alternaut (05/04/11 02:47 PM)
Edit Reason: Inserted spaces in URL to undo window stretching.

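The history entry in the post above is a complete redirect chain and can be unpacked offline. What follows is an added example, not code from the original post or from anyone in this thread: it takes the `in.cgi` URL exactly as recorded (with the spaces a moderator inserted for line-wrapping removed), decodes the `seoref` parameter to recover the Google image search that started the chain, the "doorway" page Google had indexed and the image it hotlinked, and flags the `$keyword`/`$se` values, which are unexpanded template placeholders rather than real parameters. The field names (`doorway_page`, `tds_host` and so on) are this example's own labels, not anything the redirect script itself uses.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The in.cgi URL from the browser history in the post above, with the spaces a
# moderator inserted for line-wrapping removed so that it parses as one URL.
HISTORY_URL = (
    "http://dblidubo.cz.cc/in.cgi?2&seoref=http%3A%2F%2Fwww.google.co.uk%2Fimgres%3Fimgurl%3Dhttp%3A%2F"
    "%2Fwww.filehurricane.com%2Fphotos%2F8312007111817AM_3084439_d847e23ae7.jpg%26imgrefurl%3Dhttp%3A%2F%2Ffilar.co"
    "%2Fspike-milligan-i-told-you-i-was-ill%26h%3D375%26w%3D500%26sz%3D137%26tbnid%3DFLkfDamUdjXVFM%3A%26tbnh"
    "%3D98%26tbnw%3D130%26prev%3D%2Fsearch%253Fq%253Dspike%252Bmilligan%2527s%252Bgravestone%2526tbm%253Disch"
    "%2526tbo%253Du%26zoom%3D1%26q%3Dspike%2Bmilligan%2527s%2Bgravestone%26hl%3Den%26usg"
    "%3D__EPbtqp34PhKiv0vZ866eqFi96TE%3D%26sa%3DX%26ei%3DfTPATf3cLYuz8QOOiIHCBQ%26ved%3D0CCkQ9QEwBA&parameter="
    "$keyword&se=$se&ur=1&HTTP_REFERER=http%3A%2F%2Ffilar.co%2Fspike-milligan-i-told-you-i-was-ill&default_keyword"
    "=default"
)


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def unpack_redirect(url):
    """Decode a redirect URL of this shape into the chain search engine -> doorway page -> redirector.

    The labels used here (tds_host, doorway_page, ...) are this example's own.
    """
    parts = urlsplit(url)
    outer = parse_qs(parts.query, keep_blank_values=True)
    chain = {"tds_host": _host(url), "tds_path": parts.path}

    # seoref carries the page the visitor came from, URL-encoded once. Here it is
    # a Google image-result page whose own query string names the image (imgurl),
    # the page that embedded it (imgrefurl) and the search terms typed in (q).
    seoref = outer.get("seoref", [""])[0]
    chain["search_engine_referer"] = seoref
    inner = parse_qs(urlsplit(seoref).query, keep_blank_values=True) if seoref else {}
    chain["search_query"] = inner.get("q", [""])[0]
    chain["image_url"] = inner.get("imgurl", [""])[0]
    chain["doorway_page"] = inner.get("imgrefurl", [""])[0]
    chain["doorway_referer"] = outer.get("HTTP_REFERER", [""])[0]

    # Two tells worth recording: the image was hotlinked from a host other than
    # the page that ranked for it, and "$keyword" / "$se" are placeholders the
    # kit's template never filled in.
    chain["image_hotlinked"] = bool(chain["image_url"]) and _host(chain["image_url"]) != _host(chain["doorway_page"])
    chain["unfilled_placeholders"] = sorted(
        v for values in outer.values() for v in values if re.fullmatch(r"\$\w+", v)
    )
    return chain


if __name__ == "__main__":
    for key, value in unpack_redirect(HISTORY_URL).items():
        print(f"{key:24} {value}")
```

The same decoding applies to any redirector that stashes the referer in a query parameter: decode once, then parse the inner URL's own query string, and keep the hostnames at each hop, since those (not the image or the search terms) are what to report for takedown.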
#15425 - 05/04/11 01:44 PM Re: On-line experience yesterday [Re: Bensheim]
artie505


Registered: 08/04/09
I didn't say that I didn't believe you, merely that neither of the search terms you posted - Yesterday I was on line, checking out the words on Spike Milligan's gravestone "I told you I was ill". [....] (Or it could have been "Spike Milligan's gravestone" - [....]) - generated the same results for me as they did for you.

When I entered the correct search term you just posted I got your pop-up and immediately force-quit Safari. (But, as I said, it's a pretty odd search term to target.)

Note that the pop-up I got mentions both "Windows Security" and "your PC," which is pretty damning.
#15432 - 05/04/11 06:32 PM Re: On-line experience yesterday [Re: Bensheim]
tacit


Registered: 08/03/09
Loc: Portland, Oregon, USA
This is a common attack vector frequently used by Russian organized crime; I see it often and have been tracking the people responsible for years.

Essentially, the scam works by opening a browser window that shows a phony "virus scan" in progress, then displays fake warnings of non-existent viruses and downloads a zip file or an executable which will supposedly "fix" the infections. People who are duped into running the download, naturally, become infected.

There are many techniques used to route traffic to the phony virus scan pages, but the most common involves creating Web sites, either on servers living in Eastern Europe or on legitimate Web servers that have been hacked, which are designed to trap Google traffic.

The Russian organized crime figures who do this will create Web pages loaded with common Google search terms. Often, these pages scan Google's list of most popular search terms automatically, then automatically generate gibberish that contains those search terms.

The fake pages full of gibberish get very, very high Google ranking because the organized criminals link to them from thousands or even tens of thousands of other Web sites. Often, these links are from comments in blogs and online forums.

Anyway, the sites are stuffed full of keywords that are popular on Google. When you click onto the site from a Google search, it redirects you to the bogus "virus scan" site that downloads the malware.

A relatively new way to trap unwary users is to create a Web site that is full of pictures that contain ALT tags stuffed with Google keywords. The pages full of pictures look at the "signatures" of incoming traffic. If they see a Google spider, they serve up the pictures. If they see a browser, they redirect to the phony "virus scan" site.

So when you do a Google image search, some of the images you see will be bogus. When you click on them, instead of being taken to the picture, you will be redirected to the malware site.

I have been working on tracking these guys for a number of years. It's difficult to do anything about them, because invariably the people responsible are Russian and thus outside the reach of US law, but it's relatively easy to get their malware sites shut down. (It's a bit like playing whack-a-mole, because for each site that's shut down they put up a new one, but at least it slows them down a bit.)

If you can remember the address of the site you saw, please contact me offlist at tacitr (at) aol (dot) com. I'd like to look into it and, if possible, shut it down.
_________________________
Photo gallery, all about me, and more: www.xeromag.com/franklin.html

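The cloaking tacit describes (one answer for the Google spider, a redirect for a browser arriving from a search result, and nothing suspicious for anyone who types the address in directly) is exactly why "I clicked every image and got nothing" proves little. The following is an added example, not code from the post or from the people tacit is tracking: `doorway_handler` is a constructed model of that server-side logic, and `probe_for_cloaking` is the differential check an analyst would run before reporting a site, fetching the same page under a crawler signature, a browser signature with a search-engine referer, and a browser signature with no referer, then comparing what came back. The user-agent strings, the referer and the `scareware.invalid` host are placeholders; to run the probe against a live site, replace `doorway_handler` with a small wrapper around your HTTP client that returns `(status, headers, body)` without following redirects.

```python
import hashlib
import re

# Constructed request signatures (assumed values, not from the post).
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.4; en-GB; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17"
SEARCH_REFERER = "http://www.google.co.uk/imgres?q=spike+milligan%27s+gravestone&tbm=isch"

# Placeholder for the redirect target; .invalid never resolves.
SCAREWARE_URL = "http://scareware.invalid/fast-scan2/"


def doorway_handler(headers):
    """Constructed model of a cloaking doorway page; returns (status, headers, body).

    A crawler gets the keyword-stuffed image page so the page ranks; a browser
    arriving from a search engine is bounced to the scareware site; anyone else
    (an analyst typing the URL in directly) gets a harmless page.
    """
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if re.search(r"googlebot|bingbot|yandex", ua, re.I):
        body = "<html><img src='gravestone.jpg' alt='spike milligan gravestone i told you i was ill'></html>"
        return 200, {}, body
    if re.match(r"https?://(www\.)?google\.", referer):
        return 302, {"Location": SCAREWARE_URL + "?seoref=" + referer}, ""
    return 200, {}, "<html><body>Welcome</body></html>"


def honest_handler(headers):
    """Control: a site that serves every visitor the same page."""
    return 200, {}, "<html><img src='gravestone.jpg'></html>"


PROBES = (
    ("crawler", {"User-Agent": CRAWLER_UA}),
    ("browser_from_search", {"User-Agent": BROWSER_UA, "Referer": SEARCH_REFERER}),
    ("browser_direct", {"User-Agent": BROWSER_UA}),
)


def probe_for_cloaking(handler, probes=PROBES):
    """Fetch one URL under several visitor signatures and compare the responses.

    `handler` maps request headers to (status, response_headers, body); the
    crawler's answer is the baseline because that is what the search engine
    indexed. Returns (verdict, per-probe results).
    """
    seen = {}
    for name, req_headers in probes:
        status, resp_headers, body = handler(dict(req_headers))
        seen[name] = {
            "status": status,
            "location": resp_headers.get("Location"),
            "body_sha256": hashlib.sha256(body.encode()).hexdigest(),
        }
    baseline = seen["crawler"]
    verdict = {"cloaked": False, "search_traffic_redirected_to": None}
    for name, result in seen.items():
        if (result["status"], result["body_sha256"]) != (baseline["status"], baseline["body_sha256"]):
            verdict["cloaked"] = True
        if name == "browser_from_search" and result["status"] in (301, 302, 303, 307, 308):
            verdict["search_traffic_redirected_to"] = result["location"]
    return verdict, seen


if __name__ == "__main__":
    for label, handler in (("doorway", doorway_handler), ("honest", honest_handler)):
        verdict, _ = probe_for_cloaking(handler)
        print(label, verdict)
```

Two practical notes when running this for real: send the probes from an address the doorway has not already seen (many of these scripts fingerprint repeat visitors and go quiet), and do not follow the redirect from the probing machine; record the `Location` and hand it to the takedown contact instead.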
#15437 - 05/05/11 03:28 PM Re: On-line experience yesterday [Re: tacit]
artie505


Registered: 08/04/09
I can't get to the phony image again; did somebody beat you to the punch?

Edit: I don't know whether this is helpful, or even of interest, but I think the URL ended with .cz.ce

Edit 2: I just noticed that the images returned by a "Google" search have a "Report Images" button; I guess someone clicked on it.


Edited by artie505 (05/05/11 07:46 PM)
#15476 - 05/08/11 12:29 PM Re: On-line experience yesterday [Re: Bensheim]
Virtual1


Registered: 08/04/09
Loc: Iowa
THIS is what they generally look like, for those of you that haven't seen them before. (That URL is to a static picture of the "scan" in progress. The actual thing puts on quite a show, looks like it's scanning your C drive (my what?) and finding all sorts of bad things, and of course has a solution for sale. And pretty much no matter what you click, it finds a way to get your browser to download the .exe to your desktop.)
_________________________
I work for the Department of Redundancy Department

#15523 - 05/10/11 02:17 PM Re: On-line experience yesterday [Re: tacit]
bob82xrp


Registered: 08/04/09
Loc: Tucson
A few days ago, while I was browsing my emails in Hotmail, my Safari browser window suddenly changed to this scareware attack. And, immediately, a .zip file began downloading, which I canceled.

The list of files in the upper central part of the window was constantly changing, appearing to scroll, and the two numbers in red circles next to "Desktop" and "Applications" kept changing.

When I closed the browser window containing the scareware attack, no other windows were open, so it actually supplanted my Hotmail window, rather than being a second window popping up. For better or worse, I didn't allow the .zip file to fully download, so I can't forward it to anyone for analysis.

Unfortunately, I can't say what, if any, action on my part caused this window to appear. In Hotmail I never click on anything but the arrows that advance me to the next email, or the "Reply", "New message" or "Delete" buttons. Is it possible that a hacker could have gotten past any security measures and planted some code on MSN's Hotmail pages? Or could it have been contained in one of the ads on the page and just responded to my cursor moving over it?

It's interesting to note that this attack is targeted to Macs (note the Mac Finder-like sidebar and the name "Apple security center"). Since I don't have folders labeled "work" or "Dropbox", it was immediately clear that it had nothing to do with my actual system.

Interesting, yes, and a bit scary.
_________________________
MacBook Pro, 2.66 Ghz Intel Core i7, 4GB RAM, 500 GB HD, OSX 10.6.8

#15524 - 05/10/11 02:28 PM Re: On-line experience yesterday [Re: bob82xrp]
artie505


Registered: 08/04/09
> It's interesting to note that this attack is targeted to Macs (note the Mac Finder-like sidebar and the name "Apple security center").

Note, also, that it's illiterate...a dead giveaway: "To help protect your computer, Apple Web Security have detected Trojans and ready to remove them."

It is interesting, though, that it's targeting Macs; I hope this isn't the start of a trend.
#15547 - 05/12/11 06:13 PM Re: On-line experience yesterday [Re: artie505]
tacit


Registered: 08/03/09
Loc: Portland, Oregon, USA
The bad guys (namely, the Russian Zlob gang) have been paying attention to Macs intermittently off and on for some time. As far back as four years or so ago, I found some fake Windows antivirus sites which would look at the browser user-agent and download the OS X version of the RSplugin/DNSchanger malware if they saw a Mac browser, and a Windows malware package if they saw a Windows browser. The fake scareware sites still looked like Windows antivirus scans, but it shows they were at least thinking about Macs.

The thing they still haven't done, and something that Russian organized crime has offered a reward for if anyone figures out how to do it, is to install malware without an administrator password. On Windows this turns out to be pretty easy to do, but after considerable effort, organized crime still hasn't managed to do it on the Mac yet.

A lot of folks claim that Windows is overrun with malware and Macs aren't because Windows is more popular. The reality, of course, is that the Mac really is a harder nut to crack; figuring out how to install malware on Macs would be really profitable, but that damn "can't make it work without an administrator password" bit is kind of a buzz-kill.
#15549 - 05/12/11 07:24 PM Re: On-line experience yesterday [Re: tacit]
artie505


Registered: 08/04/09
Thanks, tacit; your posts on these matters (in particular) are always fascinating.

> [...] figuring out how to install malware on Macs would be really profitable, but that damn "can't make it work without an administrator password" bit is kind of a buzz-kill.

Well... That's reassuring, even if only for the moment, and I hope it's for longer than that.
#15579 - 05/14/11 12:08 AM Re: On-line experience yesterday [Re: Bensheim]
artie505


Registered: 08/04/09