An open community 
of Macintosh users,
for Macintosh users.

#52519 - 09/25/19 11:42 AM Attempt to plant Malware
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
I got an attempt to scare me with a message that popped up on my screen when I was at a phone company site using their reverse-number-lookup function. Note: I tried to post a screenshot using Imgur but couldn't make it work.

I sent the screenshot to Apple along with the URL, which is extremely long. However, when posted on FTM, the URL turned into a vocal message link with a phony dire message, so I took it down.

I've reposted with asterisks inserted to keep it from loading a link. Does the URL tell us anything?

http://**your-mac-security-analysis.net.nzzmlrhn.**
9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz/fx/en/index.php?browser=Safari&fred=1&app=Mac%20Speedup%20Pro&hul=rs.eujmj3g.space&cep=R4T2XcXgyS5fiqD7Djv6P1cGEbFCOHJ36ydwAJ1B6kpxaCBgk1qFWKXp6LipphR-172mFFZteUbkrh-Kb3TQRGLc05s3rRrdwmFxeTuqsbao6Qi_jldJ3J0fl7pCj-Y--hp9MkVV-C_WNWv0Qy94SLHd1LZi6RPGgVZyUWHDWuUZNVxW7VTi3kmEoTK1u11jQrZGPRHLFSC2E8VdCJ4GreVloKjciQkmDM82ALILfRevfP6lgG8IIhx7QXolLSGRxqnUsatxGCWoG4lr6552NwN0aNdYVWBzre7tex5lo8dOf6XI_JmA6rnBaYWi0S53pkUZ9JOfpoq0jWhgyKo5WvPIdYkV9Wg5vMLaB4h6WJRHOt75eM7MNsljeiJ8IEJ4aG-_TfhRsbYHXrvtM5K7_PengTvKOPLYHbqUD04wmIXrruqywDG6FSKFubPOczEhGxOp-2QsDM4PID6dmJ3bnrezopWQ3WCN0oJ0GpFkaYwqlyB_GSeIZxqYYfRG7eqAAfMponuDhg3a5fe5ukhlfFLmVfnbgh4EhcQTN4zRhMoVOLut_k1BGhh6cuy4XlfQvoNDKADdZBNjGNcDYBlPoQ&_=BAoAXYu8AQFdi7wCgAGBAcAAIKQxQg1xBfvOFCTCizH3TiqoAtRIJOC-R7PB0RP6X5WgwQAgQIwGeunS07hF1BQ1Gd2n6zVncv5WQtE2rs665t9sOZTCACC1dvqpVao0aO7Vh8vvOq94OrARH3l70x2uUPldro1YBcQAECABBWn82fQAfKWAntEdwynFABBjxxLCC03tgPu5MR75d5TRwwAgTzjo_6CU14oBNsmG-q5mYJ2RyT5Hnvztiq-W4ZIpbNw#b


Edited by ryck (09/26/19 06:39 AM)
_________________________
ryck

iMac (Retina 5K, 27", 2017), 3.4 GHz Intel Core i5, 8GB RAM, 2400 MHz DDR4
OS Mojave 10.14.6
Canon MX710 Printer
Epson Perfection V500 Photo Scanner
Time Machine on 1TB LaCie USB-C
Carbon Copy Clone on 500GB OWC Mercury OTG Pro

#52520 - 09/25/19 02:27 PM Re: Attempt to plant Malware [Re: ryck]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Your post came out differently in the email I got notifying me of the post. You will have to scroll the code box horizontally to see the entire translation:

Code:
I got [url=<blockquote class="imgur-embed-pub" lang="en" data-id="a/fsrynF9"><a href="//imgur.com/a/fsrynF9"></a></blockquote><script async src="//s.imgur.com/min/embed.js" charset="utf-8"></script>]this attempt to scare me[/url] message pop up on my screen when at a phone company reverse-number-lookup function.


So it appears your warning message originated on Imgur. You might want to pass this along to them. I am guessing what you saw and posted was akin to a "tiny URL".

TIP: enclosing the information in code tags prevents it from executing
_________________________
joemikeb • moderator

#52521 - 09/25/19 04:02 PM Re: Attempt to plant Malware [Re: joemikeb]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
The original warning definitely did not originate at Imgur. It was at a phone site where I was trying to get information on a number.

We may be mixing two different things. At Imgur I was unable to get a screenshot of the "scary" message to link to our site, so people could see it. Rather than continue goofing around at Imgur I thought I'd just provide the URL.

The URL I posted was a whole other story. I pasted it into my dialogue here at FTM just as I would post any copied text. However, it appeared as a hot link to a "warning" site complete with audio.

I figured I shouldn't leave a link like that in our site, so I inserted the asterisks to prevent the link from working but having it show as text. I thought the text might be instructive.

Also, one other weird thing.... This thread does not display properly. I have to open it almost the full width of my screen (27" iMac) in order to see the options (Edit, Reply, Quote, Notify, Email) in the bottom right corner.....or the Logout at the top. It appears the URL text doesn't wrap. It is the only thread acting this way.


Edited by ryck (09/25/19 04:15 PM)
_________________________
ryck


#52522 - 09/25/19 04:17 PM Re: Attempt to plant Malware [Re: ryck]
artie505 Online


Registered: 08/04/09
You posted a "screen-stretching URL;" had you enclosed it in "code" tags it would have looked like this:

Code:
http://**your-mac-security-analysis.net.nzzmlrhn.**
9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz/fx/en/index.php?browser=Safari&fred=1&app=Mac%20Speedup%20Pro&hul=rs.eujmj3g.space&cep=R4T2XcXgyS5fiqD7Djv6P1cGEbFCOHJ36ydwAJ1B6kpxaCBgk1qFWKXp6LipphR-172mFFZteUbkrh-Kb3TQRGLc05s3rRrdwmFxeTuqsbao6Qi_jldJ3J0fl7pCj-Y--hp9MkVV-C_WNWv0Qy94SLHd1LZi6RPGgVZyUWHDWuUZNVxW7VTi3kmEoTK1u11jQrZGPRHLFSC2E8VdCJ4GreVloKjciQkmDM82ALILfRevfP6lgG8IIhx7QXolLSGRxqnUsatxGCWoG4lr6552NwN0aNdYVWBzre7tex5lo8dOf6XI_JmA6rnBaYWi0S53pkUZ9JOfpoq0jWhgyKo5WvPIdYkV9Wg5vMLaB4h6WJRHOt75eM7MNsljeiJ8IEJ4aG-_TfhRsbYHXrvtM5K7_PengTvKOPLYHbqUD04wmIXrruqywDG6FSKFubPOczEhGxOp-2QsDM4PID6dmJ3bnrezopWQ3WCN0oJ0GpFkaYwqlyB_GSeIZxqYYfRG7eqAAfMponuDhg3a5fe5ukhlfFLmVfnbgh4EhcQTN4zRhMoVOLut_k1BGhh6cuy4XlfQvoNDKADdZBNjGNcDYBlPoQ&_=BAoAXYu8AQFdi7wCgAGBAcAAIKQxQg1xBfvOFCTCizH3TiqoAtRIJOC-R7PB0RP6X5WgwQAgQIwGeunS07hF1BQ1Gd2n6zVncv5WQtE2rs665t9sOZTCACC1dvqpVao0aO7Vh8vvOq94OrARH3l70x2uUPldro1YBcQAECABBWn82fQAfKWAntEdwynFABBjxxLCC03tgPu5MR75d5TRwwAgTzjo_6CU14oBNsmG-q5mYJ2RyT5Hnvztiq-W4ZIpbNw#b
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#52526 - 09/26/19 01:01 PM Re: Attempt to plant Malware [Re: artie505]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: artie505
You posted a "screen-stretching URL.....

And it seemed to have affected the page even when absent. When I could still edit the post, I went back and deleted the URL in its entirety. However, the page still stretched.

Too bad the edit is closed to me....it would be interesting to see what happens if the "code" tags were put in now.

Anyway, it appears the answer to my original question, "Does the URL text tell us anything?" is no.
_________________________
ryck


#52556 - 10/01/19 08:44 PM Re: Attempt to plant Malware [Re: ryck]
Bob_00001 Offline


Registered: 01/03/10
Unless the start of the URL got totally mangled, the domain is not:
Code:
your-mac-security-analysis.net

as they had intended you to believe.
It is:
Code:
9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz


It is always the last two dot-separated pieces of text before the first slash.
_________________________
MacBook Pro 15" (2015)
Sierra 10.12.6
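A small script, added here as an illustration and not from any poster, that applies Bob_00001's rule to the URL ryck posted: it strips the asterisks ryck inserted, splits the host into labels, and separates the registrable domain from the lure labels in front of it. The two-label rule is exact for a plain .xyz registration; hosts under multi-label public suffixes such as co.uk need the Public Suffix List, which this script does not consult, and the query string is cut after the first four parameters.

```python
from urllib.parse import urlsplit, parse_qs

# The URL as ryck posted it, asterisks included (they were inserted to keep
# the forum from rendering a live link). Constructed from the thread text;
# the query string is cut after the first four parameters.
POSTED_URL = (
    "http://**your-mac-security-analysis.net.nzzmlrhn.**"
    "9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz/fx/en/index.php"
    "?browser=Safari&fred=1&app=Mac%20Speedup%20Pro&hul=rs.eujmj3g.space"
)

def registrable_domain(host: str) -> str:
    """Bob_00001's rule: the last two dot-separated labels of the host.
    Exact for a plain .xyz registration like this one; hosts under
    multi-label public suffixes (co.uk, com.au) need the Public Suffix
    List, which this helper does not consult."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def analyse(url: str) -> dict:
    """Split a defanged URL into the pieces worth looking at."""
    parts = urlsplit(url.replace("**", ""))
    host = parts.hostname or ""
    labels = host.split(".")
    return {
        "host": host,
        "registrable_domain": registrable_domain(host),
        # Everything left of the registrable domain is chosen by whoever
        # owns it, so it can carry any lure text, such as a fake security brand.
        "lure_labels": ".".join(labels[:-2]),
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }

if __name__ == "__main__":
    for key, value in analyse(POSTED_URL).items():
        print(f"{key}: {value}")
```

The `app` and `hul` parameters carry the lure name and a second throwaway hostname, which is the kind of detail worth including when reporting the domain to the registrar's abuse contact.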

#52561 - 10/02/19 07:31 AM Re: Attempt to plant Malware [Re: Bob_00001]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Alright! Good to know....thanks.
_________________________
ryck


#52563 - 10/02/19 08:08 AM Re: Attempt to plant Malware [Re: ryck]
joemikeb Online
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
A Whois of that URL reveals the following:
Originally Posted By: Whois
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer: whois.nic.xyz

domain: XYZ

organisation: XYZ.COM LLC
address: 2121 E Tropicana Ave
address: Las Vegas
address: NV 89119
address: United States

contact: administrative
name: General Counsel
organisation: XYZ.COM LLC
address: 2121 E Tropicana Ave., STE2
address: Las Vegas
address: NV 89119
address: United States
phone: +1.7027632191
e-mail: hello@xyz.com

contact: technical
name: CTO
organisation: CentralNic
address: 35-39 Moorgate
address: London EC2R 6AR
address: United Kingdom
phone: +44.2033880600
fax-no: +44.2033880601
e-mail: tld.ops@centralnic.com

nserver: GENERATIONXYZ.NIC.XYZ 212.18.249.42 2a04:2b00:13ff:0:0:0:0:42
nserver: X.NIC.XYZ 194.169.218.42 2001:67c:13cc:0:0:0:1:42
nserver: Y.NIC.XYZ 185.24.64.42 2a04:2b00:13cc:0:0:0:1:42
nserver: Z.NIC.XYZ 212.18.248.42 2a04:2b00:13ee:0:0:0:0:42
ds-rdata: 3599 8 1 3FA3B264F45DB5F38BEDEAF1A88B76AA318C2C7F
ds-rdata: 3599 8 2 B9733869BC84C86BB59D102BA5DA6B27B2088552332A39DCD54BC4E8D66B0499

whois: whois.nic.xyz

status: ACTIVE
remarks: Registration information: http://nic.xyz

created: 2014-02-06
changed: 2019-03-18
source: IANA

# whois.nic.xyz

Domain Name: 9MGR0OCJQZLWPMMWTGDG3TL98V4K3NMRVAUQNQ.XYZ
Registry Domain ID: D130809981-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://namecheap.com
Updated Date: 2019-10-01T18:00:01.0Z
Creation Date: 2019-09-23T18:29:25.0Z
Registry Expiry Date: 2020-09-23T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: WhoisGuard, Inc.
Registrant State/Province: Panama
Registrant Country: PA
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone:
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2019-10-02T16:01:26.0Z <<<

# whois.namecheap.com

Domain name: 9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz
Registry Domain ID: D130809981-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2019-09-23T18:29:25.00Z
Registrar Registration Expiration Date: 2020-09-23T18:29:25.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: dc2d0db790f145f09569df6f6210a05c.protect@whoisguard.com
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-10-02T09:01:37.50Z <<<

_________________________
joemikeb • moderator
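Added example, not from the thread: parse the key/value lines of the registrar record quoted above and work out how old the domain was when ryck saw the pop-up (the first post's 09/25/19 11:42 AM timestamp, taken as UTC for this check). The excerpt is constructed from the values the thread shows.

```python
from datetime import datetime, timezone

# Constructed excerpt of the registrar whois record quoted in the thread,
# one "Key: value" line per field; the values are those the thread shows.
WHOIS_TEXT = """\
Domain Name: 9MGR0OCJQZLWPMMWTGDG3TL98V4K3NMRVAUQNQ.XYZ
Registrar: Namecheap
Creation Date: 2019-09-23T18:29:25.0Z
Registry Expiry Date: 2020-09-23T23:59:59.0Z
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: WhoisGuard, Inc.
Name Server: DNS1.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2019-10-02T16:01:26.0Z <<<
"""

def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines into {key: [values]}; repeated keys such as
    Domain Status keep every value. Comment and banner lines are skipped."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("%", "#", ">>>")):
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip(), []).append(value.strip())
    return record

def parse_date(value: str) -> datetime:
    """Registry timestamps look like 2019-09-23T18:29:25.0Z (UTC)."""
    stamp = value.rstrip("Z").split(".")[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def triage(record: dict, seen_on: str, max_age_days: int = 30) -> dict:
    """Flag the signals a defender reads off a whois record: a domain only
    days old when the pop-up appeared, a privacy-proxied registrant, and a
    registry serverHold (the registry has taken the name out of DNS)."""
    age_days = (parse_date(seen_on) - parse_date(record["Creation Date"][0])).days
    statuses = " ".join(record.get("Domain Status", []))
    registrant = record.get("Registrant Organization", [""])[0].lower()
    return {
        "age_days": age_days,
        "newly_registered": age_days < max_age_days,
        "privacy_protected": "whoisguard" in registrant,
        "registry_hold": "serverHold" in statuses,
    }

if __name__ == "__main__":
    # Sighting time from the first post (09/25/19 11:42 AM, taken as UTC).
    print(triage(parse_whois(WHOIS_TEXT), "2019-09-25T11:42:00Z"))
```

A domain registered two days before it shows up in a scare pop-up, behind a privacy proxy, is the usual profile for throwaway lure hosts; the serverHold status shows the registry had already suspended it by the time the record was pulled.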

#52565 - 10/02/19 08:51 AM Re: Attempt to plant Malware [Re: joemikeb]
ryck Online


Registered: 08/04/09
Loc: Okanagan Valley
Originally Posted By: joemikeb
A Whois of that URL reveals the following:

I looked through most of the links and didn't see anything untoward....such as the threatening message that the original link had. So, between this information and the information provided by Bob_00001, do I assume that someone has been provided an internet address which is being used for a purpose other than the provider believes?
_________________________
ryck

