Attempt to plant Malware
ryck (OP) #52519 09/25/19 06:42 PM
I got an attempt to scare me with a message that popped up on my screen when I was at a phone company site using their reverse-number-lookup function. Note: I tried to post a screenshot using Imgur but couldn't make it work.

I sent the screenshot to Apple along with the URL, which is extremely long. However, when posted on FTM, the URL turned into a vocal message link with a phony dire message, so I took it down.

I've reposted with asterisks inserted to keep it from loading a link. Does the URL tell us anything?

http://**your-mac-security-analysis.net.nzzmlrhn.**
9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz/fx/en/index.php?browser=Safari&fred=1&app=Mac%20Speedup%20Pro&hul=rs.eujmj3g.space&cep=R4T2XcXgyS5fiqD7Djv6P1cGEbFCOHJ36ydwAJ1B6kpxaCBgk1qFWKXp6LipphR-172mFFZteUbkrh-Kb3TQRGLc05s3rRrdwmFxeTuqsbao6Qi_jldJ3J0fl7pCj-Y--hp9MkVV-C_WNWv0Qy94SLHd1LZi6RPGgVZyUWHDWuUZNVxW7VTi3kmEoTK1u11jQrZGPRHLFSC2E8VdCJ4GreVloKjciQkmDM82ALILfRevfP6lgG8IIhx7QXolLSGRxqnUsatxGCWoG4lr6552NwN0aNdYVWBzre7tex5lo8dOf6XI_JmA6rnBaYWi0S53pkUZ9JOfpoq0jWhgyKo5WvPIdYkV9Wg5vMLaB4h6WJRHOt75eM7MNsljeiJ8IEJ4aG-_TfhRsbYHXrvtM5K7_PengTvKOPLYHbqUD04wmIXrruqywDG6FSKFubPOczEhGxOp-2QsDM4PID6dmJ3bnrezopWQ3WCN0oJ0GpFkaYwqlyB_GSeIZxqYYfRG7eqAAfMponuDhg3a5fe5ukhlfFLmVfnbgh4EhcQTN4zRhMoVOLut_k1BGhh6cuy4XlfQvoNDKADdZBNjGNcDYBlPoQ&_=BAoAXYu8AQFdi7wCgAGBAcAAIKQxQg1xBfvOFCTCizH3TiqoAtRIJOC-R7PB0RP6X5WgwQAgQIwGeunS07hF1BQ1Gd2n6zVncv5WQtE2rs665t9sOZTCACC1dvqpVao0aO7Vh8vvOq94OrARH3l70x2uUPldro1YBcQAECABBWn82fQAfKWAntEdwynFABBjxxLCC03tgPu5MR75d5TRwwAgTzjo_6CU14oBNsmG-q5mYJ2RyT5Hnvztiq-W4ZIpbNw#b

Last edited by ryck; 09/26/19 01:39 PM.

ryck

"What Were Once Vices Are Now Habits" The Doobie Brothers

iMac (Retina 5K, 27", 2020), 3.8 GHz 8 Core Intel Core i7, 8GB RAM, 2667 MHz DDR4
OS Ventura 13.6.3
Canon Pixma TR 8520 Printer
Epson Perfection V500 Photo Scanner c/w VueScan software
TM on 1TB LaCie USB-C
Re: Attempt to plant Malware
joemikeb (Moderator), replying to ryck, #52520 09/25/19 09:27 PM
Your post came out differently in the email I got notifying me of the post. You will have to scroll the code box horizontally to see the entire translation:

Code:
I got [url=<blockquote class="imgur-embed-pub" lang="en" data-id="a/fsrynF9"><a href="//imgur.com/a/fsrynF9"></a></blockquote><script async src="//s.imgur.com/min/embed.js" charset="utf-8"></script>]this attempt to scare me[/url] message pop up on my screen when at a phone company reverse-number-lookup function.


So it appears your warning message originated on Imgur. You might want to pass this along to them. I am guessing what you saw and posted was akin to a "tiny URL".

TIP: enclosing the information in code tags prevents it from executing


If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Attempt to plant Malware
ryck (OP), replying to joemikeb, #52521 09/25/19 11:02 PM
The original warning definitely did not originate at Imgur. It was at a phone site where I was trying to get information on a number.

We may be mixing two different things. At Imgur I was unable to get a screenshot of the "scary" message to link to our site, so people could see it. Rather than continue goofing around at Imgur I thought I'd just provide the URL.

The URL I posted was a whole other story. I pasted it into my dialogue here at FTM just as I would post any copied text. However, it appeared as a hot link to a "warning" site complete with audio.

I figured I shouldn't leave a link like that in our site, so I inserted the asterisks to prevent the link from working but having it show as text. I thought the text might be instructive.

Also, one other weird thing.... This thread does not display properly. I have to open it almost the full width of my screen (27" iMac) in order to see the options (Edit, Reply, Quote, Notify, Email) in the bottom right corner.....or the Logout at the top. It appears the URL text doesn't wrap. It is the only thread acting this way.

Last edited by ryck; 09/25/19 11:15 PM.

Re: Attempt to plant Malware
artie505, replying to ryck, #52522 09/25/19 11:17 PM
You posted a "screen-stretching URL"; had you enclosed it in "code" tags it would have looked like this:

Code:
http://**your-mac-security-analysis.net.nzzmlrhn.**
9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz/fx/en/index.php?browser=Safari&fred=1&app=Mac%20Speedup%20Pro&hul=rs.eujmj3g.space&cep=R4T2XcXgyS5fiqD7Djv6P1cGEbFCOHJ36ydwAJ1B6kpxaCBgk1qFWKXp6LipphR-172mFFZteUbkrh-Kb3TQRGLc05s3rRrdwmFxeTuqsbao6Qi_jldJ3J0fl7pCj-Y--hp9MkVV-C_WNWv0Qy94SLHd1LZi6RPGgVZyUWHDWuUZNVxW7VTi3kmEoTK1u11jQrZGPRHLFSC2E8VdCJ4GreVloKjciQkmDM82ALILfRevfP6lgG8IIhx7QXolLSGRxqnUsatxGCWoG4lr6552NwN0aNdYVWBzre7tex5lo8dOf6XI_JmA6rnBaYWi0S53pkUZ9JOfpoq0jWhgyKo5WvPIdYkV9Wg5vMLaB4h6WJRHOt75eM7MNsljeiJ8IEJ4aG-_TfhRsbYHXrvtM5K7_PengTvKOPLYHbqUD04wmIXrruqywDG6FSKFubPOczEhGxOp-2QsDM4PID6dmJ3bnrezopWQ3WCN0oJ0GpFkaYwqlyB_GSeIZxqYYfRG7eqAAfMponuDhg3a5fe5ukhlfFLmVfnbgh4EhcQTN4zRhMoVOLut_k1BGhh6cuy4XlfQvoNDKADdZBNjGNcDYBlPoQ&_=BAoAXYu8AQFdi7wCgAGBAcAAIKQxQg1xBfvOFCTCizH3TiqoAtRIJOC-R7PB0RP6X5WgwQAgQIwGeunS07hF1BQ1Gd2n6zVncv5WQtE2rs665t9sOZTCACC1dvqpVao0aO7Vh8vvOq94OrARH3l70x2uUPldro1YBcQAECABBWn82fQAfKWAntEdwynFABBjxxLCC03tgPu5MR75d5TRwwAgTzjo_6CU14oBNsmG-q5mYJ2RyT5Hnvztiq-W4ZIpbNw#b


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Attempt to plant Malware
ryck (OP), replying to artie505, #52526 09/26/19 08:01 PM
Originally Posted By: artie505
You posted a "screen-stretching URL.....

And it seemed to have affected the page even when absent. When I could still edit the post, I went back and deleted the URL in its entirety. However, the page still stretched.

Too bad the edit is closed to me....it would be interesting to see what happens if the "code" tags were put in now.

Anyway, it appears the answer to my original question, "Does the URL text tell us anything" is no.


Re: Attempt to plant Malware
Bob_00001, replying to ryck, #52556 10/02/19 03:44 AM
Unless the start of the URL got totally mangled, the domain is not:
Code:
your-mac-security-analysis.net

as they had intended you to believe.
It is:
Code:
9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz


It is always the last two dot-separated pieces of text before the first slash.


MacBook Pro 15" (2015)
Sierra 10.12.6
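A worked check of Bob_00001's rule, added here as an example; it is not part of any post in this thread. The script takes the URL ryck posted, with his asterisks and the line break removed (assumption: the asterisks were inserted as a defang and did not replace any characters; the two long opaque query values are shortened to keep the sample readable), splits off the host, and reduces it to the registrable domain. The "last two labels" rule is right for .xyz and most generic TLDs; the example also keeps three labels for a small constructed stand-in for multi-label public suffixes such as co.uk, because the complete rule is the Public Suffix List rather than a fixed count. It also decodes the query string, where app= carries a product name and hul= carries a second hostname worth recording, and shows the usual defang (hxxp://, [.]) for pasting such a URL into a forum without it turning into a live link.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The URL from the first post, asterisks and line break removed.
# Assumption: the asterisks were inserted as a defang and replaced no characters.
# The two long opaque values (cep and _) are shortened here for readability.
POSTED_URL = (
    "http://your-mac-security-analysis.net.nzzmlrhn."
    "9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz"
    "/fx/en/index.php?browser=Safari&fred=1&app=Mac%20Speedup%20Pro"
    "&hul=rs.eujmj3g.space"
    "&cep=R4T2XcXgyS5fiqD7Djv6P1cGEbFCOHJ36ydwAJ1B6kpxaCBgk1qFWKXp6LipphR"
    "&_=BAoAXYu8AQFdi7wCgAGBAcAAIKQxQg1xBfvOFCTCizH3TiqoAtRIJOC-R7PB0RP6X5Wg#b"
)

# Constructed, partial stand-in for the Public Suffix List (publicsuffix.org).
# Under these suffixes the registrable domain is three labels, not two.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}

# A bare hostname: two or more labels of letters, digits and hyphens.
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def hostname(url: str) -> str:
    """Host part of the URL: lower-cased, userinfo and port stripped, no trailing dot."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host")
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """The domain the registrant actually controls.

    Bob_00001's rule (last two dot-separated labels) holds for .xyz and most
    generic TLDs; under a multi-label public suffix such as co.uk keep three.
    """
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def decoy_prefix(host: str) -> str:
    """Labels to the left of the registrable domain: chosen freely by its owner."""
    reg = registrable_domain(host)
    return host[: len(host) - len(reg)].rstrip(".")


def query_params(url: str) -> dict:
    """Percent-decoded query string, first value per key."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def hosts_in_values(params: dict) -> list:
    """Query values that look like bare hostnames (a second indicator to record)."""
    return sorted(v for v in params.values() if HOST_RE.fullmatch(v.lower()))


def defang(url: str) -> str:
    """Make a URL safe to paste into a forum or ticket: hxxp:// and [.] stop auto-linking."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(url: str) -> dict:
    """The facts a responder pulls out of a URL like this one."""
    host = hostname(url)
    params = query_params(url)
    return {
        "scheme": urlsplit(url).scheme,
        "host": host,
        "registrable_domain": registrable_domain(host),
        "decoy_prefix": decoy_prefix(host),
        "params": params,
        "hosts_in_params": hosts_in_values(params),
        "defanged": defang(url),
    }


if __name__ == "__main__":
    for key, value in triage(POSTED_URL).items():
        print(f"{key}: {value}")
```

Run as-is it prints the registrable domain 9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz, the decoy prefix your-mac-security-analysis.net.nzzmlrhn that sits in front of it, the decoded app value "Mac Speedup Pro", and rs.eujmj3g.space as a second host named in the query. The decoy prefix is the whole point of the long hostname: anything left of the registrable domain costs the owner nothing and can say whatever the page needs the victim to read.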
Re: Attempt to plant Malware
ryck (OP), replying to Bob_00001, #52561 10/02/19 02:31 PM
Alright! Good to know....thanks.


Re: Attempt to plant Malware
joemikeb (Moderator), replying to ryck, #52563 10/02/19 03:08 PM
A Whois of that URL reveals the following:
Originally Posted By: Whois
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer: whois.nic.xyz

domain: XYZ

organisation: XYZ.COM LLC
address: 2121 E Tropicana Ave
address: Las Vegas
address: NV 89119
address: United States

contact: administrative
name: General Counsel
organisation: XYZ.COM LLC
address: 2121 E Tropicana Ave., STE2
address: Las Vegas
address: NV 89119
address: United States
phone: +1.7027632191
e-mail: hello@xyz.com

contact: technical
name: CTO
organisation: CentralNic
address: 35-39 Moorgate
address: London EC2R 6AR
address: United Kingdom
phone: +44.2033880600
fax-no: +44.2033880601
e-mail: tld.ops@centralnic.com

nserver: GENERATIONXYZ.NIC.XYZ 212.18.249.42 2a04:2b00:13ff:0:0:0:0:42
nserver: X.NIC.XYZ 194.169.218.42 2001:67c:13cc:0:0:0:1:42
nserver: Y.NIC.XYZ 185.24.64.42 2a04:2b00:13cc:0:0:0:1:42
nserver: Z.NIC.XYZ 212.18.248.42 2a04:2b00:13ee:0:0:0:0:42
ds-rdata: 3599 8 1 3FA3B264F45DB5F38BEDEAF1A88B76AA318C2C7F
ds-rdata: 3599 8 2 B9733869BC84C86BB59D102BA5DA6B27B2088552332A39DCD54BC4E8D66B0499

whois: whois.nic.xyz

status: ACTIVE
remarks: Registration information: http://nic.xyz

created: 2014-02-06
changed: 2019-03-18
source: IANA

# whois.nic.xyz

Domain Name: 9MGR0OCJQZLWPMMWTGDG3TL98V4K3NMRVAUQNQ.XYZ
Registry Domain ID: D130809981-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: https://namecheap.com
Updated Date: 2019-10-01T18:00:01.0Z
Creation Date: 2019-09-23T18:29:25.0Z
Registry Expiry Date: 2020-09-23T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: WhoisGuard, Inc.
Registrant State/Province: Panama
Registrant Country: PA
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone:
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2019-10-02T16:01:26.0Z <<<

# whois.namecheap.com

Domain name: 9mgr0ocjqzlwpmmwtgdg3tl98v4k3nmrvauqnq.xyz
Registry Domain ID: D130809981-CNIC
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2019-09-23T18:29:25.00Z
Registrar Registration Expiration Date: 2020-09-23T18:29:25.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: WhoisGuard Protected
Registrant Organization: WhoisGuard, Inc.
Registrant Street: P.O. Box 0823-03411
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code:
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: dc2d0db790f145f09569df6f6210a05c.protect@whoisguard.com
Name Server: dns1.registrar-servers.com
Name Server: dns2.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-10-02T09:01:37.50Z <<<

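A small triage of the WHOIS record above, added as an example; it is not part of joemikeb's post. It parses the registry section (whois.nic.xyz) into key/value lists, computes the domain's age at the time the pop-up was seen (09/25/19, from the first post; the time of day is assumed to be midnight UTC since the forum shows no zone), picks out the EPP status codes and the registrar abuse contact, and flags what a responder would act on. The sample text is the page's own record, trimmed to the lines the script reads; the 30-day "new domain" threshold and the list of privacy-proxy markers are assumptions.

```python
import re
from datetime import datetime, timezone

# Excerpt of the registry WHOIS record quoted in the thread (whois.nic.xyz
# section), trimmed to the lines the triage reads. Not a fabricated record.
WHOIS_TEXT = """\
Domain Name: 9MGR0OCJQZLWPMMWTGDG3TL98V4K3NMRVAUQNQ.XYZ
Registry Domain ID: D130809981-CNIC
Registrar WHOIS Server: whois.namecheap.com
Updated Date: 2019-10-01T18:00:01.0Z
Creation Date: 2019-09-23T18:29:25.0Z
Registry Expiry Date: 2020-09-23T23:59:59.0Z
Registrar: Namecheap
Registrar IANA ID: 1068
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: WhoisGuard, Inc.
Registrant Country: PA
Name Server: DNS1.REGISTRAR-SERVERS.COM
Name Server: DNS2.REGISTRAR-SERVERS.COM
DNSSEC: unsigned
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone:
"""

# Date the pop-up was seen, from the first post's timestamp (09/25/19).
# Assumption: midnight UTC, since the forum shows local time without a zone.
SIGHTING = datetime(2019, 9, 25, tzinfo=timezone.utc)

# Assumption: a domain younger than this at the time of sighting is suspicious.
NEW_DOMAIN_DAYS = 30

# Constructed, partial list of words that mark a privacy/proxy registrant.
PRIVACY_MARKERS = ("whoisguard", "privacy", "proxy", "redacted", "withheld")

LINE_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines into lists; keys such as Domain Status repeat."""
    record: dict = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2):  # skip keys with an empty value
            record.setdefault(m.group(1), []).append(m.group(2))
    return record


def parse_whois_time(value: str) -> datetime:
    """Registry timestamps look like 2019-09-23T18:29:25.0Z; drop the fraction."""
    value = re.sub(r"\.\d+Z$", "Z", value)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def domain_age_days(record: dict, at: datetime) -> int:
    """Whole days between registration and the moment of interest."""
    return (at - parse_whois_time(record["Creation Date"][0])).days


def status_codes(record: dict) -> set:
    """EPP status names without the trailing icann.org explanation URL."""
    return {v.split()[0] for v in record.get("Domain Status", [])}


def assess(record: dict, at: datetime) -> dict:
    """Reduce the raw record to the few facts a responder acts on."""
    age = domain_age_days(record, at)
    codes = status_codes(record)
    org = " ".join(record.get("Registrant Organization", [])).lower()
    proxy = any(marker in org for marker in PRIVACY_MARKERS)
    findings = []
    if age < NEW_DOMAIN_DAYS:
        findings.append(f"domain was {age} day(s) old when the pop-up was seen")
    if "serverHold" in codes:
        findings.append("serverHold: the registry has already removed it from the zone")
    if proxy:
        findings.append("registrant identity behind a privacy proxy; report via the registrar")
    return {
        "domain": record["Domain Name"][0].lower(),
        "age_days": age,
        "on_hold": "serverHold" in codes,
        "privacy_proxy": proxy,
        "abuse_contact": record.get("Registrar Abuse Contact Email", [None])[0],
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in assess(parse_whois(WHOIS_TEXT), SIGHTING).items():
        print(f"{key}: {value}")
```

The three findings it reports are the ones that matter in the record: the domain was created on 2019-09-23, two days before ryck saw the pop-up; the registrant is hidden behind WhoisGuard; and by the 10/02 lookup it carried serverHold, so the registry had already taken it out of the DNS zone. That profile, a domain registered days before use behind a privacy proxy and suspended within a week, is consistent with a throwaway domain registered for the campaign rather than an established site being abused, and the Registrar Abuse Contact Email line is where such a domain is reported.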
Re: Attempt to plant Malware
ryck (OP), replying to joemikeb, #52565 10/02/19 03:51 PM
Originally Posted By: joemikeb
A Whois of that URL reveals the following:

I looked through most of the links and didn't see anything untoward....such as the threatening message that the original link had. So, between this information and the information provided by Bob_00001, do I assume that someone has been provided an internet address which is being used for a purpose other than the provider believes?