HT203987: Stop pop-up ads in Safari

John Zwiebel

Q: Safari malware offers Flash Upgrade

I have the latest OS X and latest Safari installed on a macbook purchased 2 months ago.

 

When I try to access wunderground.com, after navigation there, one of several types of dialogue boxes will open that tell me that my Flash is out of date.

Trying to escape this mess, one may end up downloading several files that purport to be .dmg files that have an update to Adobe Flash.  If one mounts these disks, it is immediately obvious that these .dmg files did not come from Adobe.

 

One of the web sites that this web page refers you to is: http://liveupdate.upgrade-pro.org

 

I don't suppose anyone would be surprised to discover this is in Europe.

 

I have gone to the Adobe site and ensured I've installed the latest flash.  This did not stop the pop-ups.

I turned off flash and deleted it completely according to Adobe instructions.  The pop-ups still happen.

I've tried several other "off-the-wall" ideas that I won't mention here to avoid embarrassment.

 

I have another macbook set up looking at exactly the same pages from wunderground.com.  It has not had these dialogue boxes pop up.

 

This is not the first box to show up, but note that this is a really, really old version of Flash

Screen Shot 2015-08-29 at 8.28.17 AM.png

 

This is an alternate dialogue box that might appear.  This one comes from a totally different web site

 

http://cdn.freefacet.com/lp/?appid=2297&subid=d3609d4b-10c4-4b92-be54-413d78e69eb3&c8=service.quickseas.com&btp_h=31cde2…

 

Screen Shot 2015-08-29 at 5.02.11 PM.png

 

This problem (AFAIK) only affects wunderground.com pages (which are not affected on my other computer)

 

Here is a trace route to the web site that is pushing this bogus flash on me.

 

bash-3.2$ traceroute liveupdate.upgrade-pro.org
traceroute to liveupdate.upgrade-pro.org (62.210.93.163), 64 hops max, 52 byte packets
1  10.0.1.1 (10.0.1.1)  4.267 ms  1.139 ms  1.886 ms
2  cpe-50-113-48-1.hawaii.res.rr.com (50.113.48.1)  27.453 ms  23.238 ms  10.457 ms
3  24.25.234.97 (24.25.234.97)  31.455 ms  31.439 ms  32.666 ms
4  agg29.milnhixd01r.hawaii.rr.com (72.129.45.182)  17.099 ms  20.391 ms  18.195 ms
5  agg31.lsancarc01r.socal.rr.com (72.129.45.0)  64.323 ms  63.733 ms  62.789 ms
6  bu-ether16.lsancarc0yw-bcr00.tbone.rr.com (66.109.6.102)  66.545 ms  63.616 ms  72.398 ms
7  0.ae1.pr1.lax00.tbone.rr.com (107.14.17.250)  64.161 ms
    0.ae0.pr1.lax00.tbone.rr.com (107.14.17.248)  65.878 ms  69.105 ms
8  ix-24-0.tcore1.lvw-los-angeles.as6453.net (66.110.59.81)  68.727 ms  69.074 ms  67.782 ms
9  if-3-2.tcore1.pdi-palo-alto.as6453.net (66.198.127.25)  306.654 ms  239.873 ms  305.031 ms
10  if-1-2.tcore1.nyy-new-york.as6453.net (66.198.127.6)  306.852 ms * *
11  if-3-2.thar1.njy-newark.as6453.net (66.198.70.21)  229.511 ms  532.619 ms *
12  if-4-2.tcore1.l78-london.as6453.net (80.231.130.33)  524.233 ms  476.479 ms
    if-7-2.tcore1.l78-london.as6453.net (66.198.70.26)  290.903 ms
13  if-3-6.tcore1.pye-paris.as6453.net (80.231.130.86)  482.792 ms * *
14  * * *
15  if-34-2.thar1.vi8-vitry-sur-seine.as6453.net (80.231.153.58)  329.678 ms * *
16  5.23.24.6 (5.23.24.6)  280.537 ms  306.226 ms  310.611 ms
17  * * *
18  62-210-93-163.rev.poneytelecom.eu (62.210.93.163)  343.930 ms  310.188 ms  331.720 ms
bash-3.2$

MacBook Pro with Retina display, OS X Yosemite (10.10.4), 500G Flash Drive 8Gig memory

Posted on Aug 29, 2015 8:53 PM


  • by ckuan,

    ckuan Aug 29, 2015 9:01 PM in response to John Zwiebel
    Level 7 (33,314 points)

    The site is compromised.

    If you need Adobe Flash player, go to Adobe.com directly.

    or on your Mac  > System Preferences.. > Flash Player > check for updates there.

    If after restarting Safari you're still getting the popups, try restarting with the Shift key pressed.

  • by Klaus1,

    Klaus1 Aug 30, 2015 6:50 AM in response to John Zwiebel
    Level 8 (48,821 points)

    Flash Player should ONLY be installed from Adobe’s website.

     

    You can check here what version of Flash player you actually have installed:  http://kb2.adobe.com/cps/155/tn_15507.html

     

    You can check here:  http://www.adobe.com/products/flash/about/  to see which version you should install for your Mac and OS. You should first uninstall any previous version of Flash Player, using the uninstaller from here (make sure you use the correct one!):

     

    http://kb2.adobe.com/cps/909/cpsid_90906.html

     

    and also that you follow the instructions closely, such as closing ALL applications (including Safari) first before installing. It is highly recommended that you carry out a permission repair after installing anything from Adobe.

     

    After installing, reboot your Mac and relaunch Safari, then in Safari Preferences/Security enable ‘Allow Plugins’. If you are running 10.6.8 or later:

     

    When you have installed the latest version of Flash, relaunch Safari and test.

    If you're getting a "blocked plug-in" error, then in System Preferences… ▹ Flash Player ▹ Advanced

    click Check Now. Quit and relaunch your browser. More advice here:

     

    http://www.macworld.co.uk/how-to/mac-software/unblock-safari-plug-ins-on-mac-3608065/

     

    Facebook dropping all but the very latest version of Flash:

     

    http://www.theguardian.com/technology/2015/jul/14/facebook-end-adobe-flash-firefox-blocks-hacking
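
Klaus1's rule that Flash Player should only be installed from Adobe's website can be checked mechanically before a download is opened. The following is an added example, not part of the original thread: the function name and the allowlist are assumptions, and every sample URL other than the two hosts quoted in the question is constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain accepted as an official source.
TRUSTED_DOMAINS = {"adobe.com"}


def classify_download_url(url, trusted=TRUSTED_DOMAINS):
    """Classify a download link as 'trusted', 'insecure-scheme' or 'untrusted-host'.

    The host is compared label by label, so a trusted name that appears only
    as a prefix, as userinfo before '@', or as a look-alike is rejected.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # userinfo and port removed, lowercased
    except ValueError:
        return "untrusted-host"
    if not host:
        return "untrusted-host"
    host = host.rstrip(".")
    try:
        # Normalise internationalised names so homoglyphs become xn-- labels.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return "untrusted-host"
    if not any(host == d or host.endswith("." + d) for d in trusted):
        return "untrusted-host"
    if parts.scheme != "https":
        # Right host, but the transfer could be altered in transit.
        return "insecure-scheme"
    return "trusted"


if __name__ == "__main__":
    samples = [
        "http://liveupdate.upgrade-pro.org",                  # host from the question
        "http://cdn.freefacet.com/lp/",                       # host from the question
        "https://www.adobe.com/products/flash/about/",        # constructed
        "http://www.adobe.com/products/flash/about/",         # constructed
        "https://adobe.com.upgrade-pro.org/flash.dmg",        # constructed look-alike
        "https://www.adobe.com@liveupdate.upgrade-pro.org/",  # constructed userinfo trick
    ]
    for s in samples:
        print(f"{classify_download_url(s):16} {s}")
```
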

  • by John Zwiebel,

    John Zwiebel Aug 30, 2015 1:47 PM in response to ckuan
    Level 1 (49 points)

    Thank you for your reply.  See my reply to Klaus1.

  • by John Zwiebel,

    John Zwiebel Aug 30, 2015 2:03 PM in response to Klaus1
    Level 1 (49 points)

    Thank you, Klaus1:

     

    Unfortunately the information you've provided is not useful.   I do only download Flash from the Adobe site.  I did uninstall the version I had (which I recall was version 18, whatever, it was the latest version.)  I have not ever seen a "blocked plugin" message.

     

    I recall that I put two more posts on this thread which provided some additional information.  They are not here.

     

    I had removed Flash completely following the Adobe instructions which included manually deleting several files.

    I then rebooted the machine and went back to the wunderground web pages.  The malware message showed up again anyway.

     

    My computer has been off-line now for about 12 hours and I've moved from Hawaii to Fiji.  When I access the wunderground web site now, I am NOT seeing the malware error message.

     

    IMHO the error had nothing to do with my computer, but was a hack on the CDN (content delivery networks) that were supposed to have the correct Adobe flash to download.  Like Herman Cain, "I have no facts to back this up", but it is the only thing that makes sense to me at this point since the error is no longer happening.

     

    I have not yet found it necessary to place Flash back on my computer.  I'll leave it off until something else comes up.

     

    Thanks again for your help.