22 Replies Latest reply: Jun 3, 2011 3:18 AM by valerie christine
babowa Level 7 Level 7 (27,955 points)

Just  a heads up: up until now, it seemed that this would appear mostly with Safari in Hotmail or Google Images - no more.....


They've now expanded into Firefox in an open Yahoo Mail Inbox session.


I had several tabs open - one of them my Yahoo Inbox; when I went back to it to check for new mail, there it was. I had to force quit FF (twice actually). I finally yanked the power cord from my modem so I could re-open FF without the offender trying to download something. Got rid of cookies and the always-used Yahoo sign-in.

iMac, Mac OS X (10.6.7), i3 12 GB RAM | 2 LaCie d2 Quadra |
  • laverne's mom Level 2 Level 2 (395 points)

    Thank you.  I have a Yahoo address for a Yahoo group I belong to, but have the email forwarded to a Gmail account, so I rarely go to Yahoo.  Did it start downloading on its own?  Did just quitting FF not work?  I forget about force quitting so I guess I will need to review that one.  This is getting pernicious.


    laverne's mom

  • AussieDJ Level 4 Level 4 (1,435 points)

    Ok. That's a bit scary.

  • thomas_r. Level 7 Level 7 (30,545 points)

    First, a note to those who might not be aware of this, Apple Security Center is something displayed on the web pages from which the MacDefender trojan variants* are downloaded.


    Second, note that this has never been limited to Google Images and Hotmail or to Safari.  It has always been possible to reach these sites in Firefox or any other browser, and I personally encountered the malware on other sites long before now.  Google Images and Hotmail have been two of the biggest vectors, but one should not make the assumption that unasked-for redirects from any site are safe.


    Also, note that the extreme measures you went to to prevent Firefox from downloading anything really aren't necessary.  If the malware gets downloaded, it can't hurt you if you just throw it in the trash.  Even if the installer starts up automatically, you can just quit the installer and throw it away, and you won't be infected with anything.


    However, it's good to know that this has spread to Yahoo Mail.  (Well, not good, maybe...  it's useful to know.)  Users of any of the other major web-based, ad-supported e-mail systems should also be especially cautious.


    * Disclaimer: links to my pages may give me compensation, and should not be taken as endorsement of my services by Apple.

  • babowa Level 7 Level 7 (27,955 points)
    Was Tabnabbing involved?


    Truthfully, I don't know; I wasn't even looking at the address bar - I was moving the cursor from the ASC tab to my Yahoo Inbox tab (which is always the first one) and the security center page was there. The problem after that was that FF wanted to be good and re-opened the same window and I did not want it to go any further. So, since I could not do anything except either allow it to proceed or force quit, I force quit (at that point, nothing else was available - no tabs, no file menu except under FF). I then figured it wouldn't hurt to reset my modem anyway, so I yanked the power cord. I then opened FF, got the "well, this is embarrassing, but FF will try to re-open the window....." I unchecked those; I then deleted all Yahoo cookies and any others I didn't recognize; also zapped history and cache. Then I went back online and re-opened Firefox.

  • pcbjr Level 2 Level 2 (265 points)

    Just took a break from work, and went to Yahoo Games to play cards for a minute; IT popped up.


    Quit the page, closed Firefox and restarted. Nothing in my Sys Prefs login items; see nothing in Activity Monitor - but WOW are these guys getting sneaky.

  • babowa Level 7 Level 7 (27,955 points)
    Was Tabnabbing involved?


    Amendment to my first reply:


    Thinking about it, it could have been because:


    When I got the window about FF wanting to reopen with all tabs, Yahoo Mail was missing; I had the ASC, another web based email, and, in the first spot, was the offender with an IP address starting with 178.x.x


    I'm an idiot because I should have done a screenshot of that window, but I was so focused on getting rid of it that I didn't think about it. Since I opted not to re-open, but then quit FF the normal way, there is no way for me to retrieve that, is there? I looked but couldn't see anything under tools (the only things listed were current things, not from a previous session).


    The bad thing was the vicious cycle of it taking over and re-appearing even though I force quit FF while none of the usual options such as the regular FF menu bar were available - they did not even show.

  • coffeetime Level 1 Level 1 (0 points)

    I was logged into MyYahoo....just at the MyYahoo page (wasn't even checking the mail) and I clicked on a news article link about measles....I left the room, came back and another tab was open (using Firefox)-- took a screenshot (it's below).  I force quit Firefox, then it asked me if I wanted to leave the page, and I clicked okay.....and it force quit.  As far as I know nothing got downloaded.



  • babowa Level 7 Level 7 (27,955 points)

    Since I failed to take a screenshot of mine (which looked pretty much like yours), would you send that as an email attachment to Yahoo? I'm not sure, but it seems to me if we were able to show them the re-direct IP address (178.x.x), they may be able to backtrace it to see which of their IP addresses got hacked/taken over/or whatever it is the crooks did. And then they could block it?

  • babowa Level 7 Level 7 (27,955 points)

    I found an email address for Yahoo and just sent them an email with a link to this thread; no idea if they can or will do something about it, but I thought it wouldn't hurt. The address I found was: security at yahoo-inc dot com.

  • coffeetime Level 1 Level 1 (0 points)

    I'll do that....what should I put in the subject heading?

  • babowa Level 7 Level 7 (27,955 points)

    How about something like "your servers are allowing users to be redirected to known malware site" - you might want to attach a copy of your screenshot...

  • etresoft Level 7 Level 7 (27,125 points)

    babowa wrote:


    I finally yanked the power cord from my modem so I could re-open FF without the offender trying to download something.

    There is no need to freak out. It is just a trojan. Make sure the "auto open" option is off and delete everything you don't want from your downloads folder on a regular basis.

  • babowa Level 7 Level 7 (27,955 points)

    Thanks, but I wasn't freaking - I'm simply allergic to trojans. And I wanted to see if there was a way to stop it without allowing it to download. When I couldn't find a way, I decided the quickest way was to allow FF to reset, but I had to get offline; since my new modem no longer has an on/off or standby button, I yanked the cord. That is no big deal - according to Comcast, I am supposed to reset the modem about once a month or so anyway. I don't use Safari; there is no auto open option in Firefox (as far as I know - unless I missed some setting in Preferences).
