Ominous screen showed in Chrome

[diether]

This morning 12/13/2017 I was checking Yahoo mail, when a Warning screen and acoustic warning showed (full screen). I aborted Chrome as task, because I did not want to click the offered protection option, and after relaunching Chrome I checked the browser history, and found the latest unexspected entries as:

165.227.123.195

curationservices.com

adverrd.global.ssl.fastly.net

Does anybody know anything about those sites?

 

[David H. Lipman]

Similar to these ?

I have created a ¹series of videos generated from these fraud sites for the purposes of recognition and education.  They are all  videos from real web sites.  ALL are FRAUDS.

All these have one thing in common and they have nothing to do with any software on your PC.  They are all nefarious web sites meant to defraud you of money. The objective is to, falsely, goad you to make the phone call and pay for some service contract for an incident that never happened.  From there they may continue to charge your Credit Card for other services, remote into your computer and do real damage and/or exfiltrate your personal data and they may use the information they obtain from you to commit additional frauds.

MalwareScam.wmv
MalwareScam-1.wmv
MalwareScam-2.wmv
MalwareScam-3.wmv
MalwareScam-4.wmv
MalwareScam-5.wmv
MalwareScam-6.wmv

I have also created a PDF ScreenShow of a myriad of FakeAlert screens - FakeAlert-Screens.pdf / Flash Version

Reference:   
US FBI PSA - Tech Support Scam

 

---

1.  Also located at "My Online Security" - Some videos of typical tech support scams

 

Edited March 18, 2018 by David H. Lipman
Added the Flash version of the FakeAlert screens

[diether]

David. Thx. This is the kind of situation, I encountered this morning. I do not have detauls, because I terminated my Chrome Browser through the Task Manager ASAP. Diether

[David H. Lipman]

You only provided Domains.  If the fully qualified URLs are known and can be verified as being a FakeAlert, they/it can be submitted in;  Newest IP or URL Threats  such that the URLs can be blocked by Malwarebytes' software.

[diether]

What I posted is all I copied from the Chrome history list. Diether

[David H. Lipman]

Thanx for the update.

I tried those Domains but I could not gleam a malicious URL from them.

Some Domains such as;  kamanos.xyz  can lead to a FakeAlert such as the following Apple FakeAlert but most of the time you need a fully qualified URL.

http://kamanos.xyz/secureddefenderbegin/mac/index.html

 

Spoiler

 

[diether]

Thank you. I'll try to get more information, when I see the unwanted screen again. I am just afraid to download malicious code, when I click on anything on that screen. Therefore I just killed the Chrome application, performed a virus scan, and then looked at the history list.

Diether  

Edited December 14, 2017 by AdvancedSetup
Removed email address from post

[David H. Lipman]

Please redact your email address.

An ounce of prevention is worth a pound of cure. 

** You do not have to seek the URL if doing so is outside your comfort zone.

 

Edited December 14, 2017 by David H. Lipman

[Fbc]

This happened to me yesterday 12/14/2017.  I tried to shut down through task bar but browser pop up box with warning and browser would not close.  I finally clicked the x in the corner rather than click the submit or cancel box in the pop up and the screen turned red, started flashing and the speakers blared "WARNING DO NOT SHUT OFF COMPUTER"!  I wrote down the following from the pop up box url: curationservices.com/in/advu126126128811/  before clicking the x.  I have googled this to no avail until I came across this thread. Needless to say, I did shut down the computer, restarted in safe mode, did a restore to an earlier point, and ran a virus scan.   Scared the heck out of me as I am not sure how I got this but I do recall getting a warning about an unsafe site from McAfee when I clicked on a link from an email from my kids school related to PSAT scores. Also, I do not know what I should do if this happens again.  I am not a computer guy but it is time to learn how to capture the details...

[David H. Lipman]

You got this FakeAlert ( below ) because it was a bad web page.  Such web sites are in a class called a malvertisement.  Performing a System Restore from a previous Restore Point was overkill as it would do absolutely nothing in this situation.

{ Your FakeAleret was submitted in;  HTML.FakeAlert }

Spoiler

 

The way to deal with this is to use Task Manager and Kill the Browser Task rendering the objectionable content, Log Off or Reboot.

Since all FakeAlert sites are a kind of malvertisement, it is hard to avoid them.  They may appear on legitimate sites because the legitimate site owner chose to use an advertiser or marketing firm that works with nefarious sources.  FakeAlerts are now extremely common and that is why education and recognition is the best way to combat the fraud they represent.

Edited December 15, 2017 by David H. Lipman
Edited for content, clarity, spelling and grammar

[Fbc]

Dave, that screen shot was it!  Thanks for the advice on dealing with it next time.  Greatly appreciate it! 

[neub]

I got this warning on my screen twice yesterday. I wasn't sure it was a FakeAlert. I was redirected there from the HuffingtonPost home page. I don't think I clicked on anything before I was redirected three times. The second redirect sent me to curationservices.com.  

I'm glad I found this thread.

[David H. Lipman]

Fbc:

I was able to gleam the URL from your post.  Because of that, I was able to capture the screen-content and submit the URL on your behalf.

 

 

[Skeeball]

Dave, Thanks for the info.  At the moment (12/23/17)  curationservices.com did not actually resolve before I closed it.  I was simply reading a news article on a major web portal the starts with a Y when the site opened in a new window.  One would think a major web portal player like Y$%** would thoroughly vet their advertisers.

[Porthos]

19 minutes ago, Skeeball said:

One would think a major web portal player like Y$%** would thoroughly vet their advertisers.

The word of the day is a-s-s-u-m-e. It is just as important to have a good adblocker as well as av/malware protection. 

Edited December 23, 2017 by Porthos

[David H. Lipman]

It is a malicious site that will redirect the viewer to a new FakeAlert every 2~3 hours.

Presently it is.

http://165.227.216.234/as/?a=10012592&campid=46#

 

30 minutes ago, Skeeball said:

 One would think a major web portal player like Y$%** would thoroughly vet their advertisers.

Nope.  It's all about the $$.  A site may use an advertiser or marketing firm but they may contract out to others.  Somewhere along the line a malvertiser slips in and the web site viewer gets malicious content.

Companies like Yahoo! and AOL will show advertisements that are on the edge of fraud.  Such as the ones about NCIS and Abby Sciuto ( Pauley Perrette ) to sell Snake Oil products.

Reference:

'NCIS' actress Pauley Perrette slams fake skincare ads, rumors behind her exit

 

Edited December 23, 2017 by David H. Lipman
Spelling, Grammar and Clarification

[fels]

Wow, maybe I finally found a place I can get help. I received a fake alert nearly identical to one posted by David on Dec 14 (under hidden comments with URL ending …AppleFakeAlert.jpg.528d944a0d16790871c966859cf32df5.jpg). The only difference is the phone number. Here are all the things I've done since. Managed after many attempts to get to the finder window and force quit. Turned off my MacBook Pro. Turned it on again and waited for it to boot, it gets 99% of the way there but never boots. Manually powered off, booted in target mode while connected via fire wire to a good mac (an iMac5,1 A1208 late 2006 with OS X 10.5/8 installed). Then turned on the good mac. The target disk (bad mac) does display the bouncing firewire icon, but so does the good mac, and I'm unable to do anything but turn both off manually. Tried booting the bad mac every which way (safe, verbose, reinstall macOS from the recovery drive, from a USB drive, online, etc.) I tried all the options listed by Apple technical support. Even knowing it was a scam; I DID call the scam 800 number to hear their BS. I blocked my phone (landline) and they identified my number anyway. If I remember correctly, they called me by my first name (how? — maybe every 800 they offer is unique?). Scary, huh?  I said I'd call later because I wasn't in front of my mac. Called again a few hours later, this time from my iPhone, also with number blocking turned on. The guy who answered this time also knew my number and my name. Freaked me right out. Again I said I'll call back and hung up. In the meantime I've been unable to boot up in all the ways identified above. I got as far as the macOS Utilities page and can confirm my physical disk, which I've partioned, is still there, showing both partitions. I've run disk utility several times and everything checks out ok. The closest I've come to getting the thing booted is through the Shift-Option-Command-R combo, which offered me the chance to boot from the OS that originally came with the Mac. However, it won't allow me to install it on the disk partition I’ve been booting from because there’s already the more recent macOS High Sierra installed. It offered the chance to install the original OS X Mountain Lion on my 2^nd partition instead, which I declined.

Finally, assume I don’t have a backup/cloned drive available. Everything I’ve read tells me that none of my files are actually encrypted, but how do I get them? Can you help me get my Mac back? I’m not afraid of terminal mode if it gets to that, as long as I have good instructions to follow and I can understand what I’m doing.

By the way I have plenty more screenshots I can post, some from recent emails I’ve received from these scamers. They have my email address, too.

[David H. Lipman]

It isn't screenshots that are needed.

It is the URL that is used to render the HTML.FakeAlert content.  Then they can be submitted for product inclusion in;  Newest IP or URL Threats ( as per the directions in READ ME: Purpose of this forum )  so they can be added to protect others from falling prey to the scams they represent.

Remember - They do NOT come from software on your PC ( Windows or MAC ) and that they emanate from the POV of the Internet and exist as web sites.  They are merely sites that host fraudulent content to induce one to make the phone call to pay for service or to purchase a product based upon a non-existent event.

Since they are Internet sourced, no anti malware solution can find and remove anything. 

Any specific MAC related questions can be posed in Malwarebytes for Mac

** As noted, the URLs can be submitted and subsequently added to the Malwarebytes' products to protect others from ever seeing the objectionable fraud sites.

 

Edited March 18, 2018 by David H. Lipman
Spelling, Grammar and Clarification

[fels]

Hi David,

Thank you for taking the time to have a look at my post. I found this forum by doing an image search and thankfully one of your screenshots came up that was practically identical to the one I posted. If I understand correctly the url that shows behind the fake alert, in my case mercenarycombatleague isn't important, which I deduced from other responses you've contributed to this thread. Since I was able to synch my Firefox bookmarks and history from another computer I have a good idea about the culprit source, to which I was directed by YouTube. There was content on that site, called joinhoney that I couldn't read because my ad blocker was on; like a fool I turned it off to see what I was missing. At that point I turned my ad blocker back on and went about my business, back to YouTube without clicking on anything else. I've since revisited the joinhoney which is actually legit but for the life of me I can't figure out any link or ad that triggered this sorry affair. Anyway, I'm just filling you in on some background. I'll follow your advice and post to the right places, but I wanted to thank you in any case. BTW the thing I still don't understand is why/how my computer seized up and I can't get it to boot. I never allowed remote access....? Is it even logically possible? In any case I'll jump over the Mac site. Thanks again.

Incidentally we share the same interests — photography, numismatics & surf fishing. I used to visit Stone Harbor as a kid, now I fish off of Truro on the Cape. I'm somewhat knowledgable on those topics but it's blindly obvious that, despite my interest, cryptology and malware are beyond my reach. For now.

[David H. Lipman]

I'm sorry if I wasn't clear.

The screenshot isn't really that important, it only proves the malicious intent of a given URL.

It is the URL that is important.

For example the following is an example of a Microsoft FakeAlert.  Therefore it it would be a good idea to submit URLs like it in;  Newest IP or URL Threats ( as per the directions in READ ME: Purpose of this forum )

https://d35iq1yh0ox7cq.cloudfront.net/

Rendered Content for the above Microsoft FakeAlert.

Spoiler

 

As I indicated earlier in this thread, I have created a ¹PDF ScreenShow of a myriad of FakeAlert screens - FakeAlert-Screens.pdf  /  Flash Version

Any specific MAC related questions can be posed in Malwarebytes for Mac

If you believe your MAC to be infected, you can request assistance in; Malware Removal for Mac

---

1.  I have created the FakeAlert ScreenShow for the purposes of education and recognition.  Of course if someone has a different screenshot other than what I represent ( for example one in another language or completely different graphics and/or content ) I would gladly accept them for inclusion. 

---

I do NOT want to get Off Topic here.  But I do like US coined currency;  Silver, Copper, Nickle, Steel and Gold as well as US Mint Silver Dollar Commemoratives.  I also like Striper, Blue, Spanish Mackerel, Fluke, Little Tunny and other fish caught in the Jersey Surf.  Subject matter better served in their own topic here in General Chat.   I'm not into Cryptocurrency but I do like Cryptovirology. 

 

Edited March 19, 2018 by David H. Lipman
Edited for content, clarity, spelling and grammar