
Drive-by download follow by... text message?



Hello,

 

I am on a MacBook Pro using MacOS Mojave.

 

Yesterday, I experienced a drive-by download from a website. In Safari, I saw the little icon hop into the downloads bin, as it does when you download something. I never clicked on anything, or gave any permission to download something.

 

Moments after that, something much more unusual happened, for which I cannot seem to find a similar case anywhere. I received a text message from an unknown number saying something about comedy, and it had a Google shortcode in it. Obviously, I did not click on the shortcode. At the moment of the drive-by download, I had many applications open. This included iMessage.

 

My concern is, of course, what happened and how at risk am I? I downloaded Malwarebytes and performed a scan. No malware/viruses/etc. were found. Since I received a text, it seems that my information MUST have been compromised to some degree. Should I take more extreme measures than just running Malwarebytes and forgetting about it?

 


  • Staff

It sounds like this was purely coincidental. It's trivial for JavaScript to download a file, but it can't launch a downloaded executable, so just seeing the download by itself is not concerning. Make sure you delete whatever was downloaded. (If your Downloads folder is so full that you can't tell, you need to clean that out. Keep it empty so you never end up with a malicious download hiding in there and possibly getting opened by you inadvertently months later.)

The text, and the timing with which it arrived, would have been coincidental. If your machine were already infected, there would be no reason to raise your suspicions by sending you a weird text message.


Well, there was also nothing actually in my downloads folder after the "download". I clean the folder out regularly, and immediately after I saw the "download" take place, I checked my downloads folder. There were no new files.

 

My theory on the text is that they may have wanted me to follow the link included, which would then further infect my phone. This text literally came within 30 seconds of the download.

 

Here is the text:

Ι.О. ԁy

ϳа16

(Google link with shortcode here)

хt ℚՍІΤ t еᴨԁ

 

Are there any additional features other than just the Malware scan I should be performing on my devices? Is it possible that something downloaded, installed, and deleted the file that was downloaded from the internet on its own?
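The message quoted above spells Latin-looking words out of Greek, Cyrillic and Armenian letters plus a double-struck Q, the usual homoglyph trick spammers use to get past keyword filters (the skeleton reads roughly "I.O. dy ja16 xt QUIT t end"). The following is an added example, not part of this thread or of Malwarebytes' own software, showing how a filter can flag such a message by detecting tokens that mix scripts and by folding known confusables back to an ASCII skeleton. The confusables table is a small constructed subset (not Unicode's full confusables.txt), and the sample SMS is a reconstruction of the quoted text built from explicit code points so the characters are unambiguous.

```python
import unicodedata

# Constructed subset of confusables seen in the quoted message, mapped to the
# Latin letter each one imitates. Unicode's confusables.txt has thousands more.
CONFUSABLES = {
    "\u0399": "I",  # GREEK CAPITAL LETTER IOTA
    "\u041e": "O",  # CYRILLIC CAPITAL LETTER O
    "\u0501": "d",  # CYRILLIC SMALL LETTER KOMI DE
    "\u03f3": "j",  # GREEK LETTER YOT
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u211a": "Q",  # DOUBLE-STRUCK CAPITAL Q
    "\u054d": "U",  # ARMENIAN CAPITAL LETTER SEH
    "\u0406": "I",  # CYRILLIC CAPITAL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03a4": "T",  # GREEK CAPITAL LETTER TAU
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u1d28": "n",  # GREEK LETTER SMALL CAPITAL PI
}

# Constructed sample modelled on the SMS quoted in the thread (link omitted).
SAMPLE_SMS = (
    "\u0399.\u041e. \u0501y \u03f3\u043016 "
    "\u0445t \u211a\u054d\u0406\u03a4 t \u0435\u1d28\u0501"
)


def script_of(ch):
    """Coarse script tag for one character.

    Python's unicodedata exposes no Script property, so the leading word of
    the character name is used as a proxy ("CYRILLIC", "GREEK", "ARMENIAN",
    ...). Anything containing LATIN counts as Latin; digits, punctuation and
    whitespace are script-neutral and return None.
    """
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    if "LATIN" in name:
        return "LATIN"
    return name.split(" ")[0] if name else "UNKNOWN"


def mixed_script_tokens(text):
    """Return whitespace-separated tokens whose letters come from two or more
    scripts. Genuine words, in any single script, are never flagged; 'хt'
    (Cyrillic ha + Latin t) is."""
    flagged = []
    for token in text.split():
        scripts = {s for s in map(script_of, token) if s}
        if len(scripts) > 1:
            flagged.append(token)
    return flagged


def skeleton(text):
    """Fold the message to what a human reads: swap known confusables for their
    Latin look-alikes and NFKC-normalise the rest (fullwidth, ligature and
    styled letters collapse to plain ASCII)."""
    return "".join(
        unicodedata.normalize("NFKC", CONFUSABLES.get(ch, ch)) for ch in text
    )


def is_suspicious(text):
    """Filter verdict: any mixed-script token marks the message as obfuscated.
    Keyword rules (e.g. a 'QUIT' opt-out bait) should run on skeleton(text),
    not on the raw string, or they never match."""
    return bool(mixed_script_tokens(text))


if __name__ == "__main__":
    print("raw:      ", SAMPLE_SMS)
    print("skeleton: ", skeleton(SAMPLE_SMS))
    print("flagged:  ", mixed_script_tokens(SAMPLE_SMS))
    print("suspicious:", is_suspicious(SAMPLE_SMS))
```

Running the block on the reconstructed message flags every token except the lone Latin "t" and recovers the skeleton "I.O. dy ja16 xt QUIT t end", which is the string a keyword rule would actually need to match on.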


  • Staff

I can't say what might have happened, but at present there's no known way for malware to install directly from the web browser. Such exploits are discovered periodically, but they haven't been used on the Mac since 2012. These days, those exploits can be sold on the black market and would be unlikely to be used in a sloppy drive-by attack, which would lead to their discovery and destroy their value.

Whatever this was, it was likely a scam site - which perhaps tried to download something unsuccessfully, or that was deleted/quarantined by some software - and a coincidentally timed text message.

Definitely DO NOT tap the link in the text message, or respond with "QUIT" (or any other text). I would be interested in seeing the link, however. If you can send that to me via a direct message, that would be much appreciated. Hover your mouse over my name or avatar at left, then click the Message button.
