Doug_M

New Browser Hijack in Safari?


Every once in a while when I click on anything in a web page a new tab opens to some obviously hacked website with a page trying to get me to install Flash.  My homepage hasn't been changed, I don't have automatically open safe files turned on, I have Bitdefender and Malwarebytes installed (they detect nothing on any type of scans I do), and there are no profiles installed.  I did not download any flash installer nor did I install any shady programs.  Everything I can find on removal pertains to WeKnow but as I said, my homepage has not been changed and there are no profiles to remove.  Some of the hacked website URLs are:

usine.puopla.site
topfinishgreatappclicks.top

I've looked through the running processes and can't spot anything out of the ordinary.  The click hijack is not that frequent but is at least a couple of times a day.  This started not quite a week ago I'd estimate.  Any suggestions on where to look?  I'm quite comfortable with the command line if that helps.


Any website.  It happens randomly and is not repeatable.


Hmm.  Okay it happened today when I was on eBay.ca and yesterday on kijiji.ca (owned by eBay).  I can't remember about the other times.  So I just went to kijiji.ca and started browsing and bam, happened again.  Only this time the fake error message was different.

It took me to this (and downloaded maccleaner.pkg; obviously I did not open it or click anything on the malware page).

[screenshot]


No, no ad blocker.  The thing is though an ad blocker isn't a "solution" as the click hijacking is occurring on my machine.  That is to say I believe my Mac to be infected as opposed to the websites I'm visiting where the click hijacking is occurring.  If eBay and Kijiji were hacked (or ads they serve were malicious) it would be news in the tech-o-sphere.

23 minutes ago, GuruGuy said:

You may want to follow the instructions given by Adas as shown in this topic 


Yeah that's just more WeKnow stuff. I've looked at many WeKnow removal howtos and they just don't seem to apply here.  For example they talk about profiles but there are none on my Mac.  They talk about WeKnow taking over Safari's default homepage, but that isn't an issue with mine.  They talk about people getting infected by running a Flash installer.  I didn't do that.  I didn't even download a Flash installer.  What I've got seems to be very new.  Hopefully others will start reporting it but most will probably get mistaken for more WeKnow infections at first.  And of course if you google macOS adware flash all you get are WeKnow posts.  This may take some time...

3 hours ago, Doug_M said:

If eBay and Kijiji were hacked (or ads they serve were malicious) it would be news in the tech-o-sphere.

Not big news though, as many mainstream sites have been and probably still are serving malvertisements they get from third party sources.

Have you checked to see if there are any browser extensions/add-ons that you don't recognize? Any profiles in System Preferences->Profiles? Have you followed the steps in the pinned article at the top of this forum yet?

The next step will be to submit some troubleshooting data from your computer to Customer Support, not here. I'll direct you after you accomplish the above items.


As stated in the op, no profiles exist to delete in the first place, and everything else WeKnow doesn't apply (including extensions, I don't have any) as it doesn't exist. I've been down that road already which is why I posted here in the first place. 

There is nothing to submit to customer support yet because Malwarebytes isn't finding anything so there is nothing in the app log.  All I have at this point is "something" is clickjacking in Safari and it isn't WeKnow.  I will compile a collection of URLs it sends me to along with screenshots of the fake macOS screens.  Then at least I'll have something to submit.

[screenshot]

14 hours ago, GuruGuy said:

This looks exactly like your screenshot

[link removed]

It does. Though that screenshot has only happened once (the latest).  All the other times it was a cheesy looking Flash install screen.  

As an addition, that link mentions looking in LaunchAgents for suspicious items.  I did that as well as in LaunchDaemons and didn't find anything.  It talks about "PUA" (potentially unwanted apps) and I haven't installed anything recently.  Other than a few apps from the Mac Store all I have installed is Calibre E-Books, GIMP, Google Earth Pro, MacLoggerDX, Mailplane, NetBeans, SkookumLogger, Transmit and World of Tanks.  No browser extensions, no Flash etc.  The last program to be installed was World of Tanks.  Though I would think that if the Mac version of this game was installing a click-jacker the Mac sub-forum on WOT would be full of people complaining.  Then again you never know.

Edited by treed: bad link
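One way to do the LaunchAgents/LaunchDaemons review mentioned in the post above, as an added shell example that is not from the thread. It parses each job's plist with plain sed and flags programs living outside a few assumed Apple prefixes for manual inspection; the plists it reads in the demo are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): list launchd jobs and flag any whose
# program path is outside assumed-trusted prefixes. REVIEW means "look at it
# by hand", not "malicious": legitimate third-party agents also land there.
# Sample plists are constructed inline because the demo host is not a Mac.

# Print "label <TAB> program <TAB> ok|REVIEW" for each plist in a directory.
list_launchd_jobs() {
    dir=$1
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        # Label plus the first ProgramArguments entry (or Program), via sed only
        label=$(sed -n '/<key>Label<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$f")
        prog=$(sed -n '/<key>ProgramArguments<\/key>/{n;n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$f")
        [ -n "$prog" ] || prog=$(sed -n '/<key>Program<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$f")
        case $prog in
            /System/*|/usr/*|/Library/Apple/*) flag=ok ;;   # assumed trusted prefixes
            *) flag=REVIEW ;;                                # anything else: inspect by hand
        esac
        printf '%s\t%s\t%s\n' "$label" "$prog" "$flag"
    done
}

# Write a minimal launchd plist: $1 output path, $2 label, $3 program path.
write_plist() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>Label</key>
    <string>$2</string>
    <key>ProgramArguments</key>
    <array>
        <string>$3</string>
    </array>
</dict></plist>
EOF
}

# Constructed samples: one Apple-looking job and one helper hiding in a dot-folder.
make_samples() {
    d=$(mktemp -d)
    write_plist "$d/com.apple.example.plist" com.apple.example /usr/libexec/example
    write_plist "$d/com.example.helper.plist" com.example.helper "$HOME/Library/Application Support/.helper/run"
    echo "$d"
}

# On a real Mac: scan the three standard directories (harmless where absent).
for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
    list_launchd_jobs "$d"
done
```

Run it with `sh` and read every REVIEW line; a label that looks like an Apple or vendor name but points into a hidden folder under the home directory is the kind of entry the thread's removal guides ask you to inspect.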

45 minutes ago, Doug_M said:

There is nothing to submit to customer support yet because Malwarebytes isn't finding anything so there is nothing in the app log.  

Actually, that's just part of the information collected. The tool will include much more about what's currently installed and configured on your computer.

So I believe it's time to submit a system report created with the help of below article  (please don't post the zip file here)

https://support.malwarebytes.com/docs/DOC-3235

Instead,  log a support ticket with help of below link and attach the file with the email

https://support.malwarebytes.com/community/contactsupport/pages/home-support

15 minutes ago, GuruGuy said:

I'm very surprised Bitdefender hasn't picked up on any of that

Not if it's new or a new variant. Normally, Malwarebytes and BitDefender become aware of such things and update their databases around the same time.

Just now, GuruGuy said:

The screenshot link I posted is from May , so it's not new whatever it is

But that's a Windows infection, so we can't really know that this isn't a new Mac variant using the same dialogs.


Ah, you're correct. I was distracted by the "PC Risk" logo. It's actually an ad for Combo Cleaner Anti Virus for Mac, which is mostly a sham.

Still doesn't mean this isn't a new variant of whatever that was.


Was trying to "trigger" it so did some eBay and Kijiji surfing and got it to happen again.  I don't honestly know if it is tied to eBay or Kijiji at all or perhaps is triggered by searching or clicking any links.  I'll know more going forward as I'll pay more attention to it than I did over the weekend lol.  Anyway, it took me to one of the same domains as before and presented the fake Flash install.

[screenshot]

45 minutes ago, GuruGuy said:

The fact that they are using a screenshot of the exact same thing op posted tells me that this sham place knew about it in May so my question now is why doesn’t MB know about it AND why hasn’t a staff member popped into this thread yet

Sorry if I wasn’t clear.

It’s not at all unusual for adware to make subtle changes to their installation, while continuing to use the same display dialogs in an attempt to convince the user to panic. Changing the name of a file or its location on the computer is usually enough to defeat MWB scans. It would also be easy to reuse these displays/dialogs by other adware developers using a different approach.

That assumes what we are observing is actual adware. There is still a chance this is malvertising. MWB generally cannot stop that.

Edited by alvarnell


This is actually unlikely to be caused by any kind of adware or malware installed on the system. The problem seems to be happening specifically when visiting eBay and Kijiji, which suggests that they probably have a malicious ad that has gotten into their advertising feed. This is actually quite a common problem that people frequently mistake for an infection. Most likely something about your particular browsing habits on those sites and/or other information (such as geolocation of your IP address) is causing you to see this ad more frequently.

I would suggest to first try what has already been suggested here: install an ad blocker and see if that helps.

If that doesn't help, then we'll need to investigate further.


I removed all links to pcrisk[.]com. That site is designed to use search engine optimization to funnel people in and convince them to download a junk app. We don't really want a link here to give them a higher position on Google (which tends to prioritize results based on how much they are linked to from external sites, among other things).

3 minutes ago, treed said:

This is actually unlikely to be caused by any kind of adware or malware installed on the system. The problem seems to be happening specifically when visiting eBay and Kijiji, which suggests that they probably have a malicious ad that has gotten into their advertising feed.

I agree, it is looking more and more like a malicious ad.  I've been browsing the web for a few hours without issue but I have not been on Kijiji or eBay yet.  I don't like ad blockers on principle (to each their own however) so I'll try an ad blocker on just Kijiji and eBay to see if that makes a difference.  Of course as I'm typing this eBay could be removing the malicious ad from their network and we'll never know lol.

28 minutes ago, Doug_M said:

I don't like ad blockers on principle (to each their own however) so I'll try an ad blocker on just Kijiji and eBay to see if that makes a difference.

I know the feeling... you don't want to deprive sites you use and respect of their source of income.

Unfortunately, malvertising is so prevalent these days that it's more a matter of security now. Ads are no longer just a nuisance... they can be dangerous.

8 minutes ago, treed said:

Ads are no longer just a nuisance... they can be dangerous.

No doubt.  Currently it is a sort of no win scenario.

I couldn't find an ad blocker with a blacklist, but I did find that AdGuard allows custom filters so I've got that essentially "off" except for third party ads on eBay and Kijiji.  Spent about 10 minutes on both sites and so far no malvertising.  Not a definitive test by far, but so far so good.

1 minute ago, GuruGuy said:

After perusing through some of the current and old threads on MB Forum; I see a lot of these type things that just don't seem to be caught.  I know MB doesn't scan web traffic and even if it did, it may still not be effective.  Is it enough on a Mac today to run only MB (paid with realtime on) and an effective ad blocker?

Yup, there's a lot of stuff these days that people think is malware that actually isn't... like these kinds of pop-ups in the browser. Pop-ups in the browser can be caused by malware or adware, but it all depends on the purpose. Pop-ups designed to trick the user into downloading and installing more adware are generally not caused by adware, because the adware creator doesn't want to have competition for the infected machine.

I can't ever say that any technology is 100% enough. A good antivirus program should protect against all malware infections. Good web protection should prevent the machine from communicating with a bad site. An ad blocker should protect against all malvertising. But there's no such thing as 100%... if it were possible to create protection with a 100% guarantee, the game would be over, the black hats would have lost, and everyone could get on with their business without these threats.

That said, running something like Malwarebytes alongside a good ad blocker or network filter should be pretty darn effective.


There's lots of malware that can install just fine without elevated privileges. There are certain kinds of things the malware can't do if it doesn't elevate, but for a lot of the basics (stealing your data, injecting ads or causing redirects through browser extensions, etc), that kind of access isn't needed.


Crap, just when I thought I had it figured out it happens from the huffingtonpost.ca (don't judge, it was a Google News click thru lol) domain.  Though I still believe it to be malvertising rather than a local infection as it happened as I was scrolling down to the bottom of the article where the comments are and that section dynamically loads tons of third party ads as you scroll.

[screenshot]


Yeah that's what I've done (temporarily).  If that works then I'll revert to a blacklist model and play whack-a-mole for a bit.


Well it's only been a little less than 24 hours but so far so good.
