Brazilian internet service provider hacked
Posted on December 4th, 2013 at 9:33 AM EST
A few users on Apple’s support forums are reporting a problem where an Adobe Flash Player update notice pops up on most web sites. It now appears that the problem is affecting users of the Brazilian internet service provider (ISP) NET Virtua. Apparently, this was done through poisoning of their domain name servers (DNS). Such DNS poisoning attacks allow a hacker to direct requests for certain sites to a fake lookalike site, usually with the intent to harvest usernames and passwords.
The Register reports on this issue, although their description only mentions the use of this DNS poisoning to attack a bank site. However, so far, some of those reporting the problem have confirmed that they are connecting through NET Virtua, while none have said they were connecting through any other ISP. This could be coincidence, but it’s unlikely.
The buttons in that pop-up both link to a file named FlashInstall.zip, containing a single file, FlashInstall.exe. The good news is that this isn’t Mac malware. So, although the problem is causing a nuisance to Mac users connecting through NET Virtua, there is no actual threat. The bad news, for Windows users, is that only three of the anti-virus engines on VirusTotal recognize the file as malware, which means it may be slipping past the defenses of many Windows computers.
Anyone suffering from this problem should consider changing their DNS settings, at least temporarily. It would also be a good idea to clear the DNS cache, to prevent cached domain name lookups from causing the problem to continue even after changing domain name servers.
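One way to tell whether your resolver is the problem before changing it is to compare its answers with those of an independent resolver and look for the signature above: many unrelated sites all resolving to one address. The following Python script is an added example, not code from the original post; every resolver answer in it is constructed sample data, and the `.test` domain names and RFC 5737 addresses are placeholders.

```python
"""Heuristic check for the resolver hijack described above. Added example,
not code from the original post. It compares answers from the ISP-assigned
resolver with answers from an independent resolver and flags (a) domains
whose answers disagree and (b) one address that many unrelated domains
collapse onto, which is what a 'Flash update' page on most sites implies.
All answers below are constructed sample data, not real lookups."""
from collections import defaultdict

# Constructed sample answers: {domain: set of A-record addresses}.
ISP_ANSWERS = {
    "example-bank.test": {"203.0.113.77"},
    "example-news.test": {"203.0.113.77"},
    "example-shop.test": {"203.0.113.77"},
    "example-mail.test": {"198.51.100.20"},
}
TRUSTED_ANSWERS = {
    "example-bank.test": {"192.0.2.10"},
    "example-news.test": {"192.0.2.11"},
    "example-shop.test": {"192.0.2.12"},
    "example-mail.test": {"198.51.100.20"},
}


def disagreeing_domains(isp, trusted):
    """Domains the two resolvers answer with no address in common."""
    return sorted(d for d in isp if d in trusted and not (isp[d] & trusted[d]))


def sinkholed_addresses(answers, min_domains=3):
    """Addresses that at least min_domains unrelated domains resolve to."""
    by_addr = defaultdict(set)
    for domain, addrs in answers.items():
        for addr in addrs:
            by_addr[addr].add(domain)
    return {a: sorted(ds) for a, ds in by_addr.items() if len(ds) >= min_domains}


def assess(isp, trusted):
    """Verdict the user can act on: switch resolver and flush the cache."""
    mismatches = disagreeing_domains(isp, trusted)
    shared = sinkholed_addresses(isp)
    return {"suspect": bool(mismatches or shared),
            "mismatched_domains": mismatches,
            "shared_addresses": shared}


if __name__ == "__main__":
    print(assess(ISP_ANSWERS, TRUSTED_ANSWERS))
```

Sites behind one CDN can legitimately share an address, so the shared-address check alone is a prompt to run the comparison, not proof of poisoning; for real lookups, fill the two dicts from `dig @<resolver> <domain>` output.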
Of course, it’s important to keep in mind that fake Adobe Flash Player pop-ups are common, and most of them will not be caused by this particular issue. If you are seeing a similar problem, but are not connected to NET Virtua, you should consult Eliminating browser redirects and advertisements.
Posted on November 21st, 2013 at 1:04 PM EST
This is not a Mac-specific issue, but it’s important. The now-infamous Healthcare.gov website has more problems up its sleeve. Notably, it is shockingly insecure, and data that has been entered there may not be safe. I strongly advise people to exercise extreme caution with the site, and would highly recommend not using it at all, until some unknown time in the future when the problems have been fixed.
Before proceeding any further, I feel that it is important to reveal my biases. I feel very strongly that the Affordable Care Act is poorly thought out and destined to be a drawn-out, expensive and messy failure. Since this blog is not a political platform, I prefer not to discuss such things here. However, this is a topic rooted in politics, and thus it’s only fair to the reader to admit to my thoughts on the matter.
If this bias means that you cannot trust the objectivity of this article, I fully understand. In that case, I would recommend that you see the additional news sources at the end of this article. If nothing else, at least read the Congressional report prepared by David Kennedy, CEO of TrustedSec, who was one of several security professionals tasked with evaluating the security of the site. That report can be found here:
In a nutshell, this document describes a number of different security issues with the site. Issues include things like unacceptable disclosure of personal information (some of which is available with nothing more than a simple Google search), redirection weaknesses that could be utilized in phishing attempts, vulnerabilities that could allow access to or modification of data in the site’s databases, and vulnerabilities that could allow an attacker to upload malicious content to the site or load malicious content within a page on the site. Basic security of the interface has been ignored to the extent that it is trivial for a brute-force attack to gather a list of valid user names, which could then be attacked by brute-force to gain the password.
These are very serious problems. They could lead to hackers gaining access to accounts or accessing user data through vulnerabilities, and they make phishing scams much more believable. More frightening, though, are the critical vulnerabilities mentioned in the report that could not be responsibly disclosed. Given the seriousness of what was exposed, the imagination goes to a very dark place when contemplating what was too bad to expose!
For these reasons, I strongly advise not creating an account on the Healthcare.gov site for a while. How long it will be until the site is safe is hard to say, but it could be a very long time, from what the conclusion of Kennedy’s report implies. In the meantime, if you need to access these services, use one of the alternate methods listed in the Healthcare.gov Contact Us page, such as a simple phone call to one of the provided 1-800 numbers.
If you already have an account with personal information on the site, I honestly don’t know what to tell you. I have not used the site, as my current health plan is still good under the ACA, so I don’t know whether it is possible to remove personal information or delete an account, and what effects that may have on your health insurance. I would recommend that you contact someone through one of the methods at the HealthCare.gov Contact Us page. Express your concerns and ask about your options for removal of personal information from the site.
Posted on November 26th, 2013 at 3:39 PM EST
I have written previously about Genieo, which is adware that has used somewhat sneaky methods to get installed in the past, and whose uninstaller leaves behind deceptively-named components that remain actively running afterwards. This is bad news, but at least Genieo has always, to my knowledge, required the user to manually run an installer clearly named “Install Genieo”, regardless of what the site it was downloaded from called it. This is no longer the case, as I have found an installer that does not behave this way. In addition, this installer also installs the GoPhoto.it adware, which I have never written about.
The installer in question is downloaded from a site offering a “FirstRow Sports app,” which purports to allow the user to watch a variety of sporting events live at no charge. Of course, the site also redirects users to all manner of other scam sites, such as a “free movie” site and a MacKeeper ad site.
Often, though, these sites are opened as “pop-unders,” meaning that they open in a window behind the current browser window, so the user may not find them until much later and may not associate them with the site generating them, and thus with the downloaded app.
Users who download the app will find themselves in possession of a SportsApp_Mac_Installer.zip file, which expands into what looks like a standard Apple installer package. It even has the same icon as an installer package. However, it is actually an application.
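The icon and name of the expanded item say nothing about what it is; the bundle layout does. The Python script below is an added example, not code from the original post: it inspects a zip without extracting it and reports whether each top-level entry is an application bundle, a flat installer package, or something else. The archive it builds in `make_sample_zip()` is a constructed stand-in for illustration, not the real SportsApp_Mac_Installer.zip.

```python
"""Report what each top-level entry of a downloaded zip really is: an
application bundle (Contents/MacOS plus an Info.plist of type APPL), a flat
installer package (one file starting with the xar magic 'xar!'), or other.
Added example, not from the original post; the sample archive is constructed."""
import io
import plistlib
import zipfile

XAR_MAGIC = b"xar!"  # flat .pkg installers are xar archives


def classify_zip(data: bytes) -> dict:
    """Map each top-level entry to 'app-bundle', 'flat-pkg' or 'other'."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for top in sorted({n.split("/", 1)[0] for n in names}):
            members = [n for n in names if n == top or n.startswith(top + "/")]
            has_exec = any(n.startswith(top + "/Contents/MacOS/") for n in members)
            pkg_type = None
            if top + "/Contents/Info.plist" in names:
                try:
                    pkg_type = plistlib.loads(zf.read(top + "/Contents/Info.plist")).get("CFBundlePackageType")
                except Exception:  # malformed plist: fall back to the layout check
                    pass
            if has_exec or pkg_type == "APPL":
                verdicts[top] = "app-bundle"  # it runs code, whatever its icon says
            elif members == [top] and zf.read(top)[:4] == XAR_MAGIC:
                verdicts[top] = "flat-pkg"
            else:
                verdicts[top] = "other"
    return verdicts


def disguised_apps(data: bytes) -> list:
    """Entries named like an installer (.pkg or 'installer') that are apps."""
    return [n for n, v in classify_zip(data).items()
            if v == "app-bundle" and (n.lower().endswith(".pkg") or "installer" in n.lower())]


def make_sample_zip() -> bytes:
    """Constructed sample: an app named like an installer plus a stub flat pkg."""
    app = "SportsApp Installer.app"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(app + "/Contents/MacOS/SportsApp Installer", b"\xcf\xfa\xed\xfe")  # Mach-O magic only
        zf.writestr(app + "/Contents/Info.plist",
                    plistlib.dumps({"CFBundlePackageType": "APPL", "CFBundleIconFile": "Installer"}))
        zf.writestr("Legit.pkg", XAR_MAGIC + b"\x00" * 16)  # stub, not a real package
    return buf.getvalue()
```

A legitimate installer can also ship as an application, so a hit means "this will run as an app the moment it is opened, treat it as one", not that it is adware.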
When opened, the application immediately mimics the Apple installer, but oddly, it seems to be offering to install GoPhoto.it:
If the user continues with the installation, the next screen contains a license agreement for Genieo:
Continuing from here results in completion of the installation. However, the promised live sports streaming app never materializes. There is no such app added to the system anywhere. The sole payloads appear to be GoPhoto.it and Genieo.
After installation completes, the Genieo installer begins. Interestingly, this older Genieo installer (dating back to August of this year) does not seem to install a lot of the sneaky junk that more recent Genieo installers do. Removal of this version of Genieo seems simple: just delete the Genieo and Uninstall Genieo apps and change your browser’s home page back to what it was before. However, I nonetheless advise following the full removal procedure found in the Genieo removal section of my Adware Removal Guide. If none of the other files are found, great, but it’s important to look, just in case something changes.
GoPhoto.it removal is also simple for the most part, although Firefox users will have a file installed that disables some of Firefox’s security features relating to Firefox add-ons. To remove this, see the GoPhoto.it removal section of my Adware Removal Guide.
This is really nothing particularly new. Adware is becoming more and more prevalent for the Mac, and as a result, great care is needed when downloading new apps. I mention this particular case mostly as an illustration of what can happen if you aren’t careful, and a reminder to avoid shady sites when downloading software. Keep in mind that even some fairly mainstream download sites, such as Download.com and Softonic, are guilty of inserting adware into their downloads. (See Boycott CNET’s Download.com and Boycott Softonic.)
Updates
November 27, 2013: If you scroll down to the comments, you will notice a lengthy discussion between myself and someone calling himself “ThomasFake,” who portrays himself as a satisfied user of Genieo. I was suspicious, though, so I finally decided to do a little digging.
This individual, posting from what looks like a fake GMail account, has posted all comments from the IP address 126.96.36.199. This IP address turns out to be located in Israel, which is where Genieo (the company) is located. Acting on a hunch, I decided to look back through my e-mail messages, and found that messages I have exchanged with several different Genieo representatives came from that same IP address:
A little more digging turned up the fact that this same IP address has been used to repeatedly edit the Malware section of the Genieo page on Wikipedia.
Another fake user, calling himself simply “Thomas,” who actually started the discussion that was then continued by ThomasFake, is posting from 188.8.131.52, which is another Israeli IP address. This address has also been very active in editing that Wikipedia page.
I am choosing to allow those comments to stand rather than censoring them. However, I reserve the right to block any future comments from either of these users.
Adware Removal Guide
Published November 7th, 2013 at 3:36 PM EST, modified November 11th, 2013 at 1:41 PM EST
Adware has been a plague on the Windows world for years. Unfortunately, this plague has begun to spread to the Mac as well. There are a number of different programs out there that serve no useful purpose except to shove ads in your face, all just to make money for the developer of the adware. Because it lives on the borderline between malware and legit software, though, detection by anti-virus software can be very hit-or-miss. This can make removal difficult.
Adware often comes packaged in installers for other software. Sometimes, this is because it has been added to a legit piece of software by an unscrupulous download site. (Even mainstream download sites, such as Download.com and Softonic, have resorted to this kind of unethical behavior.) Sometimes it is because a developer has opted to use an adware-riddled installer, provided with incentives from the adware creator, to distribute their software. It could even be installed through deceit, by pretending to be something that it is not in order to trick the user into installing it. (This last type is usually the only type that is detected as malware by anti-virus software.)
The most typical symptom of such adware is the display of advertisements on your Mac where none should exist. Adware also will often change your browser’s home page and search engine settings, and may even cause redirects from legit sites to sites constructed for the financial benefit of the adware developer. It can also cause secondary problems, such as web pages displaying incorrectly due to insertion of foreign HTML code, and even browser crashes.
If you have symptoms that lead you to believe that you have adware installed, see the Identification section below for help identifying what adware you have (if any), then refer to the appropriate removal instructions.
Table of Contents
Note that this page is a work-in-progress, and probably always will be. If you find adware not described on these pages, or find that known malware is behaving in ways other than as described here, please contact me!