Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Safari wants to "update" Adobe Flash but only when visiting CNN dot com
- Thread starter dmfresco
- Start date
- Sort by reaction score
The link to "download Flash update" on CNN is to a site with a pw domain – that's Palau.
I think the OP's point was that having something like this come up on a major web presence like CNN seemed unusual. Do they not vet what ads are attached to their web site? Do they normally allow pop-up ads to hijack the page like this? There is no way to dismiss this without closing the window (I didn't have to quit Safari). I could not get to the CNN article I wanted to read. Of course I didn't take the bait, it was obviously fake (actually, I wouldn't have clicked it if it was real either!). The Q is, why am I seeing this on a major news web site like CNN?
I think the OP's point was that having something like this come up on a major web presence like CNN seemed unusual. Do they not vet what ads are attached to their web site? Do they normally allow pop-up ads to hijack the page like this? There is no way to dismiss this without closing the window (I didn't have to quit Safari). I could not get to the CNN article I wanted to read. Of course I didn't take the bait, it was obviously fake (actually, I wouldn't have clicked it if it was real either!). The Q is, why am I seeing this on a major news web site like CNN?
The problem has just returned. I was able to find the offending link. Please no one click on it!! But I would be curious if anyone might have ideas on why I seem to be getting it only when clicking on CNN dot com.
http:// afew.zoyufo.pw/AwHiJM15KSsxR6FOzKoS7rZR7LvDczNw-0OW4MRY5gNGfHZ89QOLFdABh8lzemAkT5qtCB5aC5NGdupsRhc1g5S_idzveaaSOvO7VMY25Ys0Tw==?p2=b74046628b12e0629949e6c26a329018&ci=w2eg3l5eh2942b9t1tj0g6qs&n3er=t7m6yg==&uu=lIaJhrzOpHZ6iHd-eXqJent3gns=
http:// afew.zoyufo.pw/AwHiJM15KSsxR6FOzKoS7rZR7LvDczNw-0OW4MRY5gNGfHZ89QOLFdABh8lzemAkT5qtCB5aC5NGdupsRhc1g5S_idzveaaSOvO7VMY25Ys0Tw==?p2=b74046628b12e0629949e6c26a329018&ci=w2eg3l5eh2942b9t1tj0g6qs&n3er=t7m6yg==&uu=lIaJhrzOpHZ6iHd-eXqJent3gns=
I guess this is why one of the users on this forum said that you NEVER whitelist any website in your adblocker. CNN is not your mom after all.
It was happening just on CNN for me. But it happened on a site called statcounter. I have deleted all the Safari data once again and so far so good.
I am getting the same problem on cnn.com and only on the Safari browser (does not happen with Chrome). Same annoying pw domain. Macworld.co.uk also does it. Most sites do not have this problem. I tried clearing history and removing everything from Manage Website Data but it doesn't work.
I ran into this problem Saturday early am February 29 on Mac OS X Catalina. I already had Flash installed and Adobe Flash told me it was up to date. I added AdBlock popup blocker extension, and ran Malware Bytes and Privacy Scan. The malware attempt went away as soon as I added AdBlock and Malware bytes and Privacy Scan didn't show any malware problems. I agree this is for sure not a legit Adobe request and am surprised that CNN doesn't have IT staff monitor their website for malware/adware infiltration. That's a small task order to periodically monitor across platforms and OSs to see who is abusing their ad policies or hacking them. I sent them an on-website e-mail via CNN.com/feedback. This website here, right here, macrumors requires cookies.
I am seeing this zoyufo.pw crap tonight on nytimes.com and thehill.com as well as cnn.com
Yes. I noticed this over the last few days. It was happening on my iPad Pro and then also my Mac, but not my iPhone Xs. After I went to the CNN website it could happen on any website. If I cleared the cache, it would all happen again after going to the CNN website. By downloading a malware blocking app (same "brand" app for iPadOS and MacOS) it finally stopped.
After deleting website data & cookies & restarting safari when going back to cnn is Javascript off and are all cookies being blocked and issue still comes back?
I know that can limit sites that need to be logged in, some videos, or if you want to personalize, but if a site is causing me issues and I just want to read some articles that are still accessible I leave off Javascript and accepting cookies for awhile. If site forces me to have on I will just find info elsewhere until site fixes its issue (it's almost the norm for me recently to just turn on when needed for a specific site & then back off now with a deletion of website data as Apple's 3rd party access appears too lenient). I will also delete website data afterwards before going elsewhere and probably when I am done using browser as well that day (some still shows up even with these settings lately just like some 3rd party cookies I have never visited show up when not blocking all cookies and items on official reading list adding data even if I don't have offline use turned on or have visited them since clearing all website data causing me to just use a regular bookmark file for that stuff).
Are the sites pushing these fake flash downloads (or even where it starts like CNN) showing up under Safari's preferences/websites/downloads? Or is anything questionable or hadn't approved showing requesting access under items in MacOS security & privacy/privacy?
For anything already downloaded How good is something like malwarebytes at finding, quarantining, & removing never seen before malware (predicting something new as possibly being malware)? Do they have a way of reporting above link to suspect file or site pushing them to help speed up any updates to find & remove malware that might be possibly evading their software?
I know that can limit sites that need to be logged in, some videos, or if you want to personalize, but if a site is causing me issues and I just want to read some articles that are still accessible I leave off Javascript and accepting cookies for awhile. If site forces me to have on I will just find info elsewhere until site fixes its issue (it's almost the norm for me recently to just turn on when needed for a specific site & then back off now with a deletion of website data as Apple's 3rd party access appears too lenient). I will also delete website data afterwards before going elsewhere and probably when I am done using browser as well that day (some still shows up even with these settings lately just like some 3rd party cookies I have never visited show up when not blocking all cookies and items on official reading list adding data even if I don't have offline use turned on or have visited them since clearing all website data causing me to just use a regular bookmark file for that stuff).
Are the sites pushing these fake flash downloads (or even where it starts like CNN) showing up under Safari's preferences/websites/downloads? Or is anything questionable or hadn't approved showing requesting access under items in MacOS security & privacy/privacy?
For anything already downloaded How good is something like malwarebytes at finding, quarantining, & removing never seen before malware (predicting something new as possibly being malware)? Do they have a way of reporting above link to suspect file or site pushing them to help speed up any updates to find & remove malware that might be possibly evading their software?
You can use Gas Mask https://github.com/2ndalpha/gasmask to add 0.0.0.0 afew.zoyufo.pw to your hosts file.
More details about Using hosts to block ads and malware in Catalina https://forums.macrumors.com/threads/using-hosts-to-block-ads-and-malware-in-catalina.2198978/
More details about Using hosts to block ads and malware in Catalina https://forums.macrumors.com/threads/using-hosts-to-block-ads-and-malware-in-catalina.2198978/
This is an ongoing thing. Reddit thread:
and another thread here on MR:
forums.macrumors.com
and another thread here on MR:
Safari redirecting to http://afew.zoyufo.pw?
I think I have been infected. My Catalina Safari regularly redirects to http://afew.zoyufo.pw, which seems to be one of those stupid 'update your adobe' sites. How do I kill that? thanks in advance... OK, so did the 'developer' clear cache thing, tried to delete all my cookies, still...
forums.macrumors.com
I made the mistake a few days ago of installing the flash update. Turned out to be a virus that took over my three browsers, Safari, Firefox and Chrome. What the virus does is it redirects your browser startup page to searchmine.com. It also locks your browser startup page preferences so that you can't change it.
After researching for a while I found that this virus only affects the browsers, but is a major pain to remove from your system. Basically, it installs a few false apps into your applications folder. Then it creates a folder in your HD/Library/Managed Preferences. That folder is what is controlling the browsers. But you can't just delete it. It comes back after a restart. I found a blog that has a list of items to remove from your system, but you do have to have a certain level of confidence in doing this yourself.
This the blog that helped me most.
(https://malwaretips.com/blogs/remove-searchmine-net/).
What worked for me was removing three apps from my applications folder that I know I did not install. They were not the ones listed in the blog, but they were definitely not mine. I deleted everything inside the HD/Library/Managed Preferences. Lastly, I opened System Preferences and I found a "Profiles" icon that didn't belong and deleted it.
This is what worked for me, but there are more intensive instructions on the blog. This all happened on my Mac Desktop and now it's clean. But the CNN website thing is happening on my LapTop now. I have no idea how to make that stop, but I won't be making the same mistake twice. I hope this helps anyone who has made the same mistake I made. Also, once the virus was in my system, neither Malwarebytes nor Sophos detected anything wrong and so were useless in removing it. This is why I did it manually.
After researching for a while I found that this virus only affects the browsers, but is a major pain to remove from your system. Basically, it installs a few false apps into your applications folder. Then it creates a folder in your HD/Library/Managed Preferences. That folder is what is controlling the browsers. But you can't just delete it. It comes back after a restart. I found a blog that has a list of items to remove from your system, but you do have to have a certain level of confidence in doing this yourself.
This the blog that helped me most.
(https://malwaretips.com/blogs/remove-searchmine-net/).
What worked for me was removing three apps from my applications folder that I know I did not install. They were not the ones listed in the blog, but they were definitely not mine. I deleted everything inside the HD/Library/Managed Preferences. Lastly, I opened System Preferences and I found a "Profiles" icon that didn't belong and deleted it.
This is what worked for me, but there are more intensive instructions on the blog. This all happened on my Mac Desktop and now it's clean. But the CNN website thing is happening on my LapTop now. I have no idea how to make that stop, but I won't be making the same mistake twice. I hope this helps anyone who has made the same mistake I made. Also, once the virus was in my system, neither Malwarebytes nor Sophos detected anything wrong and so were useless in removing it. This is why I did it manually.
Last edited:
For me, the problem is intermittent, and seems to be unique to browsing CNN, although I think it also happened once when looking at a site called statounter dot com. I don't want to go down a rabbit hole of US politics here, but the reports mention CNN and NYTimes primarily, although I believe someone mentioned the site the hill dot com too. Any speculation about whether the choice of these sites is deliberate as CNN and NYTimes are regarded by the right and the Trumpists as biased against Trump? Or is it just simpler to think that CNN and NYTimes have a vulnerability that is exploitable in Safari?
Last edited:
This may be the fix. I'm having the same issue intermittently. So are a lot of people judging from their views. This is updated as of February 29, 2020.
I wouldn't know what to look for in the step by step so am running the Combo Cleaner product the article mentions right now and it says two threats found so far.
macsecurity.net
I wouldn't know what to look for in the step by step so am running the Combo Cleaner product the article mentions right now and it says two threats found so far.
Remove fake Adobe Flash Player update virus from Mac — MacSecurity.net
Learn how to remove Adobe Flash Player update virus from Mac and thereby prevent the browser from being redirected to rogue software installation websites.
macsecurity.net
Happening for me at CNN at 5:40am Sunday (US Pacific Time). I am getting redirected to "gogo.thepowerrangers.com" but only in Safari on a MacBook Pro - even after deleting all CNN cookies.
This is what Combo Cleaner came up with per my post about the fix two messages up (as I write this):
THIS ONE IT SAY IS “SUSPICIOUS” [THOUGH THE LIKELY ISSUE]:
Suspicious system configuration - hijacked Internet browsers
Various browser and system settings override techniques are a sign of an active browser hijacker on your system. Commonly used hijackersL Weknow.ac, safefinder.com and Anysearchmanager.com
THIS ONE IT SAYS IS INFECTED:
In a file for a web page from Sotheby’s I saved as a webarchive it says Type: Virus, Infection Name: JS:Trojan.Cryxos.2424
That was downloaded probably about year ago with no problems until this month so I'd focus on the "SUSPICIOUS" things it notes as our problem.
Malwarebytes (free) and CleanMyMac (free) don’t find ANY of this. I'm running Avast Security (free version) now to see what it says.
THIS ONE IT SAY IS “SUSPICIOUS” [THOUGH THE LIKELY ISSUE]:
Suspicious system configuration - hijacked Internet browsers
Various browser and system settings override techniques are a sign of an active browser hijacker on your system. Commonly used hijackersL Weknow.ac, safefinder.com and Anysearchmanager.com
THIS ONE IT SAYS IS INFECTED:
In a file for a web page from Sotheby’s I saved as a webarchive it says Type: Virus, Infection Name: JS:Trojan.Cryxos.2424
That was downloaded probably about year ago with no problems until this month so I'd focus on the "SUSPICIOUS" things it notes as our problem.
Malwarebytes (free) and CleanMyMac (free) don’t find ANY of this. I'm running Avast Security (free version) now to see what it says.
Attachments
Also not familiar with Avast. I downloaded it, but it won't install on my MacBook Air because I have Sophos installed on it, which did not find any issues.
If you didn't run the installer you won't have any problems. I've been getting that same page you've been seeing. I'm getting it everywhere. I even got it on MacRumors. It's coming from a compromised ad that's being served on one or more major ad networks. Hidden in one of the ads is a redirect script sending you to a shady website. The identity of that shady website keeps changing too.
This happens from time to time and usually continues for a few days to a week before it gets stopped for good. You can report it, but in all likelihood on a site like cnn.com, they either already got the report, know about it, or are trying to do something about it already. The fake update redirect could be coming from numerous ads that are compromised so it may take a while for it to go away.
I don't usually use ad blockers as I want to support the sites I visit, but when this starts happening, I either turn on an ad blocker or I use a program like Little Snitch to approve all of my browser connections. The latter is extremely painful to do as mega sites need dozens of external connections just to load a basic page.
Last edited:
I agree with this point completely, but many of the early posters felt even downloading something and just trashing the file exposed one to risk. Not sure why they think that though ...