
flowrider

macrumors 604
Nov 23, 2012
7,321
3,003

Fishrrman

macrumors Penryn
Feb 20, 2009
29,243
13,317
OP:

Sounds like it's time to:
- Boot to internet recovery
- ERASE the internal drive -- COMPLETELY
- RE-install a "known clean copy" of the OS
and finally
- Restore from an OLDER backup, if you have one. Preferably only your apps and user data.
 

jtara

macrumors 68020
Mar 23, 2009
2,008
536
I continue to get ads on the CNN iPad app that display some Javascript source code. One just now was a Google ad and I reported it. They only give you a drop-down choice so I chose “ad covers content”, which isn’t quite right. Well, it is quite lengthy but technically doesn’t cover content.

The code is unremarkable; it is a minified JS framework. Didn’t scroll down to try to see what else!

May or may not be related to the Flash downloader stuff being seen by others.
 

smirking

macrumors 68040
Aug 31, 2003
3,942
4,009
Silicon Valley
- Boot to internet recovery
- ERASE the internal drive -- COMPLETELY
- RE-install a "known clean copy" of the OS
and finally
- Restore from an OLDER backup, if you have one. Preferably only your apps and user data.

What on earth are you talking about? Are you sure you're posting to the right thread? Her machine is fine. She didn't install anything. She just downloaded a malware installer and deleted it after downloading.

If the payload was somehow delivered through an actual macOS notification prompt, it could be another story, but it was a download made through a Web page made to look like it was an official update notification.
 

BohemianSF

macrumors newbie
Mar 1, 2020
6
2
Search for browser redirect Safari.

The problem isn't with CNN. It works fine with another browser. The issue is what's in your copy of safari right now.

Apparently this is common and I see it's been going on for years, and yet have had Malwarebytes and Clean My Mac X show nothing wrong. Even the full trial version of Malwarebytes found nothing.

As of right now I am no longer having the problem with Safari and CNN, but it can come and go, I read.

Here's what I found helpful so far.


I didn't download the software they talked about and try that, but I did get rid of the cookies and made other changes in Safari preferences, and I also read the issue can still be in your caches, so I clicked Develop on the Safari menu and then Empty Caches.

I also read somewhere the order of how you do these things matters.

I also did this stuff with Clean My Mac X and it said it didn't find any malware, but after messing around for a couple of hours this morning, so far I don't have the issue anymore.

Again, search for browser redirect Safari. That's the issue, and you may come across some fixes.
 

bogdanw

macrumors 603
Mar 10, 2009
6,119
3,031
(image: use a content blocker.jpg)
 

jerwin

Suspended
Jun 13, 2015
2,895
4,652
I've encountered the install flash drive by downloader several times before-- and gogo [fullstop] thepowerrangers [fullstop] com appeared in the logs. Might be some weird ad campaign. Popped up during a "words with friends" endgame, too, though I don't know whether that was "powerrangers" related. Had to install ghostery just to finish the game. And now, I think I'm done with zynga...

(No, I'm not in the powerrangers demographic. Have no reason to see the ad, so I don't care if it's a nostalgia play or something even less savory.)
 

dsemf

macrumors 6502
Jul 26, 2014
441
114
I agree with this point completely, but many of the early posters felt even downloading something and just trashing the file exposed one to risk. Not sure why they think that though ...
If "Open Safe Files" is enabled then the risk is there. There is no such thing as a safe file.

DS
 

Gasu E.

macrumors 603
Mar 20, 2004
5,089
3,207
Not far from Boston, MA.
Safari Version 13.1 (15609.1.15.3.11) has all of a sudden requested that I update Flash, but only when I visit CNN dot com. No other websites seem to provoke this behavior. MalwareBytes and Sophos do not detect any malicious activity, but the website in question is clearly NOT Adobe. I will try to determine the URL. What kind of malware have I inadvertently picked up? Why CNN and only CNN for now? BTW, CNN seems to work fine on Chrome. This issue seems particular to Safari. In addition, the problem has persisted after restarting Safari and also restarting this Mac running 10.15.4 Beta (19E224g).

I suddenly got the same problem this week. Except it was just the NYTimes site. But today, I also tried CNN, and same problem. Just those very specific sites, and just Safari. Also, Malwarebytes and Sophos didn't detect a problem either. Also not a problem on Chrome.
 

smirking

macrumors 68040
Aug 31, 2003
3,942
4,009
Silicon Valley
I suddenly got the same problem this week. Except it was just the NYTimes site. But today, I also tried CNN, and same problem. Just those very specific sites, and just Safari. Also, Malwarebytes and Sophos didn't detect a problem either. Also not a problem on Chrome.

Unless you downloaded AND installed the fake Flash player update, you are fine.

What's happening here is that you're being served browser redirects via a compromised ad that's being served by a major ad network. It will happen intermittently as the affected ad(s) are served and it will happen on any site that carries that ad network. News sites run lots of ad networks to monetize their traffic, so not surprisingly you're most likely to run into this on news sites. It also happened to me on MacRumors.

This issue also takes days to weeks for the ad networks to shut down because it's not always easy to figure out exactly how the redirect is getting into the network. What you see is a typical pattern. It happens like crazy for a day or two followed by a return to normal and then it comes back. This is the back and forth that goes on when the ad network is trying to isolate the breaches and deal with them.

This seems to only be affecting Safari. I can't say for sure why that would be, but I would suspect that because they're trying to deliver a Mac malware payload, it makes the most sense to only serve the attack when it detects that you're using Safari. Serving it to Chrome users would bring this up with mostly Windows users and because this isn't a very subtle attack, it's very easy to be detected and nullified so not wasting their opportunities trying to lure PC users would make sense.

If you didn't install anything, you're not infected.
As of right now I am no longer having the problem with Safari and CNN, but it can come and go, I read.

The reason why you're no longer having the problem is because the compromised ads have been blocked by whatever ad network that was serving them. Nothing you did to your computer actually did a thing.

It usually takes them some time to get this fully under control so don't be surprised if it flares up again only to go away and come back again. It doesn't mean you have anything wrong with your computer or browser.

This appears to only be targeting Safari so you can simply use another browser for a week or you can run an ad blocker for a week until it blows over. Unless you actually downloaded AND installed the package, you're fine.
 

jtara

macrumors 68020
Mar 23, 2009
2,008
536
I think they cast their net too widely. I think they are targeting Safari broadly without filtering out iPhone/iPad, where Flash is not a thing.

Why I get a display of Javascript source code on iPad I dunno. These ads may not be the “flash installer” ads but sure seem suspicious AF. Not something I have ever seen before in the iPhone/iPad CNN app.

Best guess is the CNN backend or workflow has some filter that escapes Javascript code in some part of an ad’s source where it is not allowed, but only if serving to the iOS app.

Why would they escape rather than just reject? I dunno.
 

smirking

macrumors 68040
Aug 31, 2003
3,942
4,009
Silicon Valley
Best guess is the CNN backend or workflow has some filter that escapes Javascript code in some part of an ad’s source where it is not allowed, but only if serving to the iOS app.

Why would they escape rather than just reject? I dunno.

It's not passing through CNN at all. It's coming through one of the ads carried on the page. I haven't been able to figure out which ad network it's coming over or if it might be coming over more than one.

Sites that are serving ads from the compromised ad network can't actually do anything about this short of ripping all code for that ad network out of their sites. They can only elect to not serve certain ads or ads from a certain advertiser to stop the influx of compromised ads, but that's a game of whack-a-mole until the ad network fixes whatever hole is being used to sneak in exploit code.
 

smirking

macrumors 68040
Aug 31, 2003
3,942
4,009
Silicon Valley
The ad network that appears to be serving up the redirects is DoubleClick. That's used far and wide so you're going to see this on a lot of major sites that serve lots of ads.

If you use Little Snitch, block all outbound Safari traffic to g.doubleclick.net and this issue will stop.
 

smirking

macrumors 68040
Aug 31, 2003
3,942
4,009
Silicon Valley
(No, I'm not in the powerrangers demographic. Have no reason to see the ad, so I don't care if it's a nostalgia play or something even less savory.)

I got the gogo-thepowerrangers-com domain too (in addition to some other ones). The domain has no relation to anything. It may even be an abandoned hacked website.

Whatever is hijacking the ad is also putting you through at least one additional redirect before you are delivered to the malware payload download page with the phony Adobe Flash download prompt. If you have logs you'll see at least one other domain that you're passing through before you end up at that power rangers domain.
 

BohemianSF

macrumors newbie
Mar 1, 2020
6
2
THE FIX:

For anyone reading this to fix this issue, scroll up and look for my other posts about it. Something in that mix worked. I haven't had the issue at all in days.
 

smirking

macrumors 68040
Aug 31, 2003
3,942
4,009
Silicon Valley
For anyone reading this to fix this issue, scroll up and look for my other posts about it. Something in that mix worked. I haven't had the issue at all in days.

Those things you did didn’t do anything. The reason why the redirect stopped is because the source of the redirect in Doubleclick’s advertising network was finally plugged up. If it wasn’t you’ll start seeing it again at any moment.
 

dallastigers

macrumors regular
Jun 23, 2003
103
20
TX
The ad network that appears to be serving up the redirects is DoubleClick. That's used far and wide so you're going to see this on a lot of major sites that serve lots of ads.

If you use Little Snitch, block all outbound Safari traffic to g.doubleclick.net and this issue will stop.

Isn't DoubleClick connected to Google?

Also does Little Snitch work with Catalina without having to override Default security (besides not being purchased from App Store) or giving full disk access?

Several apps I have downloaded outside of app stores at least attempt to get full access without a prompt (might be because I have security settings needing a password), and even though I don't approve, they still seem to at least add files to the system I didn't think they would be able to add. Edge put some stuff in multiple places without an included uninstaller. It also had 1 or 2 helper programs not sandboxed along with the app itself. The Firefox app is also not sandboxed, being a download outside the App Store like Edge, but I haven't seen any of its helpers running that haven't been sandboxed yet.
 

BohemianSF

macrumors newbie
Mar 1, 2020
6
2
Those things you did didn’t do anything. The reason why the redirect stopped is because the source of the redirect in Doubleclick’s advertising network was finally plugged up. If it wasn’t you’ll start seeing it again at any moment.

A. I don't think you read anything I wrote or tried it. B. It stopped when I took the time to do all that -- I guess it was just a coincidence. C. You sure are rude and condescending. I doubt you'd be this much of an ass to anyone in person, but so be it. D. I thank you for reminding me how lucky I am to have the parents I did to raise me to never act as you do.
 

smirking

macrumors 68040
Aug 31, 2003
3,942
4,009
Silicon Valley
I doubt you'd be this much of an ass to anyone in person, but so be it. D. I thank you for reminding me how lucky I am to have the parents I did to raise me to never act as you do.

Excuse me, did I call you names as you're doing to me right now? How is that an example of the better parenting that you got?

I apologize for not taking the time to respond more gently, but I don't believe I said anything offensive. I will completely own up that I shouldn't have said that the things you did didn't work because it very well could have worked in your case.

However, some of the resources you linked to were not reputable and could potentially be harmful if other people tried those fixes. That's why I was so quick to push back on it.

I'm a Web developer. I also run servers. I live and breathe this kind of stuff. Redirect scripts are primitive and it's not terribly hard to write an injection script that redirects your browser to any site desired.

Redirect scripts being snuck into DoubleClick ads have been around for years. Like all things security related, the issue gets fixed, but the bad guys eventually figure out another way of sneaking an exploit in. You'll see it again and you might even see it soon.
 

smirking

macrumors 68040
Aug 31, 2003
3,942
4,009
Silicon Valley
Isn't DoubleClick connected to Google?

Yeah. Google bought them years ago. I'm really not sure why they can't get a handle on it and why it takes them so long to do something about it every time it happens, except to say that the modern Web is far more complex than most people can imagine and nothing is as simple as it looks.

Also does Little Snitch work with Catalina without having to override Default security (besides not being purchased from App Store) or giving full disk access?

I'm not on Catalina yet so I don't know if it needs to override any default security settings and it has been a long time since I installed it so I can't even recall if it does it on Mojave. I can confirm that it doesn't need full disk access though. It's a network monitor. It just observes every incoming and outgoing connection that's initiated. It doesn't care at all what the disk is doing.

That said, I can't really recommend Little Snitch if your goal is to just have some peace of mind and not have to think too hard about what your computer is doing. It's quite a laborious tool to be using and I actually turn it off except for when I'm trying to identify a suspicious process. Most people will likely just get overwhelmed with the options and change the settings to the point that they're basically useless.

If you just want to get a quick look at how many other sources you're actually connecting with when you connect to a website, you can easily do that in any browser. In Safari, you activate Developer Mode, and "Show Web Inspector" from the Develop menu. That will yield a window like the screenshot below. Selecting the highlighted options and then reloading the page will give you a readout of every connection used in rendering that page.

Little Snitch does this in a more controlled manner and allows you to take control over which endpoints are allowed to receive information, but it's overwhelming to use as an everyday privacy tool.

(screenshot: Capto_Capture 2020-03-07_02-02-17_AM.jpg)
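The redirect chain smirking describes (ad network, at least one extra hop, then the phony Flash download page) and the per-page connection list Web Inspector gives, as an added example that is not code from the thread: it rebuilds chains from constructed Referer/Location entries and flags hops that leave the ad network for a host unrelated to the page. Every hostname other than g.doubleclick.net, and the "flash"/"adobe" hint words, are assumptions.

```python
# Added example (not code from the thread): rebuild the redirect chain the
# post describes (page -> ad network -> redirector -> fake Flash page) from
# Referer/Location headers as shown in Safari's Web Inspector network list.
from urllib.parse import urlparse

AD_NETWORK_HOSTS = {"g.doubleclick.net"}   # ad host named in the thread
FLASH_HINTS = ("flash", "adobe")           # assumed words in fake-updater URLs

# Constructed sample log: (requested URL, Referer, HTTP status, Location).
# Third-party names use the reserved .test TLD; they are not real sites.
SAMPLE_LOG = [
    ("https://news.example.test/article", "", 200, ""),
    ("https://g.doubleclick.net/pagead/ads?id=1", "https://news.example.test/article", 200, ""),
    ("https://creative.adcdn.test/ad.js", "https://g.doubleclick.net/pagead/ads?id=1", 200, ""),
    ("https://hop.redirector.test/go", "https://g.doubleclick.net/pagead/ads?id=1", 302,
     "https://gogo.fakeupdate.test/flash-player-update"),
    ("https://gogo.fakeupdate.test/flash-player-update", "https://hop.redirector.test/go", 200, ""),
    ("https://static.example.test/site.css", "https://news.example.test/article", 200, ""),
]

def host_of(url):
    return urlparse(url).hostname or ""

def build_chain(url, by_url):
    """Follow Referer headers back to the page that started the request."""
    chain, seen = [url], {url}
    while True:
        ref = by_url.get(chain[-1], ("", 0, ""))[0]
        if not ref or ref in seen:      # top of the chain, or a referer loop
            break
        chain.append(ref)
        seen.add(ref)
    return chain[::-1]

def find_ad_redirects(log):
    """Return 3xx hops reached via an ad host that lead to an unrelated host."""
    by_url = {u: (ref, status, loc) for u, ref, status, loc in log}
    hits = []
    for url, _ref, status, loc in log:
        if not (300 <= status < 400 and loc):
            continue
        chain = build_chain(url, by_url)
        via_ad = any(host_of(u) in AD_NETWORK_HOSTS for u in chain)
        dest = host_of(loc)
        if via_ad and dest not in AD_NETWORK_HOSTS and dest != host_of(chain[0]):
            hits.append({"chain": chain + [loc],
                         "fake_flash": any(w in loc.lower() for w in FLASH_HINTS)})
    return hits
```

Calling find_ad_redirects(SAMPLE_LOG) returns the single flagged chain from the news page through g.doubleclick.net and the redirector to the fake update page; a log exported from Web Inspector can be fed in the same tuple shape.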
 