I’ve been around long enough to recognize malware when I see it, and I still take lots of precautions to ensure that something doesn’t sneak by (I use OpenDNS, Web of Trust, NoScript, and Ghostery, for example) but a few moments ago, I was almost tricked by a malware site, and if it could happen to me, it could happen to someone who is less paranoid.
So I present this as a warning, a reminder, and a public service.
I thought I was going to youtube.com/geekandsundry to see if our Tabletop gag reel had been posted yet. When I hit return, I saw this:
I haven’t heard of Flash Player Pro, but it looked real, and maybe this was some new stupid thing that I was going to get mad about, with YouTube forcing me to download some new version of software that I didn’t already have.
So that should have been my first warning: YouTube is never going to make it harder for me to get to see the stuff I want to see, because that would make it harder for YouTube to show me ads.
But I’m still waking up, so I clicked “accept and install”, and saw this:
Ah-ha! Evil malware people use .exe files because it’s easier to infect Windows than it is to infect OS X, and I understand that it’s fairly common for people to tick off a box in Windows that allows pretty much anything to install itself. You know, for convenience.
Well, I clicked CANCEL, and tried to figure out how my browser had taken me to this site, and how it had even gotten past all of my defenses to load itself.
It turns out that I’d typed youtuve.com, not youtube.com, and the bad guys had done the rest.
So be careful out there, kids, because not everyone online is a good guy.
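The two warning signs in this story, a one-keystroke typo in the hostname (youtuve.com for youtube.com) and a download served from a host that has nothing to do with the vendor, can both be checked mechanically. The following is an added example, not code from the original post: it generates the common single-keystroke typos of a small allowlist of known domains, flags a typed hostname that matches one (or sits within a small edit distance of one), and checks whether a download URL's host actually belongs to the vendor's registrable domain. The allowlist, the sample hostnames and the helper names are constructed for illustration.

```python
"""Typosquat and download-host checks (added example, not from the original post)."""
from urllib.parse import urlparse

# Constructed allowlist; a real deployment would use the user's own bookmarks or
# a curated list of frequently visited domains.
KNOWN_DOMAINS = ["youtube.com", "wilwheaton.net", "adobe.com", "google.com"]

# Rough QWERTY adjacency: 'b' is next to 'v', which is the youtuve.com typo.
_QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _neighbours(ch):
    """Return the keys immediately left and right of `ch` on a QWERTY row."""
    for row in _QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            out = set()
            if i > 0:
                out.add(row[i - 1])
            if i < len(row) - 1:
                out.add(row[i + 1])
            return out
    return set()


def typo_variants(domain):
    """Single-keystroke typos of the label before the TLD: omission, doubled
    letter, adjacent transposition and adjacent-key substitution."""
    label, _, tld = domain.rpartition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                      # omission
        variants.add(label[:i] + label[i] + label[i:])               # doubled letter
        if i < len(label) - 1:                                       # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for n in _neighbours(label[i]):                              # fat-finger
            variants.add(label[:i] + n + label[i + 1:])
    variants.discard(label)
    return {v + "." + tld for v in variants if v}


def levenshtein(a, b):
    """Plain edit distance; catches typos the generator above does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_host(host, known=KNOWN_DOMAINS, max_distance=2):
    """Classify a typed hostname as ('known', d), ('suspected-typosquat', d)
    or ('unknown', None), where d is the matching allowlisted domain."""
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in known:
        return ("known", host)
    for d in known:                       # exact typo-generator hit is the strongest signal
        if host in typo_variants(d):
            return ("suspected-typosquat", d)
    nearest = min(known, key=lambda d: levenshtein(host, d))
    if levenshtein(host, nearest) <= max_distance:
        return ("suspected-typosquat", nearest)
    return ("unknown", None)


def download_host_matches(url, vendor_domain):
    """True only if the URL's host is the vendor's domain or a subdomain of it.
    A 'Flash Player' installer served from an unrelated .info host fails this."""
    host = (urlparse(url).hostname or "").lower()
    vendor_domain = vendor_domain.lower()
    return host == vendor_domain or host.endswith("." + vendor_domain)


if __name__ == "__main__":
    for h in ["youtube.com", "youtuve.com", "yotube.com", "willwheaton.net", "get.sad234.info"]:
        print(h, "->", check_host(h))
    # Constructed URLs: the first mimics the fake installer host named in the comments.
    print(download_host_matches("http://get.sad234.info/FlashPlayerPro.exe", "adobe.com"))
    print(download_host_matches("https://fpdownload.adobe.com/installer.exe", "adobe.com"))
```

Running the block prints a verdict per hostname: youtuve.com, yotube.com and willwheaton.net all come back as suspected typosquats of their allowlisted neighbour, while get.sad234.info is simply unknown, and the download-host check rejects the .info host for a supposed Adobe installer. The generator is deliberately limited to one keystroke; widening `max_distance` trades false positives for coverage, and a real tool would also normalise IDN homoglyphs, which this example does not attempt.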
Edit: Here’s the gag reel!
52 thoughts on “Be careful — I almost got fooled by malware”
My takeaway from this is that I should expect to see a Tabletop Tokaido gag reel shortly.
Yeah, Wil really buried the lede there.
But that nice Nigerian Prince is cool…right?
Oh yeah! He’s a stand-up guy. I’m going to retire as soon as the money is wired to my account. I’ve already told my boss to f*** himself. Can’t wait!
Me too! We should fly our private jets and meet up! Any day now…any day…
Well, actually I have a deposit down on a nice boat. Only 134′, but it will do for starters. Maybe you can fly to Tahiti for the meet?
I’ve been seeing those everywhere the past few weeks now. Links off reputable sites even bring me to it. It’s getting around that’s for sure.
I’ve seen it, too. Argh.
snicker “…not everyone…” Heh. Almost no one.
“When the son of the deposed king of Nigeria e-mails you directly asking for help, you help!”
(By the way, don’t bother trying to replicate this. The URL has since been bought by the book store Barnes And Noble so you’ll just be taken to BN’s actual website.)
Point of fact: It’s a myth that it’s easier to infect Windows than it is to infect OS X. It’s easier to infect 3rd party applications meant to run on Windows framework than it is to infect OS X – of which there are many, many opportunities, but it is significantly easier to infect the OS X base operating system than it is to do so on Windows.
Source: I’m one of the world’s foremost experts on network and digital security. No, seriously.
Yeah. On this kind of attack, the malware people weren’t using an exe because Windows are easier to infect, but because it’s more likely that any random victim will be using Windows. If they had made a Mac version of their malware, you’d have been just as infected as on Windows, assuming you don’t notice in time.
It doesn’t matter what security any OS has when you can convince the user to let you through the front door.
DownThemAll! … AllYourBaseAreBelongToUs.
Thanks for the warning, Wil.
Just saw this on a PC a few days ago. In that case, they were redirected to the malware from a supposed Facebook video posted by a friend. You would think that this would be something that antivirus would block, but apparently not.
I have seen that same screen pop up due to ads on safe sites being hacked or encoded differently. It is certainly something to keep an eye out for.
Me too! I’ve gone to legitimate blogs, sites, etc and have seen the above malware page. I clicked it, but stopped once I saw the install screen & the URL.
Really? That it was downloading from get.sad234.info wasn’t the red flag to you?
My clues that it was hinky were that I haven’t seen anywhere that Adobe gives away “pro” versions, and the address it wanted to download from. But it’s so easy to not notice this stuff. Thanks for the warning.
The thing anyone should have picked up on here, is “sad234.info”. In no reality would Adobe, or any other developer, send you to such an obviously unrelated site to download anything of theirs.
That’s why I do Linux. I am not going to say that there is no malware, but there is less.
I got trapped by the “Update Your Flash” pop up the other day [obvious malware as I had updated Flash the day before directly from Adobe] – it wouldn’t even let me close my browser and I had to use task manager to do it.
It’s not just URL typos! I’ve seen this exact thing pop up when served by malicious advertisements – often times when visiting otherwise-legitimate web sites.
Even updating legitimate Flash has other crapware with it these days. It says it’s supposed to update automatically so I close the ‘reminder’ popups when they occur.
For many, many, many videos you don’t need Flash on Youtube.
It’s almost as bad as typing an extra “L” in wilwheaton.net
We just got some sort of Russian virus on our work's main server. Almost wiped us out. Thanks for the info, Wil! I will add those links you shared to my weapons cache. 😉
yotube.com used to do it until recently as well.
Fortunately, a nice Nigerian deposed prince warned me about this… 🙂
More seriously, I’ve had this one pop up a few times. Always clicked away on the desktop and closed it down through windows task manager.
I’m usually pretty careful too, but I made an incredibly stupid mistake a few months ago when I meant to install the latest version of Firefox. I went to Google and clicked on the top result. Needless to say, it wasn’t actually the official site and I ended up having to do a system restore. Really kicked myself that time. My new rule: never try to download anything past two in the morning. I’m too sleepy to make good decisions.
On Firefox, help/about, if there is an update available there is a button to install it right there. No googling necessary.
I thought OpenDNS had typo protection built in? Did they get rid of that?
Answering my own question – it looks like OpenDNS removed typo protection back in the summer. Frownface!
They removed the OpenDNS Guide (no longer needing the ad revenue), making themselves RFC compliant, which also removed the typo correction service, as this was just an extension of the guide. Instead they are now blocking known phishing sites, but they still need to become aware of those sites in order to block them.
I’ve actually been taken to that by unscrupulous ads on some otherwise reputable sites. It just means that I’ve given in and am using ad blockers now.
If you use Safari or Chrome you can ignore such things as phishing. At least on the Mac. On Windows, using Chrome, you can also ignore such attempts, as Chrome uses its own Flash variant.
Web of Trust will have given you a stern warning before you got to click on anything on that site...
I work in IT, and I see these kinds of fake updates all the time… it’s really quite sad.
We’re at a low point in the history of computing when you can’t even trust Adobe or Oracle not to install malware along with Reader or Java. And two days ago I downloaded a screen video capture utility to help out a friend and fell for the camouflaged “install something else along with what you wanted” trick. Clicked “Install”, didn’t look directly at the image and was fooled into thinking the click didn’t register. Did one of those things where time goes into slow motion, you tell your body to stop what it’s doing but your mind goes into shock when it realizes it can’t reverse your action in time and watch in horror while something bad happens. In this case, installed a browser hijacker. Normally I don’t use removal utilities and can remove even the worst virus manually in a relatively short time. This time I spent 10 hours and was still stumped. Chrome made it back from zombieland fairly quickly, but IE and Firefox were both still redirected to mystart.vi-view.com (DO NOT CLICK ON THAT OR EVER GO THERE FOLKS!!!!!) on start no matter what I did. Finally resorted to Spybot – Search & Destroy and AdwCleaner and was relieved to have success.
So yeah, even experts can have a weak, distracted moment and suffer from a moment’s inattention. Never let your guard down, and never download or install anything you don’t know everything about, and NEVER let anybody fool you into thinking your device has already been compromised and you need to install something to fix it. That is ALWAYS a scam.
While I’m on my soap box, NEVER, EVER use any of those utilities – even from well-known big names – that claim to automatically solve problems or make your device work better in any way. All they are is an extra layer of crap between your hardware and you. If it has to run constantly to “protect” you then it’s sitting there constantly spinning its wheels, hogging resources and creating conflicts. Any claims they make are outright lies. Don’t fall for it.
Thank you so much for not taking the cheap shot at the PC v Mac debate people love to fuel. I sincerely appreciate the information as a local computer retail/repair salesperson looking out for my average customer. This is definitely something everyone needs to read, even those who think they’re more savvy with a computer than most.
I wonder if this is what my mom is complaining about. I updated her flash from the adobe site last week. After that, a site she visits often told her she needed to update her flash. Now she is complaining that a popup keeps telling her she needs to be signed in as admin to ‘install this program’ every time she turns it on.
That’s why I set up her computer with a limited account for her to use for the web.
If your browser is letting you auto-run .exe on download then it's not doing its job... as far as I know none of the big 3 let you auto-run .exe (or equiv.) on any platform; in fact some stop you from clicking the run button for 3 or so seconds just to make sure you read the box....
but good catching Wil and thanks for the PSA 🙂
Am I just too friday-night-at-work tired to be right or doesn’t youtube default to an HTML5 player rather than flash, pro or otherwise? Either way, it’s well past time for flash to go the way of realplayer and fuck off forever.
You missed using K9 Web Protection. It had the mistyped domain blocked and the malware EXE blocked.
“To get.sad, click here.” I imagine anyone who agrees to get sad would be sad. I wonder what the success rate is for get.happy234.info vis a vis get.sad234.info . Let’s not find out.
Hey Wil, thanks for your warning, buddyro, about malware. If you have any advice for me about other things, let me know.
Thanks for the tips, Wil. I didn’t know about WoT or Ghostery. NoScript doesn’t exist for Chrome, but it turns out the same functionality is built into Chrome itself, so I’ve turned that on as well. Feeling ever so slightly safer.
First, people posting saying that Adobe and Oracle are installing the malware are clueless. Adobe and Oracle are not installing malware; it's other people that want to steal your information or use your computer to commit crimes. They're the ones that are setting up fake sites to download the malware...
Wil, just as an FYI, it's not the type of OS the user has that prevents them from getting malware; it's all on the user, because I have seen whole Mac OS X systems having to be completely wiped and reloaded, and I have seen whole Windows systems come in so clean that it looks like they never touched the Internet. The one OS I never see any malware problems on is Linux, and most likely it's because the Linux community is generally a smarter, more intelligent and insightful breed of people.
I'm not saying that you're wrong about the .exe, just be aware that malware can and will infect any device that has an internet connection, and all they have to do is get on Facebook or any site that has advertisements.
Thank you for sharing about the malware thingy. I am not my wisest when on a computer. It is just a tool for me to play and talk to the people I love, and I do not really understand much about the machine, except I am sure there is a small robot residing somewhere in its bowels that likes to give me a raft of shit and drive me crazy. K
p.s. When is your show coming back on SciFi ? I miss my dose of laughter.