While reading the morning paper on my MacBook Pro, a popup appeared telling me to update to the latest version of Flash Player. I clicked to downloaded the dmg file, and noticed it was downloading from fpsdz.aspirinqueen.win. Needless to say, this does not appear to be an Adobe site so I did not install it. The popup looked very official, and I could find no other reports about downloads from asprinqueen.win, so I assume this is a fairly new fake install dmg.
A page automatically redirected to this fake Flash Update web page.
Go get 'em!
Thanks for the report. I've forwarded along to our Phishing team.
Got another one here, have had a few with drive by downloads but this one just prompted to download the "update"
LINK [link removed]
Thanks for posting the link. It's definitely fake. I'll forward to the fraud team for follow-up. In the future, feel free to report directly to firstname.lastname@example.org
Note: Adobe's North American offices are closed through January 1, 2019. Replies from staff members will be delayed.
Also, we have a team that pursues takedown actions against sites like this.
If you can copy and paste the entire URL from the address bar, and include a screenshot, that gives them the evidence they need to move forward with those things pretty quickly. Those messages are often hidden behind an address with a long random token, and we can't necessarily reproduce them without having the entire address. In general, we need to be able to prove that malicious behavior is happening in order to justify the takedown requests.
I have no idea what the url of the popup was, but the install file that was downloaded is named "Adobe Flash Player.dmg". When I do a "Get Info" on this file, it says the file was downloaded from this url
Oh, that's killer. I totally forgot that you can do that. I'll definitely keep that trick in mind in the future.
Thanks for passing this along!
Well there is something very wrong with The Flash Player. I have had the same thing posted here as well as pop up in the browser that claim my PC has a virus.
I can get rid of the Flash Player, and for weeks on end it is all good. and then either I get the You need to update your flash player which automatically downloads the Bugged Version or I get the Pop up telling me I ave a virus.
It is not just OSX/Mac's but in windows and other Operating systems as well. every web site is not spared. even the National weather service (NWS.NOAA.GOV).
Reformatting only does the same as if I deleted the folder or Bugged Item.
I hope this can be looked into much more and maybe investigated. I have noticed (which Might not be related or have any connection to) that my Yahoo Email account had strange Log Ins from areas in which I was no where near. - I live in the midwest and the l;og ins came from Washington,Dc
Software and operating system-based controls have improved significantly over the last few years, making it extremely difficult to install software without a users' permission.
Human factors are now the path of least resistance. Since Flash Player is ubiquitous, it's the go-to for impersonation. It's way easier to get you to enter your password for a fake update than it is to install something silently without your knowledge.
Furthermore, Adobe has invested massive amounts of engineering resources to ensure that downloads that you get from us are authentic and unmodified. The entire release and build process is tightly controlled and monitored end-to-end. There are technical and procedural checks from multiple disparate teams, and we use cryptographic digital signatures (the keys to which are also tightly controlled) to certify that those builds are authentic. You can actually check binaries to ensure that they're legitimate and from us, should you choose. I'm confident that any installers that you're getting that contain malware aren't from us.
It's definitely possible for an attacker to take a legitimate copy of Flash Player, bundle it with malware and release it, but it won't be signed as coming from Adobe Systems Incorporated, and it won't be served from one of our servers.
Since you're getting malware repeatedly, either you're getting tricked repeatedly by fake update dialogs, you're not really getting rid of the infection in the first place, or you're restoring a backup that's already infected. I'll give you some guidance on how to avoid all of those and get back to a truly pristine state.
Also, it's worth pointing out that the malware guys are smart. We're way past the days of bored kids in basements. Once an attacker has established a foothold on the system, they're going to ensure that the infection is resilient (the bad guys test against all the popular anti-virus and clean products, too), and they also have automatic updates. Virus scanners and cleanup tools are trailing-edge solutions. Hundreds of thousands of malware variants are generated daily. It's a cat-and-mouse game, but the attackers have the edge if they can keep ahead of the anti-virus guys.
So, it's pretty likely that any clean-up effort you've taken has been incomplete. You may have dealt with the visible symptoms, but unless you're really going to do a comprehensive forensic analysis of the system, there are no guarantees.
Given the amount of headache you've had so far, if it were me, I would go very methodically, burning the entire system down, starting from pristine sources and removing any candidates for persistent infection vectors.
Here's what I'd recommend:
That should get you back to a state where you can really trust the machine again.
Once you're there, then it's important to avoid future infections.
If you want to get really fancy, you can always verify that an application has been digitally signed. On MacOS, you can also look to see where a file was downloaded from, by looking at the file File Info. Similar techniques exist for Windows as well. They're a little involved, and a quick google for "Validating code signatures for <insert operating system>" will probably serve you well. Personally, just enabling automatic updates is a whole lot easier.
This general advice holds true for your other machines as well. There's a reason that when we teach people how to compromise machines, we start them out on WinXP and Vista. If you have aging operating systems running on your network, it's a good time to give some serious thought to retiring them. Run a modern operating system, keep it patched, and if it's been infected, just burn the thing down and start from pristine sources.
In the event that you run into a malicious installer or installation dialog, we have a team that pursues action against those sites. If you can grab a screenshot and the full URL of the download or the update window, just shoot an email to email@example.com or firstname.lastname@example.org, and we'll be happy to pursue a takedown on those.
Well I can say for sure I am not being tricked, it seems to automatically download it even if I destroy the folder so far it has been one full day. I have formatted my PC 3 times in the last 4 month's so, I do know that it seems to happen more when I Have MS updates.
I will have to check the firm ware on the router, that could be, but Cough we have Three router's all running into each other. I mean maybe that is the problem?we have had some people somehow getting into our WiFi and using it at night just by parking outside our house. so that is why we have Three of them., thogh that may actually be where the issue is. too many router's. could that be?
Here's the thing. Windows Update isn't sending you viruses. Neither is Adobe. Furthermore, the auto-update mechanisms employed by both companies use cryptographic checks at multiple places to ensure that nobody is substituting out auto-update payloads on the fly. They're heavily scrutinized. Also, correlation is not causation.
The bottom line is that it sounds like you have a big mess on your hands.
You've had a malware infection and one more more of your machines is compromised. What's worse, is that your machines regularly get reinfected.
That's not normal.
You're either not getting the infection cleaned up in the first place, or you're doing something to reinfect yourself repeatedly.
The fact that someone sitting on the street can get on your network seems problematic.
The fact that you have three routers isn't magically going to make your machines be infected with malware. If one or more of those routers is compromised, it may be able to redirect requests to sites that are malicious. This means that you might be encountering opportunities to infect yourself more frequently than the average person. If you're not keeping your machines patched, it's pretty easy to just park in front of your house and let a script run to scan for and infect everything vulnerable on the network. It doesn't even take skill.
You're either going to need to pay someone to come clean it all up, or you're going to have to get really serious and just take everything off the network, pick a machine, hook it directly to your cable modem or whatever, and get it into a known-good state. Once you have one trusted piece of hardware, then you get to go through every single thing, one at a time, and make sure it's clean and trusted before you stick it on a network with anything else.
If you don't go through the tedious, methodical process, there's no guarantee that you'll ever get it cleaned up.
There's also good reason to look at your habits. Cleaning things up and getting (and keeping) them current is a crucial first step. Keeping your network malware free comes down to all those little decisions where you have to choose between security and convenience/cost.
Constant problem in last few months. Tried all the recommended deletions, ended up messing up my Adobe DC installation. Final installed Adobe Flash from Adobe website, then a few minutes later got the message that I have lots of viruses. Hope adobe can do something about this, or Apple, it seems more frequent on Safari. I am going to try switching to firefox, see what happens. Here is the latest link that I just received
Dangerous link removed... Moderator
This is the ONLY link to Get Flash Player https://get.adobe.com/flashplayer
I have also experienced this on my Mac recently. I'm fairly tech savvy and don't know how I was redirected to this site, but nonetheless the fake update .dmg file was downloaded automatically. I deleted the file without mounting the disk image so I imagine that I am safe, but I wanted to put the website URL as well as the download URL out there so Adobe can possibly help get this taken down.
The website URL with the fake update notification: [link removed]
Here is a screen shot of the landing page with the bogus update notification:
Since I deleted the .dmg without mounting I imagine I am in the clear, but is there anything I should be concerned about on my end? Thanks!
It sounds like you did the right thing (noticing that the download was bogus and deleting it), and it's extremely unlikely that just downloading the file did any harm to the system.
The reason that this kind of approach is so prevalent is because the browsers, operating system and Flash Player have made it very difficult to take control of the system without your explicit permission (i.e. you need to enter your password to install software, etc.). It's far easier to trick someone into giving explicit permission to install malware than it is to silently install it.
Following best practices like running a reputable anti-virus program, and making sure that you have automatic updates enabled for the OS, browser and Flash Player is always wise, even on Mac.
Thank you for the help. I also sent the details along to the email@example.com email address as well. Everything seems just fine with the computer so far. Nothing was installed so I'm not too worried about it about it. The more worrisome thing is why I served the bogus ad on a new computer, on my home network. I get some random redirects at times on my mobile devices (via the cellular network) but never really on my home network. Kind of weird. Just wanted to add my two cents to this thread.
In general, it's usually an issue where an attacker managed to insert malicious code on the content provider's page. Examples would be things like sneaking a malicious banner ad on to an ad distribution network, or maybe figuring out how to insert code into the comments on a page, where they're actually allowed to get executed.
There's an interesting class of attack that targets home routers with a particular vulnerability, which allows attackers to store and execute code in the router's memory. This kind of vulnerability doesn't survive a reboot, so you could just unplug the router and plug it back in to temporarily solve the issue. Then you could just make sure that you have the latest firmware installed on your router to prevent future infection. Those kinds of vulnerabilities typically get used to insert similar fake update notifications into otherwise reputable webpages.
The important part here is that you just shouldn't trust links on webpages that tell you to update. If you think you need an update, go google for it and find an authoritative link from the software vendor (or use the app store, where applicable). If you set your stuff to update automatically (which we'd highly recommend), then you can be pretty confident that any update notifications should be ignored (for software that you've set to automatically update).
That's an Adobe link, but to a very specific download. It's taking you to the Flash Player variant for Firefox.
You can always go here from the browser you want to use Flash Player on and we'll serve you the right download or tell you that it's built-in, etc:
Hmm. I don’t use Firefox.
I use chrome and thought flash player updates automatically with chrome. Yes?