Participant
April 12, 2018
Question

Beware of fake Flash Player update on OSX


While reading the morning paper on my MacBook Pro, a popup appeared telling me to update to the latest version of Flash Player.  I clicked to download the dmg file, and noticed it was downloading from fpsdz.aspirinqueen.win.   Needless to say, this does not appear to be an Adobe site so I did not install it.   The popup looked very official, and I could find no other reports about downloads from aspirinqueen.win, so I assume this is a fairly new fake install dmg.


jeromiec83223024
Community Manager
January 22, 2019

This thread has gone circular, and I'm going to lock it.

If you've encountered a site offering fake Flash Player downloads, please send a screenshot and a full copy of the URL(s) involved to phishing@adobe.com.

Our phishing team will follow up with appropriate actions on the website side of things.  In general, it's better to avoid posting malicious links to the forums.  We don't want anyone accidentally clicking them, and the more sophisticated delivery mechanisms engineer the URLs for one-time use (it's hard to serve a takedown notice if you can't show someone that the URL is delivering malware).

The US Federal Trade Commission has some good advice on avoiding malware in general:

https://www.consumer.ftc.gov/articles/0011-malware

https://support.microsoft.com/en-us/kb/129972

Here's the advice that I typically share with people that were either tricked into installing malware, or are seeing fake update notifications, but haven't been lured into actually running those installers:

Unfortunately, because Flash Player is installed on billions of computers, it's a common target for impersonation for people distributing malware.

As an industry, we've done a pretty good job of defending against technical attacks that allow bad guys to install software without your authorization.  In 2018, it's really difficult to do (assuming you're running a modern operating system and not something from 2005, in which case, you should get on that).

The result is that human factors are now the path of least resistance.  It's easier to trick you into installing something on behalf of the attacker, vs. figuring out how to defeat all of the security stuff required to do it without your express permission.

In general, you're better off setting everything to update automatically.  You can then go through life assuming that any update notifications you get are bogus.  This is actually what we strongly recommend, and it generally applies to anything tasked with handling untrusted communication (the operating system, your web browser, flash player, etc.).  The inconvenience of something functional breaking because of an update pales in comparison to the pain of recovering from identity theft.

Here are a few guidelines that will minimize your risk of getting tricked into installing malware:

- Wherever possible, use your operating system's App Store for downloading and updating software

- When software you want (like Flash Player) isn't available from the App Store for your operating system, always navigate directly to the vendor's website.  If you need to search for the download, that's cool -- but avoid "download" sites, and find the vendor's actual download link

- Never download stuff from a link in an email or update dialog.  Type it in.  It's easy to disguise fake URLs in links using internationalized characters and things (e is not the same as è, but it might be really easy to miss if you're not looking closely).  If it's a link from a URL shortener service like tinyurl.com/abcde or bit.ly/abcde, you don't know what the end result is going to be, and you're probably wise to just head to Google to find what you need instead.

- When the software offers automatic updates, just turn them on and stop worrying about maintaining all the moving parts running on your computer.  The threat landscape is so much different than it was 10-15 years ago.  Enable updates so that you're getting critical patches as soon as they become available.  Be confident that any subsequent update notifications are probably fake, and act accordingly (either ignore them, or consult the vendor for guidance before doing anything).

For Flash Player specifically:

Always download Flash Player from here:  https://get.adobe.com/flashplayer/

When you install, choose the default option of "Allow Adobe to Install Updates (recommended)", and we'll keep it updated for you.

Google Chrome ships Flash Player as a built-in component, and keeps it updated automatically.  There's nothing separate to download, install or configure.

Microsoft Edge and Internet Explorer on Windows 8 and higher also include Flash Player as a built-in component of their browser, and updates are handled automatically through Windows Update.  Again, as long as Windows Update is enabled, there's nothing to download or configure.

If you've actually installed malware on your machine:  

There is a large universe of unknown unknowns, but the important thing to know is that malware authors at this point are professionals.  They test against popular antivirus and cleanup tools.  Good malware is going to first establish a foothold, but the second order of business would be to ensure resilience.  If you've run cleanup tools and have removed the obvious visible signs of the malware infection, that may be adequate, but you're putting a lot of faith into the efficacy of those tools.  In most situations, it's difficult to determine whether or not you've eradicated everything that was installed, and you should weigh those risks carefully.  Without significant expertise, and/or an exhaustive and expensive forensic analysis, there are no guarantees.

If it were me, I'd probably back up all of the critical data on the machine and then burn the whole thing down and start from scratch (i.e. format the hard disk, reinstall the operating system and applications from pristine sources, install a reputable antivirus utility, scan my backups and then restore them).  I'd then go buy a password manager like LastPass/OnePass/KeyPass/etc. and set about ensuring that I have unique, strong passwords for each of the important online services that I use (including any email services that could be used to reset those passwords), and set up two-factor authentication wherever it's offered.
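The link-hygiene rules in the guidelines above (go to the vendor's own site, distrust lookalike hostnames built from internationalized characters, distrust URL shorteners) can be applied mechanically before a download is trusted. The script below is an added example, not code from Adobe or from anyone in this thread. The vendor allowlist and the shortener list are assumptions; the sample links are constructed, except that one reuses the hostname reported at the top of the thread (its path is made up) and one is the real Adobe download page the thread names.

```python
# Added example (not Adobe's code, not from the forum): apply the link-hygiene
# rules above to a download URL before trusting it. The vendor allowlist and
# shortener list are assumptions for this example; extend them for your own use.
import unicodedata
from urllib.parse import urlsplit

TRUSTED_VENDOR_HOSTS = {"adobe.com", "apple.com", "microsoft.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def is_under(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it. A plain substring
    test would wrongly accept 'adobe.com.evil.example'; this does not."""
    return host == domain or host.endswith("." + domain)


def lookalike_findings(host: str) -> list[str]:
    """Report hostname labels that rely on internationalized characters
    (e vs. è) or arrive already punycode-encoded (xn--...)."""
    findings = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                shown = label.encode("ascii").decode("idna")
            except (UnicodeError, ValueError):
                shown = "?"
            findings.append(f"punycode label {label!r} would display as {shown!r}")
            continue
        for ch in label:
            if ord(ch) > 127:
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append(f"non-ASCII {ch!r} ({name}) in label {label!r}")
    return findings


def assess_download_url(url: str, claimed_vendor: str) -> dict:
    """Return {'verdict': 'ok'|'reject', 'reasons': [...]} for a download link.
    claimed_vendor is the domain the update dialog claims to speak for."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return {"verdict": "reject", "reasons": ["URL cannot be parsed"]}
    host = (parts.hostname or "").lower()
    if not host:
        return {"verdict": "reject", "reasons": ["URL has no hostname"]}
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append(f"scheme {parts.scheme!r} is not https")
    reasons.extend(lookalike_findings(host))
    if any(is_under(host, s) for s in URL_SHORTENERS):
        reasons.append(f"{host} is a URL shortener; the real destination is hidden")
    if not is_under(host, claimed_vendor):
        reasons.append(f"{host!r} is not under the claimed vendor domain {claimed_vendor!r}")
    if not any(is_under(host, v) for v in TRUSTED_VENDOR_HOSTS):
        reasons.append(f"{host!r} is not on the vendor allowlist")
    return {"verdict": "reject" if reasons else "ok", "reasons": reasons}


# Constructed sample links. The first is the real Adobe download page named in
# the thread; the second uses the hostname reported at the top of the thread
# with a made-up path; the rest are made up to show each rule firing.
SAMPLE_LINKS = [
    "https://get.adobe.com/flashplayer/",
    "http://fpsdz.aspirinqueen.win/Adobe%20Flash%20Player.dmg",
    "https://adobè.com/flashplayer/",
    "https://xn--adob-8oa.com/flashplayer/",
    "https://adobe.com.evil.example/flashplayer/",
    "https://bit.ly/abcde",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = assess_download_url(link, "adobe.com")
        print(f"{result['verdict']:6}  {link}")
        for reason in result["reasons"]:
            print(f"        - {reason}")
```

The suffix test in `is_under` is the part people most often get wrong: checking whether "adobe.com" appears anywhere in the hostname accepts `adobe.com.evil.example`, which is exactly the shape a lookalike takes. Every verdict also carries its reasons, so the script is usable as the evidence the phishing team asks for when reporting a link.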

Legend
January 22, 2019

Please bear in mind that a fake update notification doesn't mean YOU are infected. It means the WEB SITE is infected. Ignore the message, and don't go to that site again.

Participant
December 29, 2018

If this "fake" flash update has been installed, what to do?

[link removed]

Legend
December 29, 2018

The Flash might be perfectly fine, or not, but the fake will have installed all sorts of other things, from unwanted advertising to apps that steal your credit card and personal info, or threaten blackmail. Do not use the computer! Best to wipe the computer and start over. This will lose EVERYTHING on it, but if you have good backups you can use them. If this sounds too much for you seek professional advice on the computer now.

Participant
August 15, 2018

Is this real or fake?

I have Windows 10 and Chrome

Adobe - Install Adobe Flash Player

jeromiec83223024
Community Manager
August 15, 2018

That's an Adobe link, but to a very specific download.  It's taking you to the Flash Player variant for Firefox.

You can always go here from the browser you want to use Flash Player on and we'll serve you the right download or tell you that it's built-in, etc:

https://get.adobe.com/flashplayer/

Participant
August 15, 2018

There *is* a notification option for updates that would cause a dedicated window to open and encourage you to update.  It's not the default option, and we don't recommend it -- specifically because bad actors target users through update notifications.  Using a pop-up window in the web browser is usually the method preferred by bad actors, although modern browsers do a good job of restricting pop-up windows for the most part.

If you go to Control Panel > Flash Player > Updates and you see "Notify me to install updates" is selected, that would confirm that your system is configured to show those legitimate update dialogs.  The link you shared was a real link, so that would make sense.  If you primarily use Chrome, but you installed Flash Player for Firefox (or maybe for Adobe Acrobat) at some point, that would explain why you're getting the pop-up notification to update the NPAPI Flash Player variant.

Instead of trusting the pop-up, you can just initiate the update from the control panel by choosing "Install Now", which would allow you to avoid interacting with any pop-ups.  The update screen will also enumerate a list of the Flash Player variants you have installed and their versions.  We shipped an update yesterday, so the current version is 30.0.0.154.

I'd also highly recommend just setting that update preference to "Allow Adobe to install updates...", so that you're not wondering about whether your Flash Player is current, and/or if a pop-up dialog is legitimate.


Then I get this after I click on the grey Flash puzzle piece. Doesn't look good. Should I continue?

On Wed, Aug 15, 2018 at 1:20 PM jeromiec83223024 <forums_noreply@adobe.com>

michaelryan55
Participant
April 25, 2018

I have also experienced this on my Mac recently. I'm fairly tech savvy and don't know how I was redirected to this site, but nonetheless the fake update .dmg file was downloaded automatically. I deleted the file without mounting the disk image so I imagine that I am safe, but I wanted to put the website URL as well as the download URL out there so Adobe can possibly help get this taken down.

The website URL with the fake update notification: [link removed]

If I look in the Finder the download details for the .dmg file also shows [link removed]

Here is a screen shot of the landing page with the bogus update notification:

Since I deleted the .dmg without mounting I imagine I am in the clear, but is there anything I should be concerned about on my end? Thanks!

_maria_
Community Manager
April 25, 2018

Thank you.  I have forwarded the information to the appropriate team.  In the future, feel free to report directly to phishing@adobe.com or abuse@adobe.com

justinl87221205
Participant
April 13, 2018

Well there is something very wrong with The Flash Player. I have had the same thing posted here as well as pop up in the browser that claim my PC has a virus.

I can get rid of the Flash Player, and for weeks on end it is all good, and then either I get the "You need to update your flash player" which automatically downloads the bugged version, or I get the pop-up telling me I have a virus.

It is not just OSX/Macs but Windows and other operating systems as well. No web site is spared, even the National Weather Service (NWS.NOAA.GOV).

Reformatting only does the same as if I deleted the folder or Bugged Item.

I hope this can be looked into much more and maybe investigated. I have noticed (which might not be related or have any connection to it) that my Yahoo email account had strange log-ins from areas I was nowhere near. I live in the Midwest and the log-ins came from Washington, DC.

jeromiec83223024
Community Manager
April 13, 2018

Software and operating system-based controls have improved significantly over the last few years, making it extremely difficult to install software without a user's permission.

Human factors are now the path of least resistance.  Since Flash Player is ubiquitous, it's the go-to for impersonation.  It's way easier to get you to enter your password for a fake update than it is to install something silently without your knowledge.

Furthermore, Adobe has invested massive amounts of engineering resources to ensure that downloads that you get from us are authentic and unmodified.  The entire release and build process is tightly controlled and monitored end-to-end.  There are technical and procedural checks from multiple disparate teams, and we use cryptographic digital signatures (the keys to which are also tightly controlled) to certify that those builds are authentic.  You can actually check binaries to ensure that they're legitimate and from us, should you choose.  I'm confident that any installers that you're getting that contain malware aren't from us.

It's definitely possible for an attacker to take a legitimate copy of Flash Player, bundle it with malware and release it, but it won't be signed as coming from Adobe Systems Incorporated, and it won't be served from one of our servers.

Since you're getting malware repeatedly, either you're getting tricked repeatedly by fake update dialogs, you're not really getting rid of the infection in the first place, or you're restoring a backup that's already infected.  I'll give you some guidance on how to avoid all of those and get back to a truly pristine state.

Also, it's worth pointing out that the malware guys are smart.  We're way past the days of bored kids in basements.  Once an attacker has established a foothold on the system, they're going to ensure that the infection is resilient (the bad guys test against all the popular anti-virus and clean products, too), and they also have automatic updates.  Virus scanners and cleanup tools are trailing-edge solutions.  Hundreds of thousands of malware variants are generated daily.  It's a cat-and-mouse game, but the attackers have the edge if they can keep ahead of the anti-virus guys.

So, it's pretty likely that any clean-up effort you've taken has been incomplete.  You may have dealt with the visible symptoms, but unless you're really going to do a comprehensive forensic analysis of the system, there are no guarantees.

Given the amount of headache you've had so far, if it were me, I would go very methodically, burning the entire system down, starting from pristine sources and removing any candidates for persistent infection vectors.

Here's what I'd recommend:

  1. Update the firmware on your router.  Ideally, from a known-good computer.

    There's a widely publicized vulnerability in many commodity wifi routers that allows an attacker to put exploit code in the working memory of the router.  The code allows the attacker to inject code into webpages that you load.  If you guessed that this manifests as fake Flash Player update dialogs, you guessed right.

    If you can't remember the last time you updated your router's firmware, or if you've never done that, there's a good chance that this might be why you're seeing update dialogs on websites all the time.  Simply unplugging the router for a few seconds and plugging it back in should be enough to restore it to normal working order temporarily.  Applying any pending firmware updates should prevent the infection from recurring.

  2. If you use portable USB memory sticks, copy off any files that are important and then take a hammer to them.

    It's possible to infect the firmware on USB memory sticks in a way that allows an attacker to store exploit code on the actual device hardware.  It's invisible to you from the operating system.  If you're using USB sticks regularly to transfer files, that may be what's happening.  *Especially* if you're using them on any shared machines, like computer lab systems, internet cafes, etc...

    Either switch to some cloud storage solution (e.g. Creative/Document Cloud, iCloud, Google Drive, Dropbox, Box, etc.) or get an actual portable USB hard disk.  There are really small portable SSD drives that work the same way, but aren't persistent vectors for infection.

    Take a hammer to those USB sticks when you're done.  It will remove the temptation to use them in a pinch, and it will be cathartic.

  3. Back up any important data files, if you haven't done so already.

    Because you can't get rid of this infection, it's time for a "salt the earth" strategy.  We want to burn it all down and start over from pristine sources.  If your backups allow you to restore only the important data files (the actual pictures and documents, etc.) great.

    What we specifically don't want to do, is to restore all of the operating system and application files that you've backed up, as there's a good chance that an attacker has one or more malicious binaries planted on the filesystem.  If you can restore just your data files, great.  If not, go get a portable hard drive (*not* a USB stick) and copy all of your important files over so that we can restore just those things later in the process.

  4. Delete all of the data from your startup disk and reinstall MacOS

    Disconnect your portable hard disk from the computer so that you don't accidentally erase it, and then follow the directions below to erase all of the data on the disk.

    How to reinstall macOS - Apple Support

  5. Apply any pending MacOS updates at startup.

    Also, make sure you're running the latest available OS version.

  6. Download and install a reputable, brand-name virus scanner.  Make sure that it's up-to-date before proceeding.

  7. Reinstall your applications

    Download and install all of your applications again.  Where possible, get them from the App Store.  Where that's not possible (e.g. Flash Player), download it directly from the vendor.  If you got it from a torrent site, well, you might consider paying for it to ensure that it didn't come with "extras" that you might not want.

    You can get Flash Player here:
    https://get.adobe.com/flashplayer

  8. Take a snapshot of the machine

    Now that you've got the machine mostly configured how you like it, and in a trustworthy state, this is a good time to make a baseline backup.  If you end up with the infection again, you can confidently restore and save yourself a couple hours of work.

  9. Scan your old backups. 

    Ideally, your AntiVirus has something like "on-access scan", where it's scanning all of the files that you copy on the fly.  It should be on by default, but it's worth a check.   It's a good safeguard against copying over anything that's infected at this stage.

    Attach your backup disk and scan it with your antivirus utility. 

  10. Restore just your data files

    Copy over only the actual data you need (documents, pictures, videos, etc.)

  11. Make sure Flash Player is enabled in your browser, if you want to use it.  As the browsers make it more difficult to run Flash, you may have it installed, but need to enable it in the browser.  This may cause some sites to tell you to install or update Flash. 

    The goal is to get you to a place where you're confident in just ignoring update notifications on websites.

    https://helpx.adobe.com/flash-player/kb/install-flash-player-windows.html
    https://helpx.adobe.com/flash-player/kb/flash-player-issues-windows-10-ie.html
    https://helpx.adobe.com/flash-player/kb/flash-player-issues-windows-10-edge.html
    https://support.mozilla.org/en-US/kb/why-do-i-have-click-activate-plugins
    https://helpx.adobe.com/flash-player/kb/enabling-flash-player-safari.html
    https://support.google.com/chrome/answer/6258784
    https://helpx.adobe.com/flash-player/kb/enabling-flash-player-opera.html

That should get you back to a state where you can really trust the machine again.

Once you're there, then it's important to avoid future infections.

  1. Enable Automatic Updates for anything that processes untrusted data. 

    Namely, the Operating System, Anti Virus, browsers and Flash Player.  It's critical that you're getting updates for the products consistently and quickly.

    Attackers are very sophisticated, and we can measure the time between when a security patch is shipped to the public and when attackers have reverse-engineered the binary patch and start attacking unpatched clients with a weaponized exploit.  It's generally measured in weeks or days, not months or years. 

    The bottom line is that Automatic updates are necessary in 2018.  Just enable them.  The inconvenience of the occasional functional problem pales in comparison to what you're going through currently.

  2. Don't follow links on websites or email to updates, and always download installers directly from the App Store or vendor.

    Just don't follow links or pop-up notifications.  It's easy to make legitimate-looking notifications.  Be skeptical. 

    If you have automatic updates enabled and something tells you to update, your odds are high that it's bogus.  Wherever possible, just download applications from your operating system's App Store.  They'll handle updates. 

    If you really think you need an update, open a new window and google for the product.  Make sure you're going to the developer's website and not to some random download site.  Download any software directly from the vendor and install it there.

  3. (Optional) Use a browser with Flash Player Built-In

    Both Google Chrome (for all operating systems) and IE and Edge on Win8 and higher include Flash Player as a built-in component of the browser.  There's nothing separate to install or maintain.  That means that you can really ignore anything that tells you to install or update Flash.

    In those instances, Google Chrome and Windows Update ensure that Flash Player is always up-to-date.  Also, if you really don't trust our distribution pipeline, those bits are vetted and distributed directly by the respective vendors.

  4. Stay away from sketchy sites

    Nothing is free.  If you're not paying, you're the product.  When it's Facebook, they're selling your information.  When it's something less reputable, they might be selling something like control over your computer.  Nobody is compromising your machine for fun.  They're getting paid.

  5. Get a password manager, rotate all of your passwords, and use two-factor authentication

    If people are logging into your email and stuff, that password you're using has leaked.  It's not uncommon for malware to install keystroke loggers to capture valuable information like your credentials.  I think it's pretty safe to assume, given what you've been going through, that your credentials are all thoroughly compromised.

    In the world of daily breach announcements, you really want a unique password for each site that you use, and you should enable two-factor authentication wherever possible.

    Unique passwords limit the damage done by any individual breach.  You don't want a password breach on that hobby forum to grant some guy in the Ukraine access to your bank account.

    Two factor authentication ensures that even if a bad guy has your password, they also need control of your phone in order to do anything with it.  You want this.

    Also, don't use those credentials from any machine that you can't confidently trust.  If your other machines have been compromised or keep getting compromised, limit your use of anything important to the one machine you do trust, until you can work through everything and get it all back to a trustworthy state.

If you want to get really fancy, you can always verify that an application has been digitally signed.  On MacOS, you can also look to see where a file was downloaded from, by looking at the file's File Info.  Similar techniques exist for Windows as well.  They're a little involved, and a quick google for "Validating code signatures for <insert operating system>" will probably serve you well.  Personally, just enabling automatic updates is a whole lot easier.

This general advice holds true for your other machines as well.  There's a reason that when we teach people how to compromise machines, we start them out on WinXP and Vista.  If you have aging operating systems running on your network, it's a good time to give some serious thought to retiring them.  Run a modern operating system, keep it patched, and if it's been infected, just burn the thing down and start from pristine sources.

In the event that you run into a malicious installer or installation dialog, we have a team that pursues action against those sites.  If you can grab a screenshot and the full URL of the download or the update window, just shoot an email to phishing@adobe.com or fraud@adobe.com, and we'll be happy to pursue a takedown on those.

Thanks!
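The two checks mentioned near the end of the post above (whether an application is digitally signed, and where a file was downloaded from, which is what Finder's File Info shows) can be done from a terminal. The script below is an added example and not Adobe's tooling. It assumes a Mac with the xattr, codesign and spctl command-line tools; on any other system the signature check reports that the tools are missing. The trusted-host list and the two sample attribute values are constructed for the example (the "fake" sample reuses the hostname reported at the top of the thread with a made-up path and a made-up referring page).

```python
# Added example (not Adobe's tooling): the two checks the post above points at,
# run from a terminal on macOS rather than through Finder. It assumes the
# xattr, codesign and spctl command-line tools are present; off macOS the
# signature check reports that the tools are missing. TRUSTED_SUFFIXES and the
# sample attribute contents below are constructed for the example.
import plistlib
import shutil
import subprocess
from urllib.parse import urlsplit

# The extended attribute Finder's "Get Info" reads to show "Where from".
WHERE_FROMS_ATTR = "com.apple.metadata:kMDItemWhereFroms"
TRUSTED_SUFFIXES = ("adobe.com", "apple.com")  # assumption: first-party download hosts


def parse_where_froms(raw: bytes) -> list[str]:
    """Decode the attribute value: a plist array whose first entry is the
    download URL and whose second entry, when present, is the referring page."""
    try:
        value = plistlib.loads(raw)
    except Exception:  # InvalidFileException or an XML parse error
        return []
    if not isinstance(value, list):
        return []
    return [item for item in value if isinstance(item, str)]


def read_where_froms(path: str) -> list[str]:
    """Read the attribute from a real file. `xattr -px` prints the raw value
    as hex, which is what the binary plist needs."""
    if shutil.which("xattr") is None:
        return []
    proc = subprocess.run(["xattr", "-px", WHERE_FROMS_ATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return []
    try:
        return parse_where_froms(bytes.fromhex(proc.stdout))
    except ValueError:
        return []


def origin_verdict(urls: list[str]) -> str:
    """'trusted' if every recorded URL is on a trusted host, 'untrusted' if any
    is not, 'unknown' if nothing was recorded (a file copied from a USB stick,
    for instance, carries no download origin at all)."""
    if not urls:
        return "unknown"
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if not any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
            return "untrusted"
    return "trusted"


def parse_authorities(codesign_details: str) -> list[str]:
    """Pull the certificate chain out of `codesign -d --verbose=2` output, which
    lists it as 'Authority=<name>' lines, leaf certificate first."""
    return [line.split("=", 1)[1].strip()
            for line in codesign_details.splitlines()
            if line.startswith("Authority=")]


def signature_status(app_path: str) -> dict:
    """Verify the code signature and ask Gatekeeper whether it would allow the
    app to run. The leaf 'Authority' names the signer (e.g. a Developer ID)."""
    if shutil.which("codesign") is None or shutil.which("spctl") is None:
        return {"status": "tool-missing", "authorities": []}
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", app_path],
                            capture_output=True, text=True)
    if verify.returncode != 0:
        return {"status": "unsigned-or-invalid", "authorities": []}
    details = subprocess.run(["codesign", "-d", "--verbose=2", app_path],
                             capture_output=True, text=True)
    authorities = parse_authorities(details.stderr)  # codesign -d prints to stderr
    assess = subprocess.run(["spctl", "--assess", "--type", "execute", app_path],
                            capture_output=True, text=True)
    status = "gatekeeper-accepts" if assess.returncode == 0 else "gatekeeper-rejects"
    return {"status": status, "authorities": authorities}


# Constructed attribute values, stored the way macOS stores them (binary plist).
# The vendor sample uses the download page named in the thread; the fake sample
# uses the hostname reported at the top of the thread with a made-up path and a
# made-up referring page.
SAMPLE_VENDOR_ATTR = plistlib.dumps(
    ["https://get.adobe.com/flashplayer/", "https://www.adobe.com/"],
    fmt=plistlib.FMT_BINARY)
SAMPLE_FAKE_ATTR = plistlib.dumps(
    ["http://fpsdz.aspirinqueen.win/Adobe%20Flash%20Player.dmg", "http://news.example/"],
    fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    import sys
    for label, raw in (("vendor sample", SAMPLE_VENDOR_ATTR), ("fake sample", SAMPLE_FAKE_ATTR)):
        urls = parse_where_froms(raw)
        print(f"{label}: {origin_verdict(urls)} {urls}")
    for path in sys.argv[1:]:  # real files, e.g. a downloaded .dmg or .app
        print(path, origin_verdict(read_where_froms(path)), signature_status(path))
```

Run with no arguments it classifies the two constructed samples; pass a downloaded file or app bundle path to inspect a real one. Note that "unknown" is not "safe": the origin attribute is only written by browsers and similar downloaders, so a file that arrived by USB stick or archive has no record at all, which is why the signature check is the one that actually carries weight.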

justinl87221205
Participant
April 14, 2018

Well I can say for sure I am not being tricked; it seems to automatically download it even if I destroy the folder. So far it has been one full day. I have formatted my PC 3 times in the last 4 months, so I do know that it seems to happen more when I have MS updates.

I will have to check the firmware on the router, that could be, but (cough) we have three routers all running into each other. I mean maybe that is the problem? We have had some people somehow getting into our WiFi and using it at night just by parking outside our house, so that is why we have three of them, though that may actually be where the issue is. Too many routers. Could that be?

jeromiec83223024
Community Manager
April 12, 2018

Also, we have a team that pursues takedown actions against sites like this.

If you can copy and paste the entire URL from the address bar, and include a screenshot, that gives them the evidence they need to move forward with those things pretty quickly.  Those messages are often hidden behind an address with a long random token, and we can't necessarily reproduce them without having the entire address.  In general, we need to be able to prove that malicious behavior is happening in order to justify the takedown requests.

Participant
April 12, 2018

I have no idea what the url of the popup was, but the install file that was downloaded is named "Adobe Flash Player.dmg".  When I do a "Get Info" on this file, it says the file was downloaded from this url

[link removed]

jeromiec83223024
Community Manager
April 12, 2018

Oh, that's killer.  I totally forgot that you can do that.  I'll definitely keep that trick in mind in the future.

Thanks for passing this along!

_maria_
Community Manager
April 12, 2018

Hi,

Yes, that is definitely a fake update notification.  I'll forward the domain to the security/fraud team.  In the future, feel free to report the incident directly to phishing@adobe.com or abuse@adobe.com

--

Maria

michaelk92153796
Participant
August 16, 2018

A page automatically redirected to this fake Flash Update web page.

Go get 'em!

[link removed]

jeromiec83223024
Community Manager
August 16, 2018

Thanks for the report.  I've forwarded along to our Phishing team.