Also, we have a team that pursues takedown actions against sites like this.
If you can copy and paste the entire URL from the address bar, and include a screenshot, that gives them the evidence they need to move forward with those things pretty quickly. Those messages are often hidden behind an address with a long random token, and we can't necessarily reproduce them without having the entire address. In general, we need to be able to prove that malicious behavior is happening in order to justify the takedown requests.
I have no idea what the url of the popup was, but the install file that was downloaded is named "Adobe Flash Player.dmg". When I do a "Get Info" on this file, it says the file was downloaded from this url
Oh, that's killer. I totally forgot that you can do that. I'll definitely keep that trick in mind in the future.
Thanks for passing this along!
Well there is something very wrong with The Flash Player. I have had the same thing posted here as well as pop up in the browser that claim my PC has a virus.
I can get rid of the Flash Player, and for weeks on end it is all good. and then either I get the You need to update your flash player which automatically downloads the Bugged Version or I get the Pop up telling me I ave a virus.
It is not just OSX/Mac's but in windows and other Operating systems as well. every web site is not spared. even the National weather service (NWS.NOAA.GOV).
Reformatting only does the same as if I deleted the folder or Bugged Item.
I hope this can be looked into much more and maybe investigated. I have noticed (which Might not be related or have any connection to) that my Yahoo Email account had strange Log Ins from areas in which I was no where near. - I live in the midwest and the l;og ins came from Washington,Dc
Software and operating system-based controls have improved significantly over the last few years, making it extremely difficult to install software without a users' permission.
Human factors are now the path of least resistance. Since Flash Player is ubiquitous, it's the go-to for impersonation. It's way easier to get you to enter your password for a fake update than it is to install something silently without your knowledge.
Furthermore, Adobe has invested massive amounts of engineering resources to ensure that downloads that you get from us are authentic and unmodified. The entire release and build process is tightly controlled and monitored end-to-end. There are technical and procedural checks from multiple disparate teams, and we use cryptographic digital signatures (the keys to which are also tightly controlled) to certify that those builds are authentic. You can actually check binaries to ensure that they're legitimate and from us, should you choose. I'm confident that any installers that you're getting that contain malware aren't from us.
It's definitely possible for an attacker to take a legitimate copy of Flash Player, bundle it with malware and release it, but it won't be signed as coming from Adobe Systems Incorporated, and it won't be served from one of our servers.
Since you're getting malware repeatedly, either you're getting tricked repeatedly by fake update dialogs, you're not really getting rid of the infection in the first place, or you're restoring a backup that's already infected. I'll give you some guidance on how to avoid all of those and get back to a truly pristine state.
Also, it's worth pointing out that the malware guys are smart. We're way past the days of bored kids in basements. Once an attacker has established a foothold on the system, they're going to ensure that the infection is resilient (the bad guys test against all the popular anti-virus and clean products, too), and they also have automatic updates. Virus scanners and cleanup tools are trailing-edge solutions. Hundreds of thousands of malware variants are generated daily. It's a cat-and-mouse game, but the attackers have the edge if they can keep ahead of the anti-virus guys.
So, it's pretty likely that any clean-up effort you've taken has been incomplete. You may have dealt with the visible symptoms, but unless you're really going to do a comprehensive forensic analysis of the system, there are no guarantees.
Given the amount of headache you've had so far, if it were me, I would go very methodically, burning the entire system down, starting from pristine sources and removing any candidates for persistent infection vectors.
Here's what I'd recommend:
- Update the firmware on your router. Ideally, from a known-good computer.
There's a widely publicized vulnerability in many commodity wifi routers that allows an attacker to put exploit code in the working memory of the router. The code allows the attacker to inject code into webpages that you load. If you guessed that this manifests as fake Flash Player update dialogs, you guessed right.
If you can't remember the last time you updated your router's firmware, or if you've never done that, there's a good chance that this might be why you're seeing update dialogs on websites all the time. Simply unplugging the router for a few seconds and plugging it back in should be enough to restore it to normal working order temporarily. Applying any pending firmware updates should prevent the infection from recurring.
- If you use portable USB memory sticks, copy off any files that are important and then take a hammer to them.
It's possible to infect the firmware on USB memory sticks in a way that allows an attacker to store exploit code on the actual device hardware. It's invisible to you from the operating system. If you're using USB sticks regularly to transfer files, that may be what's happening. *Especially* if you're using them on any shared machines, like computer lab systems, internet cafes, etc...
Either switch to some cloud storage solution (e.g. Creative/Document Cloud, iCould, Google Drive, Dropbox, Box, etc.) or get an actual portable USB hard disk. There are really small portable SSD drives that work the same way, but aren't persistent vectors for infection.
Take a hammer to those USB sticks when you're done. It will remove the temptation to use them in a pinch, and it will be cathartic.
- Back up any important data files, if you haven't done so already.
Because you can't get rid of this infection, its time for a "salt the earth" strategy. We want to burn it all down and start over from pristine sources. If your backups allow you to restore only the important data files (the actual pictures and documents, etc.) great.
What we specifically don't wan to do, is to restore all of the operating system and application files that you've backed up, as there's a good chance that an attacker has one or more malicious binaries planted on the filesystem. If you can restore just your data files, great. If not, go get a portable hard drive (*not* a USB stick) and copy all of your important files over so that we can restore just those things later in the process.
- Delete all of the data from your startup disk and reinstall MacOS
Disconnect your portable hard disk from the computer so that you don't accidentally erase it, and then follow the directions below to erase all of the data on the disk
How to reinstall macOS - Apple Support
- Apply any pending MacOS updates at startup.
Also, make sure you're running the latest available OS version.
- Download and install a reputable, brand-name virus scanner. Make sure that it's up-to-date before proceeding.
- Reinstall your applications
Download and install all of your applications again. Where possible, get them from the App Store. Where that's not possible (e.g. Flash Player), download it directly from the vendor. If you got it from a torrent site, well, you might consider paying for it to ensure that it didn't come with "extras" that you might not want.
You can get Flash Player here:
- Take a snapshot of the machine
Now that you've got the machine mostly configured how you like it, and in a trustworthy state, this is a good time to make a baseline backup. If you end up with the infection again, you can confidently restore and save yourself a couple hours of work.
- Scan your old backups.
Ideally, your AntiVirus has something like "on-access scan", where it's scanning all of the files that you copy on the fly. It should be on by default, but it's worth a check. It's a good safeguard against copying over anything that's infected at this stage.
Attach your backup disk and scan it with your antivirus utility.
- Restore just your data files
Copy over only the actual data you need (documents, pictures, videos, etc.)
- Make sure Flash Player is enabled in your browser, if you want to use it. As the browsers make it more difficult to run Flash, you may have it installed, but need to enable it in the browser. This may cause some sites to tell you to install or update Flash.
The goal is to get you to a place where you're confident in just ignoring update notifications on websites.
That should get you back to a state where you can really trust the machine again.
Once you're there, then it's important to avoid future infections.
- Enable Automatic Updates for anything that processes untrusted data.
Namely, the Operating System, Anti Virus, browsers and Flash Player. It's critical that you're getting updates for the products consistently and quickly.
Attackers are very sophisticated, and we can measure the time between when a security patch is shipped to the public and when attackers have reverse-engineered the binary patch and start attacking unpatched clients with a weaponized exploit. It's generally measured in weeks or days, not months or years.
The bottom line is that Automatic updates are necessary in 2018. Just enable them. The inconvenience of the occasional functional problem pales in comparison to what you're going through currently.
- Don't follow links on websites or email to updates, and always download installers directly from the App Store or vendor.
Just don't follow links or pop-up notifications. It's easy to make legitimate-looking notifications. Be skeptical.
If you have automatic updates enabled and something tells you to update, your odds are high that it's bogus. Wherever possible, just download applications from your operating system's App Store. They'll handle updates.
If you really think you need an update, open a new window and google for the product. Make sure you're going to the developer's website and not to some random download site. Download any software directly from the vendor and install it there.
- (Optional) Use a browser with Flash Player Built-In
Both Google Chrome (for all operating systems) and IE and Edge on Win8 and higher include Flash Player as a built-in component of the browser. There's nothing separate to install or maintain. That means that you can really ignore anything that tells you to install or update Flash.
In those instances, Google Chrome and Windows Update ensure that Flash Player is always up-to-date. Also, if you really don't trust our distribution pipeline, those bits are vetted and distributed directly by the respective vendors.
- Stay away from sketchy sites
Nothing is free. If you're not paying, you're the product. When it's Facebook, they're selling your information. When it's something less reputable, they might be selling something like control over your computer. Nobody is compromising your machine for fun. They're getting paid.
- Get a password manager, rotate all of your passwords, and use two-factor authentication
If people are logging into your email and stuff, that password you're using has leaked. It's not uncommon for malware to install keystroke loggers to capture valuable information like your credentials. I think it's pretty safe to assume, given what you've been going through, that your credentials are all thoroughly compromised.
In the world of daily breach announcements, you really want a unique password for each site that you use, and wherever possible, you should enable two-factor authentication wherever possible.
Unique passwords limits the damage done by any individual breach. You don't want a password breach on that hobby forum to grant some guy in the Ukraine access to your bank account.
Two factor authentication ensures that even if a bad guy has your password, they also need control of your phone in order to do anything with it. You want this.
Also, don't use those credentials from any machine that you can't confidently trust. If your other machines have been compromised or keep getting compromised, limit your use of anything important to the one machine you do trust, until you can work through everything and get it all back to a trustworthy state.
If you want to get really fancy, you can always verify that an application has been digitally signed. On MacOS, you can also look to see where a file was downloaded from, by looking at the file File Info. Similar techniques exist for Windows as well. They're a little involved, and a quick google for "Validating code signatures for <insert operating system>" will probably serve you well. Personally, just enabling automatic updates is a whole lot easier.
This general advice holds true for your other machines as well. There's a reason that when we teach people how to compromise machines, we start them out on WinXP and Vista. If you have aging operating systems running on your network, it's a good time to give some serious thought to retiring them. Run a modern operating system, keep it patched, and if it's been infected, just burn the thing down and start from pristine sources.
In the event that you run into a malicious installer or installation dialog, we have a team that pursues action against those sites. If you can grab a screenshot and the full URL of the download or the update window, just shoot an email to firstname.lastname@example.org or email@example.com, and we'll be happy to pursue a takedown on those.
- Update the firmware on your router. Ideally, from a known-good computer.
Well I can say for sure I am not being tricked, it seems to automatically download it even if I destroy the folder so far it has been one full day. I have formatted my PC 3 times in the last 4 month's so, I do know that it seems to happen more when I Have MS updates.
I will have to check the firm ware on the router, that could be, but Cough we have Three router's all running into each other. I mean maybe that is the problem?we have had some people somehow getting into our WiFi and using it at night just by parking outside our house. so that is why we have Three of them., thogh that may actually be where the issue is. too many router's. could that be?
Here's the thing. Windows Update isn't sending you viruses. Neither is Adobe. Furthermore, the auto-update mechanisms employed by both companies use cryptographic checks at multiple places to ensure that nobody is substituting out auto-update payloads on the fly. They're heavily scrutinized. Also, correlation is not causation.
The bottom line is that it sounds like you have a big mess on your hands.
You've had a malware infection and one more more of your machines is compromised. What's worse, is that your machines regularly get reinfected.
That's not normal.
You're either not getting the infection cleaned up in the first place, or you're doing something to reinfect yourself repeatedly.
The fact that someone sitting on the street can get on your network seems problematic.
The fact that you have three routers isn't magically going to make your machines be infected with malware. If one or more of those routers is compromised, it may be able to redirect requests to sites that are malicious. This means that you might be encountering opportunities to infect yourself more frequently than the average person. If you're not keeping your machines patched, it's pretty easy to just park in front of your house and let a script run to scan for and infect everything vulnerable on the network. It doesn't even take skill.
You're either going to need to pay someone to come clean it all up, or you're going to have to get really serious and just take everything off the network, pick a machine, hook it directly to your cable modem or whatever, and get it into a known-good state. Once you have one trusted piece of hardware, then you get to go through every single thing, one at a time, and make sure it's clean and trusted before you stick it on a network with anything else.
If you don't go through the tedious, methodical process, there's no guarantee that you'll ever get it cleaned up.
There's also good reason to look at your habits. Cleaning things up and getting (and keeping) them current is a crucial first step. Keeping your network malware free comes down to all those little decisions where you have to choose between security and convenience/cost.
I have also experienced this on my Mac recently. I'm fairly tech savvy and don't know how I was redirected to this site, but nonetheless the fake update .dmg file was downloaded automatically. I deleted the file without mounting the disk image so I imagine that I am safe, but I wanted to put the website URL as well as the download URL out there so Adobe can possibly help get this taken down.
The website URL with the fake update notification: [link removed]
Here is a screen shot of the landing page with the bogus update notification:
Since I deleted the .dmg without mounting I imagine I am in the clear, but is there anything I should be concerned about on my end? Thanks!
It sounds like you did the right thing (noticing that the download was bogus and deleting it), and it's extremely unlikely that just downloading the file did any harm to the system.
The reason that this kind of approach is so prevalent is because the browsers, operating system and Flash Player have made it very difficult to take control of the system without your explicit permission (i.e. you need to enter your password to install software, etc.). It's far easier to trick someone into giving explicit permission to install malware than it is to silently install it.
Following best practices like running a reputable anti-virus program, and making sure that you have automatic updates enabled for the OS, browser and Flash Player is always wise, even on Mac.
Thank you for the help. I also sent the details along to the firstname.lastname@example.org email address as well. Everything seems just fine with the computer so far. Nothing was installed so I'm not too worried about it about it. The more worrisome thing is why I served the bogus ad on a new computer, on my home network. I get some random redirects at times on my mobile devices (via the cellular network) but never really on my home network. Kind of weird. Just wanted to add my two cents to this thread.
In general, it's usually an issue where an attacker managed to insert malicious code on the content provider's page. Examples would be things like sneaking a malicious banner ad on to an ad distribution network, or maybe figuring out how to insert code into the comments on a page, where they're actually allowed to get executed.
There's an interesting class of attack that targets home routers with a particular vulnerability, which allows attackers to store and execute code in the router's memory. This kind of vulnerability doesn't survive a reboot, so you could just unplug the router and plug it back in to temporarily solve the issue. Then you could just make sure that you have the latest firmware installed on your router to prevent future infection. Those kinds of vulnerabilities typically get used to insert similar fake update notifications into otherwise reputable webpages.
The important part here is that you just shouldn't trust links on webpages that tell you to update. If you think you need an update, go google for it and find an authoritative link from the software vendor (or use the app store, where applicable). If you set your stuff to update automatically (which we'd highly recommend), then you can be pretty confident that any update notifications should be ignored (for software that you've set to automatically update).
That's an Adobe link, but to a very specific download. It's taking you to the Flash Player variant for Firefox.
You can always go here from the browser you want to use Flash Player on and we'll serve you the right download or tell you that it's built-in, etc:
Hmm. I don’t use Firefox.
I use chrome and thought flash player updates automatically with chrome. Yes?
It does. Where are you getting that link from?
I keeps popping up on my computer. Maybe 1 x a week
There *is* a notification option for updates that would cause a dedicated window to open and encourage you to update. It's not the default option, and we don't recommend it -- specifically because bad actors target users through update notifications. Using a pop-up window in the web browser is usually the method perferred by bad actors, although modern browsers do a good job of restricting pop-up windows for the most part.
If you go to Control Panel > Flash Player > Updates and you see "Notify me to install updates" is selected, that would confirm that your system is configured to show those legitimate update dialogs. The link you shared was a real link, so that would make sense. If you primarily use Chrome, but you installed Flash Player for Firefox (or maybe for Adobe Acrobat) at some point, that would explain why you're getting the pop-up notification to update the NPAPI Flash Player variant.
Instead of trusting the pop-up, you can just initiate the update from the control panel by choosing "Install Now", which would allow you to avoid interacting with any pop-ups. The update screen will also enumerate a list of the Flash Player variants you have installed and their versions. We shipped an update yesterday, so the current version is 184.108.40.206.
I'd also highly recommend just setting that update preference to "Allow Adobe to install updates...", so that you're not wondering about whether your Flash Player is current, and/or if a pop-up dialog is legitimate.
Oh, the forums don't do email attachments. If you come back to the forums site, you can add them to the post through the UI.
A page automatically redirected to this fake Flash Update web page.
Go get 'em!
Thanks for the report. I've forwarded along to our Phishing team.
Got another one here, have had a few with drive by downloads but this one just prompted to download the "update"
LINK [link removed]
Thanks for posting the link. It's definitely fake. I'll forward to the fraud team for follow-up. In the future, feel free to report directly to email@example.com
Note: Adobe's North American offices are closed through January 1, 2019. Replies from staff members will be delayed.
If this "fake" flash update has been installed, what to do?
1 person found this helpful
The Flash might be perfectly fine, or not, but the fake will have installed all sorts of other things, from unwanted advertising to apps that steal your credit card and personal info, or threaten blackmail. Do not use the computer! Best to wipe the computer and start over. This will lose EVERYTHING on it, but if you have good backups you can use them. If this sounds too much for you seek professional advice on the computer now.
Constant problem in last few months. Tried all the recommended deletions, ended up messing up my Adobe DC installation. Final installed Adobe Flash from Adobe website, then a few minutes later got the message that I have lots of viruses. Hope adobe can do something about this, or Apple, it seems more frequent on Safari. I am going to try switching to firefox, see what happens. Here is the latest link that I just received
Dangerous link removed... Moderator
This is the ONLY link to Get Flash Player https://get.adobe.com/flashplayer
Please bear in mind that a fake update notification doesn't mean YOU are infected. It means the WEB SITE is infected. Ignore the message, and don't go to that site again.
This thread has gone circular, and I'm going to lock it.
If you've encountered a site offering fake Flash Player downloads, please send a screenshot and a fully copy of the URL(s) involved to firstname.lastname@example.org.
Our phishing team will follow up with appropriate actions on the website side of things. In general, it's better to avoid posting malicious links to the forums. We don't want anyone accidentally clicking them, and the more sophisticated delivery mechanisms engineer the URLs for one-time use (it's hard to serve a takedown notice if you can't show someone that the URL is delivering malware).
The US Federal Trade Commission has some good advice on avoiding malware in general:
Heres the advice that I typically share to people that were either tricked into installing malware, or are seeing fake update notifications, but haven't been lured into actually running those installers:
Unfortunately, because Flash Player is installed on billions of computers, it's a common target for impersonation for people distributing malware.
As an industry, we've done a pretty good job of defending against technical attacks that allow bad guys to install software without your authorization. In 2018, it's really difficult to do (assuming you're running a modern operating system and not something from 2005, in which case, you should get on that).
The result is that human factors are now the path of least resistance. It's easier to trick you into installing something on behalf of the attacker, vs. figuring out how to defeat all of the security stuff required to do it without your express permission.
In general, you're better off setting everything to update automatically. You can then go through life assuming that any update notifications you get are bogus. This is actually what we strongly recommend, and it generally applies to anything tasked with handing untrusted communication (the operating system, your web browser, flash player, etc.). The inconvenience of something functional breaking because of an update pales in comparison to the pain of recovering from identity theft.
Here are a few guidelines that will minimize your risk of getting tricked into installing malware:
- Wherever possible, use your operating system's App Store for downloading and updating software
- When software you want (like Flash Player) isn't available from the App Store for your operating system, always navigate directly to the vendor's website. If you need to search for the download, that's cool -- but avoid "download" sites, and find the vendor's actual download link
- Never download stuff from a link in an email or update dialog. Type it in. It's easy to disguise fake URLs in links using internationalized characters and things (e is not the same as è, but it might be really easy to miss if you're not looking closely). If it's a link from a URL shortener service like tinyurl.com/abcde or bit.ly/abcde, you don't know what the end result is going to be, and you're probably wise to just head to Google to find what you need instead.
- When the software offers automatic updates, just turn them on and stop worrying about maintaining all the moving parts running on your computer. The threat landscape is so much different than it was 10-15 years ago. Enable updates so that you're getting critical patches as soon as they become available. Be confident that any subsequent update notifications are probably fake, and act accordingly (either ignore them, or consult the vendor for guidance before doing anything).
For Flash Player specifically:
Always download Flash Player from here: https://get.adobe.com/flashplayer/
When you install, choose the default option of "Allow Adobe to Install Updates (recommended)", and we'll keep it updated for you.
Google Chrome ships Flash Player as a built-in component, and keeps it updated automatically. There's nothing separate to download, install or configure.
Microsoft Edge and Internet Explorer on Windows 8 and higher also include Flash Player as a built-in component of their browser, and updates are handled automatically through Windows Update. Again, as long as Windows Update is enabled, there's nothing to download or configure.
If you've actually installed malware on your machine:
There is a large universe of unknown unknowns, but the important thing to know is that malware authors at this point are professionals. They test against popular antivirus and cleanup tools. Good malware is going to first establish a foothold, but the second order of business would be to ensure resilience. If you've run cleanup tools and have removed the obvious visible signs of the malware infection, that may be adequate, but you're putting a lot of faith into the efficacy of those tools. In most situations, it's difficult to determine whether or not you've eradicated everything that was installed, and you should weigh those risks carefully. Without significants expertise, and/or an exhaustive and expensive forensic analysis, there are no guarantees.
If it were me, I'd probably back up all of the critical data on the machine and then burn the whole thing down and start from scratch (i.e. format the hard disk, reinstall the operating system and applications from pristine sources, install a reputable antivirus utility, scan my backups and then restore them. I'd then go buy a password manager like LastPass/OnePass/KeyPass/etc. and set about ensuring that I have unique, strong passwords for each of the important online services that I use (including any email services that could be used to reset those passwords), and set up two-factor authentication wherever it's offered.