Author Topic: can you believe this phishing  (Read 7281 times)

Offline jcarter

  • TS Addict
  • Posts: 5808
    • http://www.jcarter.net/ourdogs/muffinpage.html
can you believe this phishing
« on: February 01, 2019, 12:08:22 PM »
It's really a wild one, came in on a weather website my husband was looking at on his new iMac.

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
Re: can you believe this phishing
« Reply #1 on: February 01, 2019, 12:20:32 PM »
Amazing amounts of computations to arrive at those numbers! And all at no "cost" to the user! Yeah, right...  :wallbash: :laughhard:
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline Highmac

  • Administrator
  • TS Addict
  • Posts: 5455
Re: can you believe this phishing
« Reply #2 on: February 02, 2019, 09:37:12 AM »
I just opened up the MBP, logged in and that same message was on my screen. I had both Firefox and Safari running but that scam window was on top of a Safari page (BBC iPlayer website) - and looked just like the one Jane got. I just shut down the spoof window (red button) and quit and relaunched Safari. There's no (edit - obvious!) sign of it in the history of either browser.

Not surprisingly, all the numbers on it were identical to Jane's  :doh:
Neil
MacMini (2018) OS10.14.6 (Mojave). Monitor: LG 27in 4K Ultra HD LED.
15in MacBook Pro (Mid 2014) OS10.13.4 (High Sierra);
15in MacBook Pro (2010), (ex-Snow Leopard); now OS10.13.6 (High Sierra); 500GB Solid-State SATA drive; 4GB memory.

Offline jcarter

Re: can you believe this phishing
« Reply #3 on: February 02, 2019, 09:55:59 AM »
I did the same, got rid of that window, quit Safari, and restarted it. Nothing today.
Wonder if anybody actually did click on that thing?
Sure hope nobody.

Offline Xairbusdriver

Re: can you believe this phishing
« Reply #4 on: February 02, 2019, 10:31:38 AM »
I'm not sure it's coming from Safari in particular. I suspect Flash. If you ever see it again, Quit Safari before closing the window to see if Safari was even involved.

Offline Highmac

Re: can you believe this phishing
« Reply #5 on: February 03, 2019, 07:37:49 AM »
Took another look at Jane’s screen grab and noticed the url at the top. It starts:

Quote
“mac-safety-check.com.hefjzkeo…” (lots more letters), then “index.php?browser=Safari&zo=US&app…”;
the rest cannot be seen.

So it seems likely that Safari has been hijacked/involved but I’d appreciate Jim’s views.

Just wish I’d stopped long enough to read the whole url on the one that popped up for me.

FYI: Safari 12.0.2, mid-2014 MBP Retina; High Sierra.
Neil

Offline jcarter

Re: can you believe this phishing
« Reply #6 on: February 03, 2019, 07:44:25 AM »
I wish I had saved the rest of it in a screenshot, did look at it and it was very long.
Nothing like this has shown up either before or after.
It's my husband's new iMac, and it and Safari are running perfectly.
And nothing like this has shown up on any of our other Macs.

Very interesting, looking forward to you all figuring this out.

Offline jchuzi

  • TS Addict
  • Posts: 3094
Re: can you believe this phishing
« Reply #7 on: February 03, 2019, 08:28:45 AM »
Go to System Preferences > Security & Privacy > Firewall and check your settings, including Firewall Options. You'll have to click the lock and enter your administrator password to unlock the Options button.
Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P700, Photoshop CC, Lightroom CC, MS Office 365

Offline jcarter

Re: can you believe this phishing
« Reply #8 on: February 03, 2019, 08:38:38 AM »
I looked at this on my iMac, I don't have an admin password, so even though I click the lock, I can't change anything on this one.
But Safari on his Mac is not listed in location services. Mine is, but never saw anything similar to this 'thing'.

Offline jcarter

Re: can you believe this phishing
« Reply #9 on: February 03, 2019, 04:17:24 PM »
My husband got another one, and I think I got the entire URL. I used a screenshot.
He went to the same weather site, it's not appeared on any other site.

Offline Xairbusdriver

Re: can you believe this phishing
« Reply #10 on: February 03, 2019, 05:27:42 PM »
Quote
He went to the same weather site, it's not appeared on any other site.
Ah! So it is only showing when you visit the 'hacked' site? As I was once told when I smashed my thumb with a hammer... "Don't do that!" :nono: :wallbash:  :coolio: :doh:

Offline jcarter

Re: can you believe this phishing
« Reply #11 on: February 03, 2019, 06:48:31 PM »
Did not visit it, just took a screen capture when I highlighted the URL, and quit Safari. Did not click on anything.

Offline jcarter

Re: can you believe this phishing
« Reply #12 on: February 03, 2019, 07:07:51 PM »
I will post the screen capture here tomorrow if you want to see the entire thing.

Offline jcarter

Re: can you believe this phishing
« Reply #13 on: February 04, 2019, 11:42:21 AM »
Here it is. It's a long one for sure.

Offline Xairbusdriver

Re: can you believe this phishing
« Reply #14 on: February 04, 2019, 05:44:19 PM »
Only thing that looks interesting is the name of a dubious app called Mac Cleanup Pro (just after the "Safari&zo=US&" text). Every place you see "&" is usually a separator for a new piece of data. "%20" is the ASCII code for a space, which is not usable in most urls. Do a search for that name and you'll find all sorts of hits.

The normal way of getting this disgusting junkware is by visiting sites for free apps and fake updates. Several things you can do to see if you actually have the junkware installed:
  • See if there is an extension with parts of that name in Safari Prefs
  • Check your home/Library/LaunchAgents for any file with those three words.
  • Also check your ~/Library/Application Support directory
  • Obviously you can also look in your Applications folder
What you should never do is pay/buy/download any app named "Mac Cleanup Pro"! :doh: And, of course, practice "Safe Surfing"! :doh: Update only from Apple's Software Update and from trusted third-party dev sites. I don't recommend auto-updating any app or OS. :wallbash: Of course, you should also have an Admin password for your computer... :coolio:
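The folder checks listed in the post above (LaunchAgents, Application Support, Applications), as an added example that is not part of the original thread. The function name `scan_for_app` and the matching rule (compare names after lower-casing and dropping everything except letters and digits, so the three words match with or without spaces or dots) are assumptions of this example; Safari extensions still have to be checked by hand in Safari's preferences.

```shell
#!/bin/sh
# Added example: look for files or folders named after an unwanted app in the
# places the post lists. The matching rule is this example's assumption:
# names are reduced to lower-case letters and digits before comparing, so the
# app's words match whether separated by spaces, dots, dashes or nothing.

normalise() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9'
}

# scan_for_app HOME_DIR APPS_DIR "App Name"
# Prints one matching path per line. Returns 0 if something matched,
# 1 if nothing matched, 2 if the app name was empty.
scan_for_app() {
    home_dir=$1
    apps_dir=$2
    needle=$(normalise "$3")
    [ -n "$needle" ] || return 2
    found=1
    for dir in "$home_dir/Library/LaunchAgents" \
               "$home_dir/Library/Application Support" \
               "$apps_dir"; do
        [ -d "$dir" ] || continue
        # Top level only: an app bundle, a launch agent plist or a support
        # folder would carry the name at this level. Hidden entries included.
        for path in "$dir"/* "$dir"/.[!.]*; do
            [ -e "$path" ] || continue
            name=$(normalise "$(basename "$path")")
            case $name in
                *"$needle"*)
                    printf '%s\n' "$path"
                    found=0
                    ;;
            esac
        done
    done
    return $found
}

# Check the current user's folders for the app named in the thread.
scan_for_app "$HOME" /Applications "Mac Cleanup Pro" \
    || echo "Nothing named like Mac Cleanup Pro in the checked folders."
```

A hit only means a file or folder carries the name; look at what it is before moving it to the Trash.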