
security questions and advice


Ric Ford

MacInTouch
I’m afraid you could be right, Ric. No one else seems to be having this problem. Both my iPad and Mac Pro are, but only at MacWorld? I thought it might be my local DNS server, so switched to Comcast’s, but it's still redirecting MacWorld.
If you haven't run Malwarebytes, that's the first thing I'd do.
 


Switched to OpenDNS, and I’m good...

I think? Tried Malwarebytes. It says my Mac Pro is clean, but can it really tell in a 6-second scan of a 1TB SSD?
 


MacWorld.com has been automatically redirecting to suspicious sites (“Adobe” updates, etc.) since last night. Don’t really know how to safely contact them.
Check all your DNS settings - not just the server address, also the search domains.

I had a problem where my computer had some old domains in the search list (resulting from moving the computer between different employers). When one of those domains expired and got taken over by domain squatters, it started redirecting unqualified host addresses to malware sites.

I wrote an article about this back in November. It is describing Windows, but the same principle should apply to any computer.

 


MacWorld.com has been automatically redirecting to suspicious sites (“Adobe” updates, etc.) since last night. Don’t really know how to safely contact them.
I'm having the same issue with macworld.com and at least one other site (astronomy.com). Switching to OpenDNS didn't help. I'm currently running a full-disk scan using ClamXAV.
 


MacWorld.com has been automatically redirecting to suspicious sites (“Adobe” updates, etc.) since last night. Don’t really know how to safely contact them.
I'm having the same issue with macworld.com and at least one other site (astronomy.com). Switching to OpenDNS didn't help. I'm currently running a full-disk scan using ClamXAV.
Odds are it’s malvertising, rather than anything on your Macs, that comes from a JavaScript embedded in an ad provided by third parties that MacWorld, etc. subscribe to.

The only way to avoid those is with a good adblocker, which is something OpenDNS provides, although I'm not certain how effective it actually is.

And as David mentioned, you need to clear your DNS cache after switching to a new DNS, in order to prevent re-using what the old DNS provided.
 



Check all your DNS settings - not just the server address, also the search domains.

I had a problem where my computer had some old domains in the search list (resulting from moving the computer between different employers). When one of those domains expired and got taken over by domain squatters, it started redirecting unqualified host addresses to malware sites.

I wrote an article about this back in November. It is describing Windows, but the same principle should apply to any computer.

Thanks, David. I read your article and took what steps I could think of to address that. I disabled my local DNS server, redirected my router, and desktop to OpenDNS (temporarily?). Deleted every search engine bookmark I have. Cleared Safari history and quit. Used Onyx to clear the DNS cache and all other internet related caches. Rebooted. Those pages still redirect.

It really feels like those two sites are passing the bad URLs. They will both render the entire page before redirecting. This can mean major shuffling of the page by the time it is finished. Both pages have randomised ads that vary from visit to visit, which may explain why it doesn't always do it?

I can't find anything irregular about my system, except that Little Snitch's Network Monitor had put a nondescript notice that Safari had a "Resource or signature modified."
Taccy and spctl confirmed it. Mojave didn't seem to think it was worth mentioning?
 


Thanks, David. I read your article and took what steps I could think of to address that. I disabled my local DNS server, redirected my router, and desktop to OpenDNS (temporarily?). Deleted every search engine bookmark I have. Cleared Safari history and quit. Used Onyx to clear the DNS cache and all other internet related caches. Rebooted. Those pages still redirect.
Yuck. At this point, it looks like you're going to need to do some packet sniffing (e.g. with WireShark) to see what's happening under the covers.

A packet trace should show you what hostname is actually being sent to your DNS server, what IP address is being returned from the server, and what data is being fetched from that address. Depending on what you find, that should help you isolate the cause of the problem.
  • If the hostname is not what you expect, then you may have an issue with your browser or network configuration.
  • If the DNS server address is not what you expect, double-check network configurations. Also check browser settings (e.g. alternate "secure DNS" servers)
  • If the IP address you get back is wrong, then the DNS server or some proxy in between is corrupt
  • If the IP address is correct, look at the HTTP transaction (your web browser may have a debug mode to show this) to see if you're receiving any redirect pages and where they are coming from
Good luck.
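As an added example (not part of the thread, and not anyone's posted code), the Python script below models the two DNS failure modes raised in this exchange: David's point about stale search domains that let an unqualified host name be tried under a domain someone else now controls, and the packet-trace question of whether different resolvers return the same address for a host. The resolv.conf-style configuration, the domains and the IP addresses are all constructed placeholders, and the allow list of "expected" search domains is an assumption the reader supplies for their own network.

```python
"""Added example (not from the MacInTouch thread): model two DNS failure modes
discussed above - stale search domains that let an unqualified host name be
tried under a squatted domain first, and resolvers that disagree about a host.
Every domain and address below is a constructed placeholder."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample of a Unix/macOS stub-resolver configuration after a
# machine has moved between employers; "old-employer.example" is the stale one.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real configuration
nameserver 192.0.2.53
nameserver 192.0.2.54
search corp.example old-employer.example home.arpa
options ndots:1
"""


@dataclass
class ResolverConfig:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    ndots: int = 1


def parse_resolv_conf(text):
    """Parse nameserver, search/domain and ndots settings from resolv.conf text."""
    cfg = ResolverConfig()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            cfg.nameservers.append(rest[0])
        elif key in ("search", "domain"):
            cfg.search = rest                      # a later directive replaces an earlier one
        elif key == "options":
            for opt in rest:
                m = re.fullmatch(r"ndots:(\d+)", opt)
                if m:
                    cfg.ndots = int(m.group(1))
    return cfg


def candidate_names(name, cfg):
    """Fully qualified names a stub resolver tries for `name`, in order.
    A name with fewer than ndots dots is tried under every search domain
    before it is tried as-is, so a stale search domain gets to answer first."""
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{d}." for d in cfg.search]
    if name.count(".") >= cfg.ndots:
        return [name + "."] + suffixed
    return suffixed + [name + "."]


def stale_search_domains(cfg, allowed):
    """Search domains in the config that are not on the allow list."""
    return [d for d in cfg.search if d not in allowed]


def disagreeing_resolvers(answers):
    """`answers` maps a resolver label to the set of IPs it returned for one
    host. Returns the labels whose answer differs from the majority answer;
    an empty list means every resolver agreed."""
    tally = Counter(frozenset(ips) for ips in answers.values())
    majority = tally.most_common(1)[0][0]
    return sorted(label for label, ips in answers.items()
                  if frozenset(ips) != majority)


if __name__ == "__main__":
    cfg = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("stale search domains:", stale_search_domains(cfg, {"corp.example", "home.arpa"}))
    print("lookup order for 'intranet':", candidate_names("intranet", cfg))
    # Constructed answers: the ISP resolver returns a different address than the others.
    print("disagreeing resolvers:", disagreeing_resolvers({
        "isp": {"198.51.100.7"}, "public-1": {"203.0.113.9"}, "public-2": {"203.0.113.9"}}))
```

On a live system the answer sets would come from querying each configured resolver for the same name (the packet trace shows the same thing), and any resolver whose answer differs from the others is the one to look at first.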
 


Ric Ford

MacInTouch
I don't have a direct contact at MacWorld, but I've let them know via friends, and it does appear that they have a malvertising problem with ads on their website.
 


I don't have a direct contact at MacWorld, but I've let them know via friends, and it does appear that they have a malvertising problem with ads on their website.
I've been getting them for a couple of days, mostly at night. I have Bitdefender running full time, and a Malwarebytes scan showed nothing. I've been using OpenDNS for years.
 


I've been getting them for a couple of days, mostly at night. I have Bitdefender running full time, and a Malwarebytes scan showed nothing. I've been using OpenDNS for years.
Just an additional thought: I hardly ever click on ads in MacWorld. In fact, I usually use Reader View, which eliminates most of the ads since they're exceptionally annoying, continuously updating the text position on the screen. Sometimes I forget to put the browser (Safari) in Reader View. If I remember correctly, just running your mouse across an ad without clicking will sometimes make them act like they've been clicked.
 


Odds are it’s malvertising, rather than anything on your Macs, that comes from a JavaScript embedded in an ad provided by third parties that MacWorld, etc. subscribe to.
The only way to avoid those is with a good adblocker, which is something OpenDNS provides, although I'm not certain how effective it actually is.
And as David mentioned, you need to clear your DNS cache after switching to a new DNS, in order to prevent re-using what the old DNS provided.
Adware issue is likely it. Had same problem yesterday on my iMac 10,1 with Catalina via DosDude1’s patches. Kill ads—no issue. With ads—redirect to fake Flash sites. I don’t run flash at all.
 


Ric Ford

MacInTouch
Malvertising is apparently rampant now with trojan Flash – "New York Times, the Washingtonian, Scientific American" and many more besides Macworld. Beware.

(Multi-layered security systems apparently blocked these on my Mac, and I hadn't seen the problem.)
 


I don't have a direct contact at MacWorld, but I've let them know via friends, and it does appear that they have a malvertising problem with ads on their website.
Thanks, Ric. Good to know I'm not completely crazy. We all have enough other agitations right now.
 




I am involved with a small team (60 persons) who seem ambivalent about using Bcc: (blind carbon copy) for group emails.

Am I correct in believing that failure to use Bcc: when appropriate is still a security risk? Most information on the web seems well out of date. What are the security risks today?

I would appreciate it if someone can point me to definitive and up-to-date information. Thanks in advance.
 


Ric Ford

MacInTouch
Ric, would you be willing to share the details of these installed / implemented security systems?
They may be more labor-intensive than most folks would like, but NoScript and LittleSnitch are very useful, and I bypass the ISP's DNS, among other things. Firefox offers some Content Blocking options (including "Strict") which may be helpful, though I'm not sure exactly what blocked the malvertising for me (and now I have to go alert folks I directly support about the problem).

Frequent, rotated backups are a necessity, and I'm sure other folks can offer additional suggestions, too.
 


I am involved with a small team (60 persons) who seem ambivalent about using Bcc: (blind carbon copy) for group emails.

Am I correct in believing that failure to use Bcc: when appropriate is still a security risk? Most information on the web seems well out of date. What are the security risks today?
The security risk, then and now, is that everybody on the list can see everybody else's e-mail addresses.

If someone on the list wants to be malicious, he can use the data to get a list of known-good addresses, the users' real names, and the fact that they (probably) have some relationship to each other. When correlated with other such address lists, it can be used for phishing purposes (e.g. to send someone mail that appears to come from a friend or coworker).

In your particular case, if it's a closed list and everybody already knows each other, then it probably doesn't matter much.
 


I am involved with a small team (60 persons) who seem ambivalent about using Bcc: (blind carbon copy) for group emails.

Am I correct in believing that failure to use Bcc: when appropriate is still a security risk? Most information on the web seems well out of date. What are the security risks today?

I would appreciate it if someone can point me to definitive and up-to-date information. Thanks in advance.
Yes. According to one authority* with decades of experience supporting security and system configurations, failure to use Bcc: for mailing to a distribution list is
  • Discourteous, as it potentially discloses what is desired to be 'private'
  • Potentially a privacy policy breach, as it potentially discloses what is mandated to be 'private'
  • A security breach in that it effectively publishes to the world data that is easily captured for exploitation, even by the most inept malefactor
Penalties for such behavior are possible, depending on your environment, and can range in severity from mild reproof to termination.

*Yes, me.
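As an added example (not from the thread, and not anyone's posted code), the Python script below is the kind of pre-send check the two answers above argue for: it parses a group message, lists the addresses every recipient would be able to see along with the mail domains that exposes, flags the message when the visible list is longer than a threshold, and shows the conventional rewrite that moves everyone into Bcc: behind an empty "Undisclosed recipients" group. The message and all addresses are constructed placeholders, and the threshold of three visible recipients is an assumed policy value.

```python
"""Added example (not from the MacInTouch thread): a pre-send check for group
e-mail that flags visible recipients and performs the Bcc: rewrite.
All addresses are constructed placeholders."""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message: four recipients spread across To: and Cc:.
SAMPLE_MESSAGE = """\
From: organizer@team.example
To: alice@example.org, bob@example.net
Cc: carol@example.com, Dave Smith <dave@example.edu>
Subject: Team update

Hello all,
"""

VISIBLE_HEADERS = ("To", "Cc")


def _addresses_in(msg, headers):
    """Lower-cased addresses found in the given headers of a parsed message."""
    values = []
    for h in headers:
        values.extend(msg.get_all(h, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def visible_recipients(raw):
    """Addresses every recipient of this message can see (To: and Cc:)."""
    return _addresses_in(message_from_string(raw), VISIBLE_HEADERS)


def bcc_recipients(raw):
    """Addresses that are delivered to but not shown to other recipients."""
    return _addresses_in(message_from_string(raw), ("Bcc",))


def exposed_domains(addresses):
    """Distinct mail domains revealed by a visible recipient list; a long
    mixed-domain list is the correlation data the posts above warn about."""
    return sorted({a.rsplit("@", 1)[1] for a in addresses if "@" in a})


def needs_bcc(raw, threshold=3):
    """True when more than `threshold` addresses are exposed to each other
    (assumed policy value; pick one that fits your team)."""
    return len(visible_recipients(raw)) > threshold


def rewrite_with_bcc(raw, group="Undisclosed recipients:;"):
    """Move every To:/Cc: address into Bcc:, leaving an empty group in To:."""
    msg = message_from_string(raw)
    addrs = visible_recipients(raw)
    for h in VISIBLE_HEADERS:
        del msg[h]                      # removes every instance of the header
    msg["To"] = group
    msg["Bcc"] = ", ".join(addrs)
    return msg.as_string()


if __name__ == "__main__":
    seen = visible_recipients(SAMPLE_MESSAGE)
    print("visible to everyone:", seen)
    print("domains exposed:", exposed_domains(seen))
    if needs_bcc(SAMPLE_MESSAGE):
        print("too many visible recipients; rewritten message:\n")
        print(rewrite_with_bcc(SAMPLE_MESSAGE))
```

The rewrite keeps the Bcc: header in the returned text so the sending client still knows where to deliver; a real mail submission strips Bcc: before the message leaves, which is what makes the addresses invisible to the other recipients.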
 


As a digital subscriber to one of the big-name papers, while I have not experienced any direct navigational re-direct to Flash installers, on occasion I have experienced a fraudulent re-direct after clicking an actual article headline.

I also have long been a bit concerned about the paper's choice in advertising clients (vendors?). The paper's web pages are inundated not only with ad choices based upon their glean of my interests, but their pages are replete with click-bait, and in my humble opinion, deceptive or fraudulent products and articles on the order of the proverbial snake-oil.
Some of these click-bait links do ultimately engage in the fake Flash deception.
Yah, I clicked a couple... bad me!

I understand the need for these papers to rely on advertising, but can't they garner legit underwriting? It's not only annoying but a bit embarrassing.
 


Ric Ford

MacInTouch
As a digital subscriber to one of the big-name papers, while I have not experienced any direct navigational re-direct to Flash installers, on occasion I have experienced a fraudulent re-direct after clicking an actual article headline. I also have long been a bit concerned about the paper's choice in advertising clients (vendors?). The paper's web pages are inundated not only with ad choices based upon their glean of my interests, but their pages are replete with click-bait, and in my humble opinion, deceptive or fraudulent products and articles on the order of the proverbial snake-oil.
Some of these click-bait links do ultimately engage in the fake Flash deception.
Yah, I clicked a couple... bad me! I understand the need for these papers to rely on advertising, but can't they garner legit underwriting? It's not only annoying but a bit embarrassing.
MacInTouch was funded by web advertising in the beginning - a very long time ago in the early days of the Web (late 1990s). We took text and graphic ads directly from the advertisers. When Flash entered the picture, and advertisers demanded that Flash ads be run, I refused, because I could not vet Flash ads for security problems while Flash ads ran unknown code on the website visitor's computer. We took a major financial hit.

Later I started running Google ads, which brought in thousands of dollars, but when Google started putting offensive and misleading political ads on my website in the midst of a critical presidential election, I immediately terminated the Google ads and took yet another financial hit.

Now, ads are mostly delivered through "ad network" platforms (like Google AdSense) where third parties pay to deliver mixed media and code into the computers of people visiting a publisher's websites, and "malvertising" has run amok.

We get constant solicitations to host advertising and place third-party content on MacInTouch, which I refuse to do.

MacInTouch is now funded only by direct contributions from people who derive benefit from its content and support services and by small commissions on Amazon purchases through our affiliate links that become worthwhile only at scale (which we've gotten solely from the US, as non-US experiments actually have been a net loss).
 


I understand the need for these papers to rely on advertising, but can't they garner legit underwriting? It's not only annoying but a bit embarrassing.
I suspect that a lot of media outlets don't actually run their own web advertising, but instead use a third-party company to supply ads. These companies probably don't look too closely at who is buying the ads, since everybody's money is just as green. And when they end up serving malware, well, the site actually posting the ads is going to get the blame, not the ad network company.
 


One thing you can do with Little Snitch is block some of the ad network domains, e.g., taboola.com. I’ve found that it helps.
 



Ric Ford

MacInTouch
Use of ad blocking software also gets the job done, at least for content you access via a web browser.
Firefox offers built-in content blocking options:
Mozilla said:
Content blocking | Firefox Help
Content blocking is a collection of Firefox privacy features that protect you from threats and annoyances on the Web. This includes protections against trackers, which collect your browsing data across multiple websites. Starting with Firefox version 67, you can block harmful scripts including cryptominers and fingerprinters.
Apple also offers some ad-blocking possibilities in Safari:
Apple Support said:
Change Websites preferences in Safari on Mac

Content Blockers
  • On: Stop ads and other unwanted content from appearing on the site.
  • Off: Don’t block ads and other unwanted content on the site.
Apple Support said:
Clear the history and cookies from Safari on your iPhone, iPad, or iPod touch

Content blockers are third-party apps and extensions that let Safari block cookies, images, resources, pop-ups, and other content.

Here's how to get a content blocker:
  1. Download a content blocking app from the App Store.
  2. Tap Settings > Safari > Content Blockers, then set up the extensions that you want. You can use more than one content blocker.
 


I typically access bank accounts and credit cards on my laptop. However, the banks have become very aggressive at promoting their phone apps, which I have refused to download for many years. I'm beginning to change my mind but wonder how safe and secure these apps are now. (And, yes, I do have a fingerprint and long security number on my phone.)
 


