How to debug malware popups in Safari

Tags: malware, safari, Security

Around once a day a new tab opens in the background and automatically starts downloading some probably scam software disguised as a "flash player". I tried to fix it doing the things recommended online, but could not find the cause or prevent it from happening again.

It started, or rather I started noticing it, when I started using Safari after I upgraded my current installation to Mojave when it came out. Before that I used Chrome.

Here is what happened and what I tried:

  • I checked my extensions. The only extensions I have in Safari are: 1password, buffer, getpocket and todoist, which are all, as far as I know, very reputable companies.
  • I downloaded and ran malwarebytes which found nothing
  • I made a full scan with Avast Business Antivirus* which found nothing
  • I have no custom profiles installed, as there is no Profiles tab in my System Preferences
  • I am still using Chrome and did not experience anything similar.

It could be a malicious website or a malicious ad on a website. I did not check every time, but when I checked I only had tabs open to pages like stackoverflow, aws.com, jira and my server.

What else can I check?

This is one of the pages that is opened. Don't visit the page if you don't know what you are doing… http://flashupdate.f1g35qioffhthyu3b6wz.icu/fpud/index.htm?cbred=fs.344ephsyypn5bg4frlcyucn193vljeu.club&cep=vtZ7fu9RElRgsoKFM9_YSnk0SYRzD91E66GwQEGxKK8PvVwfWQZPKlMyMV9-nRmQrGXv8M8MtiF7ozOPKwuTrguO5_Nnkbd9uMN0n4ah0d0l02e0BubCt9iiqnH4-6eWep3ORE5Ap9jmrp8I8BlSuJPgxBvO-9t-wD-ApotpfUV3XThVu-oIWLO7E0yzVxHjrOSRK2fFIK0vmneesg4zO4d62E94G8lBx1DfiZWWUawzWn8R1KaNsd46zzT8G3_NoRDveloFgWdZZ9xqF5dl5fyrAUHEJwyQwIzVjwWeQ0SC0NDu5syuKaIRF2SGfwzgxTgQYCuS4a6u06iAvRK1DA&zone=1806371-363340319-0&lang=EN&cid=15396045451420581365032245711614177&time=1539604547&campaign=125927820&redirection_cost=0.03

* This is my old company notebook that I got when I left my old company.

[update]

Here are the contents of the library folders TJ Luoma recommended checking out.

    ls ~/Library/LaunchAgents
    com.adobe.AAM.Updater-1.0.plist
    com.adobe.GC.Invoker-1.0.plist
    com.dropbox.DropboxMacUpdate.agent.plist
    com.valvesoftware.steamclean.plist
    net.tunnelblick.tunnelblick.LaunchAtLogin.plist
    org.virtualbox.vboxwebsrv.plist

    ls /Library/LaunchAgents/
    com.adobe.AAM.Updater-1.0.plist
    com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist
    com.adobe.AdobeCreativeCloud.plist
    com.adobe.GC.AGM.plist
    com.adobe.GC.Invoker-1.0.plist
    com.avast.userinit.plist
    com.cisco.anyconnect.gui.plist
    com.google.keystone.agent.plist
    com.googlecode.munki.ManagedSoftwareCenter.plist
    com.googlecode.munki.MunkiStatus.plist
    com.googlecode.munki.managedsoftwareupdate-loginwindow.plist
    com.malwarebytes.mbam.frontend.agent.plist
    com.nvidia.CUDASoftwareUpdate.plist
    jp.co.canon.CUPSSFP.BG.plist
    org.macosforge.xquartz.startx.plist

    ls /Library/LaunchDaemons/
    com.adobe.ARMDC.Communicator.plist
    com.adobe.ARMDC.SMJobBlessHelper.plist
    com.adobe.adobeupdatedaemon.plist
    com.adobe.agsservice.plist
    com.avast.init.plist
    com.avast.uninstall.plist
    com.avast.update.plist
    com.cisco.anyconnect.vpnagentd.plist
    com.google.keystone.daemon.plist
    com.googlecode.munki.logouthelper.plist
    com.googlecode.munki.managedsoftwareupdate-check.plist
    com.googlecode.munki.managedsoftwareupdate-install.plist
    com.googlecode.munki.managedsoftwareupdate-manualcheck.plist
    com.grahamgilbert.crypt.plist
    com.malwarebytes.mbam.rtprotection.daemon.plist
    com.malwarebytes.mbam.settings.daemon.plist
    com.zenmate.charon-xpc.plist
    net.tunnelblick.tunnelblick.tunnelblickd.plist
    org.macosforge.xquartz.privileged_startx.plist
    org.virtualbox.startup.plist

All seem legit to me. com.grahamgilbert.crypt.plist is from a tool the former IT department used to enforce encryption on the machines. (github link)

[update 2]

Based on Geoff's question I also checked the "Automation" pane in the "Security and Privacy" prefpane and the Safari pop-up settings, but both look innocent. The 10.101.101.23 is my local server running jupyter notebook.

"Unfortunately" there were no further pop-ups. Maybe it was a series of malicious ads on one of the seemingly reputable sites I was using.

[Screenshot: "Automation" pane in "Security and Privacy" prefpane]

[Screenshot: Safari pop-up settings]
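An added example (my own code, not from the question or the answer) for going through LaunchAgents/LaunchDaemons listings like the ones above more systematically: it parses each plist with Python's standard plistlib and flags the properties a persistence check looks for (executable outside the usual install directories or inside a hidden directory, a label that does not match the file name, an Apple-style label in a third-party directory, a periodic StartInterval). The two sample plists are constructed; the `com.apple.SafariHelper` one is hypothetical and not something found on the asker's machine.

```python
import plistlib
from pathlib import Path

TRUSTED_PREFIXES = ("/System/", "/Library/", "/Applications/", "/usr/")  # usual install dirs

# Constructed samples standing in for ~/Library/LaunchAgents files: a typical vendor
# updater and a hypothetical agent with an Apple-style label (not from the asker's machine).
SAMPLE_PLISTS = {
    "com.dropbox.DropboxMacUpdate.agent.plist": {
        "Label": "com.dropbox.DropboxMacUpdate.agent",
        "ProgramArguments": ["/Library/Dropbox/DropboxMacUpdate.app/Contents/MacOS/DropboxMacUpdate"],
    },
    "com.apple.SafariHelper.plist": {
        "Label": "com.apple.SafariHelper",
        "ProgramArguments": ["/Users/me/Library/.cache/helper", "--run"],
        "StartInterval": 86400,  # fires roughly once a day
    },
}

def program_of(plist):
    """Executable launchd would run for this job ('' if the plist names none)."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""

def audit_plist(filename, plist):
    """Return human-readable findings for one plist; an empty list means nothing odd."""
    findings, label, exe = [], plist.get("Label", ""), program_of(plist)
    if label and Path(filename).stem != label:
        findings.append(f"label {label!r} does not match file name")
    # Apple's own agents live in /System/Library and run binaries from /System or /usr.
    if label.startswith("com.apple.") and not exe.startswith(("/System/", "/usr/")):
        findings.append("Apple-style label but executable outside /System or /usr")
    if exe and not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"executable in unusual location: {exe}")
    if any(part.startswith(".") for part in Path(exe).parts):
        findings.append("executable path contains a hidden directory")
    if "StartInterval" in plist:
        findings.append(f"runs every {plist['StartInterval']} seconds")
    return findings

def audit_directory(directory):
    """Audit every .plist in a real launchd directory, e.g. ~/Library/LaunchAgents."""
    return {p.name: audit_plist(p.name, plistlib.loads(p.read_bytes()))
            for p in sorted(Path(directory).expanduser().glob("*.plist"))}

def audit_samples():
    """Run the audit over the constructed samples; real use: audit_directory(path)."""
    return {n: audit_plist(n, p) for n, p in SAMPLE_PLISTS.items()}
```

Run `audit_directory` over each of the three directories in the listing; a job with no findings is not proven clean, but one with several is where to look first.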

Best Answer

So, first of all, let's break this down. There seem to be four distinct issues here:

  1. So, you're experiencing unwanted malware phishing popups, linking especially to that one you linked.

  2. You're worried there is possibly malware on your machine already, causing these popups.

  3. You think this may have to do with Safari as opposed to Chrome.

  4. You're asking how to "debug" this.

So, let's break this down.

  1. The particular link you cited is very interesting, because it is a very new malware variant. I went ahead and tested it, and all the signing certificates and SSL certificates used are still valid, and it successfully infects. The installer package was signed on Friday (four days ago), and by modification dates, it looks like the code for this was finished on the 15th. (I've now reported all of this to Apple and the various SSL certificate issuers and I expect all this will be revoked in the next 24 hours.) And, thankfully, a Malwarebytes scan successfully detected it as a variant, and caught it; it was able to clean everything.

  2. So, if you've performed a recent Malwarebytes scan (in addition to the steps you've taken above), I'd say the chances you are infected are very, very unlikely.

  3. So, given how new this particular piece of malware is, are you sure that this behavior does not also occur in Chrome? Because when I visit that link in Chrome, it "checks out" there too. For the time being.

  4. So really, IMHO, it really comes down to the issue of popups. The thing is, Safari, by default, blocks all popups. Have you disabled this? Have you whitelisted certain sites to allow popups from them? Because that's the only way I can really think of why you would be getting popups at all, and you haven't mentioned anything about checking your Safari settings other than your extensions and plugins. However, it is also possible that some other application you have has been compromised; almost anything can execute something like:

    #!/usr/bin/env osascript
    
    -- Opens a new tab in the frontmost Safari window. Whatever runs this
    -- script needs Automation permission for Safari (see below).
    tell application "Safari"
        tell front window
            make new tab at end of tabs with properties {URL:"https://apple.stackexchange.com/questions/339620"}
        end tell
    end tell
    

    But you would have had to have authorized it to control Safari. If you go to your Security and Privacy prefpane, what have you authorized under "Automation" to control Safari or System Events?