cancel
Showing results for 
Search instead for 
Did you mean: 
steve7
Level 10
Report Inappropriate Content
Message 11 of 17

Re: Authentication Warnings

You're right, the refersh did not work, I got it again.

I'm confused about this VPP.   Is it just a "pledge?"  I was told a McAfee tech would run the "VPP tool," similar to Malwarebytes and Adaware, to remove whatever it is that's allowing these "warnings."

And again, this is only happening in Yahoo.   They should be told so they can look into it.   I'd to it myself, but it's impossible to reach a human being there.

Reliable Contributor Hayton
Reliable Contributor
Report Inappropriate Content
Message 12 of 17

Re: Authentication Warnings

Sorry, there's lots of email traffic today, I got sidelined.

What you probably got was a Level 1 tech support person, not understanding very much more than the workings of the product. VPP, forsooth. It's not a thing, it's just a pledge that IF what you've got is a virus (meaning malware but probably excluding adware or PUPs) then someone will clear it off your system using programs from the toolset.

As for trying to find a real human being at Yahoo (or Mozilla) who will listen to what you're saying and respond in language you can understand then you might be lucky, but prepare to be disappointed. And even then, you'll be lucky indeed to get one who will take on the responsibility of assuming ownership of your issue and try to do something about it ... it's just a fact of modern corporate life. No-one has the time, or the motivation, to go the extra mile.

Someone here, or on one of the other company forums, is your best bet; but as for letting people know about an issue like this, especially outside McAfee, there's probably not much we can do either.

Still investigating the background to this ...

steve7
Level 10
Report Inappropriate Content
Message 13 of 17

Re: Authentication Warnings

Actually, it's not that I want Yahoo to listen to me,  I just wanted to contact them to let them know about this so they can look into it.   Who wants these things hitting their web site?   And these actually take people away from Yahoo.  So you'd think Yahoo would be concerned about it.

If it's just Yahoo now, it could be additional sites later.  And who knows?  Maybe they grow into into something more then just a scam.   

These things need to be addresed before it gets to that point.  

And I figured A/V Security companies like McAfee would have lines into the Tech Departments of major web sites.  

It's only a darn phone call that would be giving them a "heads up."  

 

steve7
Level 10
Report Inappropriate Content
Message 14 of 17

Re: Authentication Warnings

Here's the "warning" with the red screen.  This is the one that has audio, a male voice talking.

Screen Warning 3.jpg

 

 

Highlighted
Reliable Contributor Hayton
Reliable Contributor
Report Inappropriate Content
Message 15 of 17

Re: Authentication Warnings

Okay, I've done the investigation and probably got far more than you were looking for. Ignore what's irrelevant, there may be some useful nuggets amongst the verbiage.

The scam attack you're seeing has been reported many times. Amazingly, it seems to be well-known by a host of dodgy fix-your-PC sites, I wonder how they came to know about it ...

Ignoring those sites, there are reports on Microsoft, Yahoo, BleepingComputer, Malwarebytes. These reports contain one or more of the fake error messages, phone numbers, and the URL you mentioned. What is of interest is that in these reports, where several people often chip in, someone always says that it happens while a Yahoo web page is on screen. It's coming from Yahoo, although the attack vector is not limited to their site : it's our old friend poisoned advertisements coming into the web page at load time thanks to the hidden ecosystem of real-time ad-space auctions. Basically, Yahoo have open slots for adverts on their pages, and when the page loads there's a bidding war for the right to use those slots. No checking takes place, and while McAfee's WebAdvisor does sometimes detect and block bad content very often all it sees is javascript, and maybe a call to an external site to load material. If the scammers are clever, and careful, they can slip their evil wares past most of the security products. I've seen complaints about Norton, McAfee, and Microsoft failing to stop this. It happens on sites all over the place, including some highly-trusted ones, but advert-heavy media websites and portals like Yahoo are particularly likely to be hit.

The warning screens you see, and the audio message (just another file, nothing special) can be downloaded in a second and triggered immediately or after an interval. McAfee sees nothing out of the ordinary, just web page content doing its stuff. No files are being  tampered with, it's not acting like malware. This is the new scareware.

Reports (phone numbers) :
https://findwhocallsyou.com/8772699094?CallerInfo
https://stopcaller.net/8772699094
https://1-800-database.com/phone/877-269-9094
http://spyoncaller.net/8772699094
https://social.technet.microsoft.com/Forums/windows/en-US/4afc50fe-277c-4da8-b363-2975129b6510/looki...


Reports (fake messages) and removal guides :
https://www.bleepingcomputer.com/virus-removal/remove-rdn-yahlover.worm-055BCCAC9FEC-infection-popup
https://malwaretips.com/blogs/remove-rdn-yahlover-worm055bccac9fec/

- These removal guides have other cleaning recommendations apart from the usual Malwarebytes/AdwCleaner combo. If you find the screens and messages are returning even if you don't go to Yahoo, follow their advice for thorough cleaning. And my own advice is to use a good ad-blocker, and possibly Ghostery as well. Stop the ads before they can pollute the web page - I watched Yahoo trying to load no fewer than 33 advertisements on their Finance page. Some, to my dismay, were let through by AdBlock as "allowed advertising". Ghostery stopped some of those. 

iframe on yahoo.PNG

 

 

 

 Ghostery.PNG

 

 

Now, that URL - "https://adverrd.global.ssl.fastly.net/?rsid=15a58d2badc868". That's been reported as well The bad part is what comes after the "?" - just checking for "adverrd.global.ssl.fastly.net" doesn't find anything much to object to. This URL string - and close variants - has been reported on the Yahoo forums. You may not be surprised to learn that their forum police kept excising details from the posts that were necessary for understanding the problem but which broke some forum rule or other. You will undoubtedly also be not surprised to learn that when a couple of hardy souls managed to report the problem to Yahoo what they got back was an answer which basically said, a) this can't possibly be anything to do with Yahoo, oh no, absolutely not; and b) it's a problem with your PC, you must have got it from somewhere else. At least one poster specifically pointed to Yahoo's third-party advertising policy, and this was deflected with the assertion that it couldn't be Yahoo's adverts misbehaving, it must be Google's. And indeed the Yahoo page I was monitoring was bringing in adverts from Google DoubleClick. But in the way of these things, any poisoned advertising tends to be deliberately random and intermittent to make detection more difficult. It might, heaven forbid, even be Google at fault after all.

Reports :
https://forums.yahoo.net/t5/Other-products/Fake-Microsoft-Security-Alerts-pop-ups/td-p/412461
https://forums.yahoo.net/t5/Help-with-Fantasy-Football/Constantly-getting-redirected-to-https-s-yimg...

https://www.bleepingcomputer.com/forums/t/666471/when-i-click-on-yahoo/
https://forums.malwarebytes.com/topic/216709-ominous-screen-showed-in-chrome/


Your main point about all this is that the content provider - Yahoo, you can be 100% certain - ought to take more care to stop these, well, they're not infections exactly, they're interferences. They could, but it would mean them being a lot more stringent with checking the third-party content that poisons their iframes, and that would cost them money and might deter their advertising content providers from bidding for their free slots. Money. Bottom line. All else is secondary, and inconvenienced consumers of their rotten product just have to lump it and not make a fuss. Not an attitude I have much time for, because as you say this will inevitably drive people away from using Yahoo. And serve them right if that happens. They must though have calculated that losing x% of their user base over y years is an acceptable price to pay to please their advertisers.

And the other point you made is that someone at McAfee could get on the phone and tell someone at Yahoo that there's a problem on their web pages. Well, they could, but what's the point? Everyone at both companies knows this sort of thing is going on, but no-one is going to tackle the underlying problem of sorting out the mess that is the real-time ad-bidding marketplace. So it's left to a few dogged campaigners to keep this issue from being buried in a sea of indifference, and good luck to them.

There. Too much information, I said. Can't say I didn't warn you Smiley Happy

steve7
Level 10
Report Inappropriate Content
Message 16 of 17

Re: Authentication Warnings

Hayton, well done. Very good detective work. 

I checked some of that anti-spyware software and some look tricky, dealing with registry etc.  Rather not deal with that.  And I also read some so-so reviews.   

Also, since this has to do with legitimate ads being hijacked by these "warnings," it's certainly possible that you don't have to have maleware or spyware on your computer for you to get this.  Your computer can be clean, but still be hit with them.  And even if something is there, there's no guarentee any of that software would be any different from what I'm using now.   So I'll stick with Adwcleaner and Malwarebytes  for now.

In regard to Yahoo not caring if they lost an "acceptable" number of users because of this, maybe they would care if advertisers leave once they realize their ads are being hijacked. 

FWIW, I haven't recieved a "warning" in the last couple of days.  But January was relativetly slow and it's different day to day.    However, while in Yahoo, I did get a McAfee "Whoa..you sure you want to go there?" screen, so maybe it picked up one of them.

Thanks for the help.

 

 

 

Reliable Contributor Hayton
Reliable Contributor
Report Inappropriate Content
Message 17 of 17

Re: Authentication Warnings

My pleasure.

It is just over one hundred years since Arthur Conan Doyle published his last Sherlock Holmes story, His Last Bow.

This little investigation - I enjoyed doing it - is likely to be mine. I hope you found it useful.