Chrome browser THREAT - Clicking a page in Distrowatch

Clarity
Posts: 3318
Joined: Fri Jul 24, 2020 10:59 pm
Has thanked: 1370 times
Been thanked: 442 times

Chrome browser THREAT - Clicking a page in Distrowatch

Post by Clarity »

Using Chrome browser, I have a suspicious message. URL it came from is https://24.push-defenders.com/2105-security-nblocked-desktop-addon-us/?to=2105-security-nblocked-desktop-addon-us&campid=a2d79b78-8c12-4420-a858-f2008abdc91b&utm_source=RCP&landerid=b082b3e9-6657-4b76-976e-63a3aad1065c&browser=Chrome&bv=Chrome%20100&lander=1305-intermediary-lander%20-%20%5BMSF%5D&pccid=d7s6da1lnfum9dlf2vujrn3i&phone_brand=Desktop&model=Desktop&zone_id=9d2e0377a969b1246e67eac8afd607b9&supply_id=1833&camp_id=5a87b9507dd15597d60180326d45e4d7&source=pixel&ua=&creative=&ip=66.61.66.0&pathid=2ce87429-21b3-5759-a0ec-a99bd747d322&brand=av&lang=en&geo=us-push-desktop

The page shows


WARNING! Your Chrome is severely damaged by 13 Malware!

We have detected that your Chrome is (62%) DAMAGED by Tor.Jack Malware. Malicious and Aggressive Ads have injected this on your device.
Immediate Action is required to Remove and Prevent it from spreading that will leak sensitive data from your device. It includes your Social Media Accounts, Messages, Images, Passwords, and Important Data.

Here is how you can solve this easily in just a few seconds.

with a "Clean My Device" button below the message portion

Anyone else seen anything similar?

I am using the latest Chrome Version 100.0.4896.127 (Official Build) (64-bit)

Keef
Posts: 250
Joined: Tue Dec 03, 2019 8:05 pm
Has thanked: 3 times
Been thanked: 67 times

Re: Browser THREAT - Clicking a page in Distrowatch

Post by Keef »


Re: Browser THREAT - Clicking a page in Distrowatch

Post by Clarity »

@Keef, good reference.

Today when opening my browser on my PUP, I received these immediate notifications.

Virus Notifications.jpg

I believe that the messages are related to a Win rebuild on an occasional-use PC that I did a couple weeks back. In that rebuild, the McAfee license is EXPIRED. And warning notifications resulted on each Win restart. On my last use of that PC, I updated and added EDGE & Chrome ... syncing each.

So, guessing, that (McAfee) is the reason for these notifications bleeding across OSes when Chrome is started/restarted.

I have NOT acted on any of these pop-ups...merely discarding them when seen within a browser window or as a pop-up notification.

mikewalsh
Moderator
Posts: 5610
Joined: Tue Dec 03, 2019 1:40 pm
Location: King's Lynn, UK
Has thanked: 581 times
Been thanked: 1703 times

Re: Browser THREAT - Clicking a page in Distrowatch

Post by mikewalsh »

@Clarity :-

Almost certainly it's a result of syncing your Google a/c to a Windoze 'puter with expired AV. If you can get rid of the offending items without hassle, then ignore it.

The Google a/c 'sync' mechanism is a very useful thing to have. It does, however, have a few downsides. This IS one of them.

Mike. ;)


Re: Browser THREAT - Clicking a page in Distrowatch

Post by Clarity »

+1 to both of you; @Keef and @mikewalsh.

This issue is one that presents an interesting review; Browser Hijacking in Puppy Linux.

  • On Windows, Browser hijacking could result not just in a browser compromise, but also a system level compromise.

  • In MAC or Linux, the threat-level will usually manifest in just the browser, although there also is a potential of going beyond into your system if WINE is installed.

Now, the problem surfaces to trying to come up with an effective removal process.

I am at a loss in the various readings found, as most address the Windows/MAC side, but Linux instructions are missing.

Something thoughtful will need to be crafted.

geo_c
Posts: 2509
Joined: Fri Jul 31, 2020 3:37 am
Has thanked: 1804 times
Been thanked: 710 times

Re: Browser THREAT - Clicking a page in Distrowatch

Post by geo_c »

Clarity wrote: Sat Apr 23, 2022 7:57 pm

there also is a potential of going beyond into your system if WINE is installed.
Something thoughtful will need to be crafted.

I use a wine portable build when I use it, so that may be added security in that if I don't use browsers and wine simultaneously the threat is more limited.

Last edited by geo_c on Sun Apr 24, 2022 2:34 am, edited 1 time in total.


Re: Browser THREAT - Clicking a page in Distrowatch

Post by mikewalsh »

@geo_c / @Clarity :-

This is one of those long-running "told ya so's" that's been circulating for as long as WINE has been in existence. More often than not promulgated by those who are anti-Windoze (though NOT always), most adherents believe in keeping Linux as 'Linux-only', and are convinced WINE is tantamount to having malware installed inside your distro.

The simple fact that every WINE 'prefix' effectively sandboxes its contents flies completely over their heads....because it doesn't make for a good argument. I do, however, agree with the overall stance; that of keeping Windows & Linux separated as much as you can.....preferably, on completely different machines.

That said, I've used WINE for as long as I've run Linux - primarily for one, specific Windows-only graphics editor, for which I've never found an equivalent on this side of the 'fence' - and in almost a decade, WINE has never given me the slightest cause for concern, security-wise. (Given my use-case, I refuse to buy another machine simply to run one, single app; what, and put myself through all that crap again.....after dumping it almost a decade ago?)

Nah. I don't think so.

Mike. ;)


Re: Browser THREAT - Clicking a page in Distrowatch

Post by Clarity »

Hi @mikewalsh Thanks for your positional comment.

For a clearer statement, I don't run WINE. I only reported some things found about how the problem I report could manifest to impact in a system.

I also shared, how, I am certain this problem started.

I am curious if I am misunderstanding your comment. Is there something there that suggests a mitigating solution to the pop-ups that are occurring?

If so, please make it a little simpler to help me see.

Thanks to everyone trying to help toward a resolution to stop the notifications. I am currently looking to stop all notifications and if there is a way to isolate which is the cause of the issue.

P.S. My system is NOT compromised by this hijack attempt: Just the notifications are annoying.


Re: Browser THREAT - Clicking a page in Distrowatch

Post by mikewalsh »

@Clarity :-

In the browser; go into the Chrome menu (those three vertical dots, top right-hand corner.)

Settings->Privacy & Security->Site Settings->Notifications.

Check what you have the 'Default Behaviour' set to. You CAN turn notifications off completely, though it runs the risk of breaking certain site functionality if you do this.

Mike. ;)


Re: Chrome browser THREAT - Clicking a page in Distrowatch

Post by Clarity »

Preliminary Resolution to this problem
Since PUPs and DOGs are NOT compromised, I entered the settings as mentioned. There, I found one questionable site. My steps, in the order that I took to ensure I remove every possible hiding place:

  1. Block ALL notification settings for that site

  2. Remove data registered to the site via the button

  3. Remove the site from the settings area

  4. Clear cache and cookies

Will observe and report if this does not work.
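
Added example, not part of the thread or written by any poster: a Python audit of the per-site notification permissions that the Settings page discussed above displays, read from Chrome's `Preferences` JSON file so the granted origins can be listed and the most recent grant spotted. The profile path is an assumption (stock Chrome on Linux; Puppy portable builds or a non-root browser user keep the profile elsewhere), and the sample origins are constructed.

```python
import json
from pathlib import Path

# Chrome's ContentSetting values as stored in the Preferences file.
SETTING_NAMES = {1: "allow", 2: "block", 3: "ask"}

# Constructed sample in the shape Chrome uses; origins are placeholders.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://push-spam.example:443,*": {"last_modified": "13295000000000000", "setting": 1},
        "https://mail.example:443,*": {"last_modified": "13290000000000000", "setting": 1},
        "https://ads.example:443,*": {"last_modified": "13291000000000000", "setting": 2},
    }}}}
})


def notification_grants(prefs_text):
    """Return [(origin, setting_name, last_modified)], newest change first."""
    node = json.loads(prefs_text)
    for key in ("profile", "content_settings", "exceptions", "notifications"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    rows = []
    for pattern, entry in node.items():
        # Keys look like "<primary pattern>,<secondary pattern>".
        origin = pattern.split(",")[0]
        setting = SETTING_NAMES.get(entry.get("setting"), "unknown")
        rows.append((origin, setting, int(entry.get("last_modified", 0))))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def allowed_origins(prefs_text):
    """Origins currently permitted to show notifications, newest grant first."""
    return [o for o, s, _ in notification_grants(prefs_text) if s == "allow"]


if __name__ == "__main__":
    # Assumed default profile location; falls back to the constructed sample.
    path = Path.home() / ".config/google-chrome/Default/Preferences"
    text = path.read_text(encoding="utf-8") if path.exists() else SAMPLE_PREFERENCES
    for origin, setting, _ in notification_grants(text):
        print(f"{setting:7} {origin}")
```

Any "allow" entry for a site you do not recognise is the one to block and remove through the Notifications settings page; run the script with the browser closed so the file is not being rewritten.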
