This is malware. Firefox does not update using such a method.

• See Update Firefox to the latest release

Note there will shortly be a genuine upgrade to Firefox 48. Using a blocker such as ublock origin may help prevent such problems.

• https://addons.mozilla.org/firefox/addon/ublock-origin/

If you have downloaded and clicked on or run such malware please post back for further advice.

P.S. Please also see

• I found a fake Firefox update

thank you for getting back to me!! i have to admit this looked like the real deal and i was very tempted to click on it thinking that it was from mozilla-firefox. it even had the "firefox automatically sends some data to mozilla so that we can improve your experience." at the bottom of the page along with the "choose what i share" button. just sayin' it really looked legit other than the fact that it popped up up out of nowhere... thanks again!!

sylentdiva said

thank you for getting back to me!! i have to admit this looked like the real deal and i was very tempted to click on it thinking that it was from mozilla-firefox. it even had the "firefox automatically sends some data to mozilla so that we can improve your experience." at the bottom of the page along with the "choose what i share" button. just sayin' it really looked legit other than the fact that it popped up up out of nowhere... thanks again!!

You noticed the page in thinking it looked like it could be official yet the weird name of the yiomolibertyreserve url did not raise any red flags for you?.

Mozilla does not need to host anything updates/downloads for desktop Firefox related outside of a *.mozilla.org url.

Every one of these disposable Firefox patch scam sites have had a weird name. https://support.mozilla.org/en-US/forums/contributors/712056

How do we stop the pop-up? I've been canceling it, but it is still randomly popping up on my browser. I've searched my computer for the "firefox-patch.js" and I am not finding it. Trying to delete it.

This is normally something external.

Possibly the malverts involved are somehow able to fingerprint and target particular categories of victims, possibly partly in a manner not dissimilar from the way other adverts will be targeted at what are your perceived interests.

By using some sort of script or adblocker you probably reduce the chance of seeing these fake update requests.

• For instance ublock origin https://addons.mozilla.org/firefox/addon/ublock-origin

The problem with trying to block this thing is that it just changes to a new URL. The best that can be done is to keep causing the websites to be shut down, send the following info to abuse@trellian.com Date Time URL Image of the page with the download popup; I use a snipping tool to cut the relative section of the page and paste it into the email.

rdwray said

The problem with trying to block this thing is that it just changes to a new URL. The best that can be done is to keep causing the websites to be shut down, send the following info to abuse@trellian.com Date Time URL Image of the page with the download popup; I use a snipping tool to cut the relative section of the page and paste it into the email.

The sites are registered the day before and then only used for about a day anyways.

It looks like there should be a way to block with the page text because this is the only common thing, it always comes through with "Urgent Firefox update". They may change the text, but it would take a while for the "punk" to catch on.

I would still like to know how this is happening, what on my computer is letting the hacker overwrite another website?

FYI: I only get this scam splash screen when visiting conservative news Websites such as Fox news or Breitbart.

I get it random, sometimes weeks apart and sometimes two days in a row.

The timing of the fake Firefox updates is random, but it is always from visiting conservative news online.

stepan1 said

The timing of the fake Firefox updates is random, but it is always from visiting conservative news online.

Maybe for you, but not for me. The problem is with FF or it would not be happening; reputable websites do not spread malware. They keep thinking they are protecting against attacks with all the changes the make to FF but they don't seem to have a clue as to how these attacks are happening. FF has a bug...

rdwray said

stepan1 said

The timing of the fake Firefox updates is random, but it is always from visiting conservative news online.

Maybe for you, but not for me. The problem is with FF or it would not be happening; reputable websites do not spread malware. They keep thinking they are protecting against attacks with all the changes the make to FF but they don't seem to have a clue as to how these attacks are happening. FF has a bug...

• We are almost 100% certain this is not due to a Firefox bug.
• It may at least in part involve malware on your computer. It certainly increases the risk of you getting malware. Malware that could steal your data or money or both.
• We are also aware that these pages are malware that is undeniable.
• Where do you think they come form? You are getting them off the internet.

The fact that some people do not see these or see these and then get alerts or blocks is due to ad blockers and security software, without those you are at increased risk.

Reputable sites do sometimes get hacked. Many reputable sites do spread advert content. They may need to just to survive. How well are the details of those adverts and their complex scripting and nested redirects checked by the reputable company ? Lets say the I am fairly certain the Company will check they receive the revenue as and when expected, but do they have any incentive to spend - or as they see it waste - money on checking the adverts or whatever that the end user receives.

IE is the most open web browser on the market, so why doesn't this happen to it? For a piece of malware to get on my PC, I would have to download something that contained it or open a contaminated email. This did not start taking place until I installed FF 47 and now it does not matter if I rollback or not, it is still present.

If I did not have so many addons I would do a total removal of FF and start over just to prove my point. The biggest problem is cleaning out the registry.

I have seen people using older versions of Firefox on Windows like Firefox 45.0 (likely ESR) or 43.0.1 if they were using WinXP or Vista and did not update.

It has been elaborate enough that no Firefox user on Mac or Linux has reported a fake urgent Firefox update site yet.

Look even Google Chrome on Windows is getting a fake update page and served a fake patch file also. A longer running thread example. https://productforums.google.com/forum/m/#!topic/chrome/HcXgFFaO9WU

These malware Ads scams can be elaborate as there was one not long ago that was finally shut down. It basically targeted Windows users, and not just any but looked for those who had a oem system and other conditions to make it harder for security researchers to investigate it. http://www.theregister.co.uk/2016/07/28/adgholas_malvertising/

James said

I have seen people using older versions of Firefox on Windows like Firefox 45.0 (likely ESR) or 43.0.1 if they were using WinXP or Vista and did not update. It has been elaborate enough that no Firefox user on Mac or Linux has reported a fake urgent Firefox update site yet. Look even Google Chrome on Windows is getting a fake update page and served a fake patch file also. A longer running thread example. https://productforums.google.com/forum/m/#!topic/chrome/HcXgFFaO9WU These malware Ads scams can be elaborate as there was one not long ago that was finally shut down. It basically targeted Windows users, and not just any but looked for those who had a oem system and other conditions to make it harder for security researchers to investigate it. http://www.theregister.co.uk/2016/07/28/adgholas_malvertising/

I read both the articles and there does not seem to be a solution for the FF problem. I have had a couple of major malwares that took me up to a month to get rid of, but I don't see anything related to this problem and that is what makes me believe that FF (same a Goggle Chrome) has a bug that is being targeted - these seem to be the only browsers that are affected.