Which advertiser is sending me to the fake firefox-patch.exe?

  • 23 replies
  • 16 have this problem
  • 4 views
  • Last reply by billvolt

Several times while visiting a particular news website over the past few weeks, I've seen Firefox displaying a page alerting me to an "Urgent Firefox update" and showing a popup window that reads "You've chosen to open: firefox-patch.exe ... Would you like to save this file?" I expect the page's URL changes, but today it is: https://ohxicfamilybuilder.org/7211825690889/ffdf1b548fd8e3f1a37cdd6f2b903abd.html

I believe this is a fake patch containing malware. I suspect that either a paying advertiser or the news site itself has been hacked and had malicious code inserted which is then propagating this redirect.

I'd like to know how I can get Firefox to help me trace the code that took me to this malware page. Fiddler might work well if I ran it all the time, but I don't. Are there steps I might take after the fact to trace the source of the link to the malware?


All Replies (20)

Here's a screen capture of the page.

Good eye spotting that fake "update"!!

Mozilla doesn't issue "patches" via .exe files for updates, and definitely not from a non-Mozilla domain.

In the future, if you get something like that, use Help > Report Web Forgery... to report the phishing URL to get it added to the blocklist ASAP. https://www.google.com/safebrowsing/report_phish/

When you do that within Firefox the URL will be captured automatically and entered into that "form" page. Deal with the reCAPTCHA, add a comment (if you care to) and Submit it.

the-edmeister said

In the future, if you get something like that, use Help > Report Web Forgery... to report the phishing URL to get it added to the blocklist ASAP. https://www.google.com/safebrowsing/report_phish/ When you do that within Firefox the URL will be captured automatically and entered into that "form" page. Deal with the reCAPTCHA, add a comment (if you care to) and Submit it.

Thanks, edmeister. That's a step in the right direction, but I was hoping to go one level deeper. There could be an infinite supply of virtual web servers with meaningless domain names used to host these fake patches. I want to know where the link is between the legit servers and the malicious servers. Simply reporting the URL of one malware host server is like taking a street-level dealer off the street--it slows the flow momentarily but doesn't stop anything.

Mozilla is in a very special position to track the source of links to sites hosting malware targeting Firefox. I've just discovered that Firefox's "View Page Info" shows the referrer. I'll be sure to check that next time. Hopefully it will show the URL of the offending script as opposed to the URL of the HTML content page.

You can also report at https://www.mozilla.org/legal/fraud-report/ as a distributing Firefox/malware. This url is on bottom of many mozilla.org pages.

You can also try to report at http://publicdomainregistry.com/report-abuse-2/ since they have been the Registrar for these spam sites and may not be aware of his misuse.

The person(s) behind this site has been registering the fake Firefox updates sites even only a day before they got reported on forum here.

For example https://www.scamadviser.com/check-website/ohxicfamilybuilder.org

Normally these fake Firefox update sites much like this one over the last few years have come and gone. This time around the individual(s) behind this scam has been more aggressive.

The image below shows a page from another site offering the same fake update. Firefox's Referring URL shows the same URL as the page, so that's not helpful.

I searched my cache folder at %USERPROFILE%\AppData\Local\Mozilla\Firefox\Profiles and found several files containing the domain name. It's hard to decode. Possibly all of these are files from the malware site rather than external references to it.

It would be helpful to have a log that showed, for every URL accessed, which bit of HTML or JS requested that URL. To be really useful, it would probably have to show the call stack.

Hi billvolt,

I see you're using Windows. Do you have any good trusted AV software on your PC? Which one? Could you please provide a few links to the websites which redirect you to that fake update?

You didn't by chance download the exe file that page offered so that we can submit it to anti-virus vendors for analysis did you? I think that will be our best bet to fix this issue.

Tyler Downer said

You didn't by chance download the exe file that page offered so that we can submit it to anti-virus vendors for analysis did you? I think that will be our best bet to fix this issue.

Haven't downloaded it yet. That's a good suggestion, but it's not the best bet. The best bet is to counter this recurring problem with an all-of-the-above response. Yes, antimalware plays a part. Yes, reporting the ever-changing URLs plays a part.

But also, Mozilla should play a part. Mozilla should play a part not only because the attacker is using Firefox's name as a means for social engineering. Mozilla should play a part because it has the unique ability to tell Firefox users how they are being directed to malware URLs.

Artem Polivanchuk said

Could you please provide a few links to the websites which redirect you to that fake update?

Links are above in original post and image of follow-up post.

We are working on this, however this person is registering new URLs every day, and abandoning those which get reported. That means this isn't something Firefox itself can really block (we already have anti-phishing and malware protection) and we need to work with our anti-virus partners to block the actual exe.

Tyler Downer said

this isn't something Firefox itself can really block

You're correct. Mozilla can't block this. What Mozilla can do, however, is help to expose infected legitimate websites that are directing unsuspecting users to malware. All anti-malware software can do is keep up with yesterday's versions of infinitely- and constantly-changing variations of a malware doing the same malicious thing. Some users get infected before the new malware flavor is found. URL blacklists have the same limitation. They're always a step behind, so users will get infected from newly-established URLs.

These malware URLs are coming from sites apparently legitimate. Because neither the visitors nor the admins know these are infected, the infections are likely to stay active forever, always pointing to another malware source.

Exposing the legitimate websites that are unknowingly spreading malware seems far more effective than playing keep-up with virus signatures and URL blacklists. Just saying...

billvolt said

Links are above in original post and image of follow-up post.

Yes, I have tried to check those links but they do not exist. Is that a direct link you were trying to visit? You mentioned a particular news website. So I'm asking about the URL of that website.

Artem Polivanchuk said

Yes, I have tried to check those links but they do not exist. Is that a direct link you were trying to visit?

Correct. These malware hosts are perhaps short-lived.

You mentioned a particular news website. So I'm asking about the URL of that website.

I don't want to publicly name a news outlet as a malware vector without evidence that their own content was infected as opposed to externally-hosted advertising content.

Every day or two lately people are reporting a new site. The previous sites may not be reported after either because it was taken down or abandoned in a disposable fashion.

I started a thread on all of the sites I found reported so far in serving the fake Firefox patch/update .exe and to start discussion on what is cause and what can be done https://support.mozilla.org/en-US/forums/contributors/712056

Edited by James

Tyler Downer said

You didn't by chance download the exe file that page offered so that we can submit it to anti-virus vendors for analysis did you? I think that will be our best bet to fix this issue.

I have just downloaded the file. Where do you want it?

This came from a new URL: https://ooveefreelink.org/8981825690889/d2e0345e1176810a5e0b6db1806ec839.html

billvolt said

I don't want to publicly name a news outlet as a malware vector without evidence that their own content was infected as opposed to externally-hosted advertising content.

So how do we have to check whether that website has a problem or it might be caused by your machine then?

All the links provided above do not exist and that's the case since those are fake websites.

Edited by Artem Polivanchuk

billvolt said

I have just downloaded the file. Where do you want it?

You can scan the file using https://www.virustotal.com/ and publish a link to the results.

Edited by Artem Polivanchuk

Artem Polivanchuk said

billvolt said
I don't want to publicly name a news outlet as a malware vector without evidence that their own content was infected as opposed to externally-hosted advertising content.

So how do we have to check whether that website has a problem or it might be caused by your machine then?

The point I'm trying to make is that the Firefox software knows where it gets its links from. I am proposing that Mozilla either provide documentation of an existing feature that exposes a log of this, or that Mozilla adds a feature to provide such a log. This log would make it possible--when viewing a page that collects HTML, JS, and Flash files from multiple servers--to learn which of the files included the code that sent Firefox to the malware site.

I just sent you a PM with an e-mail to send the file to. Thanks!

As for your idea, I'm afraid that is both too complex to solve this issue, and something that can't be done quickly enough anyway. There are some logging tools in developer tools that would show these sorts of things, but they are far too complex for typical users.
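An added example, not part of the original thread and not a Mozilla tool: given a HAR file saved from the developer tools' Network panel while the redirect happened, this Python script walks back from the fake-update URL through redirect and Referer evidence to the first off-site frame that the visited page loaded. The capture and every hostname below are constructed placeholders, and Referer identifies the requesting document or frame rather than the individual script.

```python
from urllib.parse import urljoin, urlsplit

def _entry(url, referer=None, redirect=""):
    """Build a minimal HAR 1.2 entry (constructed sample data)."""
    headers = [{"name": "Referer", "value": referer}] if referer else []
    return {"request": {"url": url, "headers": headers},
            "response": {"redirectURL": redirect}}

# Constructed capture; every hostname is a placeholder, none is from the thread.
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://news.example/story"),
    _entry("https://ads.example/frame.html", "https://news.example/story"),
    _entry("https://ads.example/click?id=1", "https://ads.example/frame.html",
           redirect="https://update.invalid/landing.html"),
    _entry("https://update.invalid/landing.html", "https://ads.example/frame.html"),
    _entry("https://update.invalid/firefox-patch.exe",
           "https://update.invalid/landing.html"),
    # Self-referring page, like the "Referring URL" observed in the thread.
    _entry("https://self.invalid/p.html", "https://self.invalid/p.html"),
]}}

def build_parents(har):
    """Map each URL to (parent URL, evidence) from redirects, then Referer."""
    parents, entries = {}, har["log"]["entries"]
    for e in entries:  # a redirect is the strongest evidence of who sent us
        target = e["response"].get("redirectURL")
        if target:
            src = e["request"]["url"]
            parents[urljoin(src, target)] = (src, "redirect")
    for e in entries:  # Referer names the requesting document or frame
        url = e["request"]["url"]
        ref = next((h["value"] for h in e["request"]["headers"]
                    if h["name"].lower() == "referer"), None)
        if ref and ref != url:  # a self-referrer carries no information
            parents.setdefault(url, (ref, "referer"))
    return parents

def trace(har, suspect_url):
    """Walk from the suspect URL back toward the page the user opened."""
    parents = build_parents(har)
    chain, seen, url = [(suspect_url, "suspect")], {suspect_url}, suspect_url
    while url in parents:
        url, evidence = parents[url]
        if url in seen:  # stop on referrer loops
            break
        seen.add(url)
        chain.append((url, evidence))
    return chain

def handoff(chain):
    """First off-site URL the visited page pulled in (chain is suspect-first)."""
    site = urlsplit(chain[-1][0]).hostname
    return next((u for u, _ in reversed(chain)
                 if urlsplit(u).hostname != site), None)
```

When a strict referrer policy or a self-referring landing page removes the Referer evidence, the chain simply ends early, which is the limitation billvolt ran into with View Page Info.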

Tyler Downer said

As for your idea, I'm afraid that is both too complex to solve this issue, and something that can't be done quickly enough anyway.

Within the narrowest scope of this issue (firefox-patch.exe), you're probably correct. If one takes a broader view, perhaps this is critical to actually tracking browser-downloaded malware to its source and countering its dissemination. If so, perhaps it's cheap and easy relative to the result.

Imagine if the millions of Firefox users could opt-in to reporting in real-time the sites that are sending them to blacklisted URLs. The blacklist could rapidly expand to include the bad actors lurking in the shadows of legitimate sites. This could take a big bite out of the Internet crime.

I understand that Mozilla doesn't have the market share it once had. Such an ambitious response might require the resources of Google or Microsoft.

Is there any chance you could just delete this thread for me? I need to talk to a patent attorney.

Thanks!
