Fake Firefox update tab

Fake Firefox update tab

Post by Kyowash »

A pop-up appeared out of the blue saying I required a manual installation:
[Screenshot: fakeupdate.png]
The web-page appeared in the system's language. It says I must install a mandatory update.
The URL wasn't obviously from Mozilla (don't open this): http://defenderblockerext.xyz/ff/?_subid=2fu23ah1a2lita9mcnsa&_token=uuid_2fu23ah1a2lita9mcnsa_2fu23ah1a2lita9mcnsa5a5fb21119a097.54630489

What should I do? I haven't installed or downloaded anything, and thanks to NoScript the site wasn't viewed at all (though I had to temporarily allow scripts because I had no idea what was going on). How could I check if I was attacked or if there's anything wrong?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Cosmo.
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: Fake Firefox update tab

Post by Cosmo. »

Not following this "advice" was the only correct reaction. What you could do is use the built-in function to report the site: menu icon -> help icon -> report fraudulent sites.

As you did not say which version of the browser you use, nothing more can be said.
BigEasy
Level 6
Posts: 1282
Joined: Mon Nov 24, 2014 9:17 am
Location: Chrząszczyżewoszyce, powiat Łękołody

Re: Fake Firefox update tab

Post by BigEasy »

Kyowash wrote: What should I do?
If you already know that it is a "Fake Firefox update tab", then what's the question? There are only two possible choices:
1. Click on the fake update and wait to see what happens when the "fake update" has finished.
2. Do not click the fake update and close the tab.

So, now it is my turn to ask a question: which decision is correct?
Windows assumes I'm stupid but Linux demands proof of it
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Fake Firefox update tab

Post by thx-1138 »

Kyowash wrote: (though I had to temporarily allow scripts because I had no idea what was going on).
You should never ever turn scripting on, even more so when you stumble upon sites where you have no idea what's going on...

From a very quick'n'dirty check - it downloads & attempts to install:
hxxp://defenderblockerext.xyz/ff/ff_defender_blocker-7.1.1-an+fx.xpi
It also adds some tracking cookies (megarealext.biz), and verifies back it did so.
Current VT results for the .xpi:
https://www.virustotal.com/#/url/63f59a ... /detection
Which means AV failure for the time being - they'll probably add it to databases a few days later...

I didn't bother manually dl-ing and checking the .xpi further...

So, just in case:
1) Clear your .cache/mozilla/ folder...
2) Check your .mozilla folder for possibly unknown .xpi extensions...
3) Remove any possibly existing cookies from the aforementioned domains...
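
Steps 2 and 3 of the checklist above can be scripted. The following is an added example, not part of thx-1138's post: it assumes the usual Linux profile layout (~/.mozilla/firefox/<profile>/ holding extensions.json, an extensions/ directory and cookies.sqlite) and checks only the two domains named in the thread.

```python
import json
import sqlite3
from pathlib import Path
from urllib.parse import urlparse

# Domains named in the thread; everything else here is an assumption about
# the standard Firefox profile layout on Linux.
SUSPECT_DOMAINS = ("defenderblockerext.xyz", "megarealext.biz")

def is_suspect_host(host):
    """True for a suspect domain or any subdomain (cookie hosts may start with '.')."""
    host = (host or "").lower().lstrip(".")
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

def audit_extensions(profile):
    """Flag add-ons whose sourceURI is on a suspect domain, and .xpi files
    in extensions/ that extensions.json has no record of."""
    profile, findings, registered = Path(profile), [], set()
    registry = profile / "extensions.json"
    if registry.is_file():
        addons = json.loads(registry.read_text(encoding="utf-8")).get("addons", [])
        for addon in addons:
            registered.add(addon.get("id"))
            if is_suspect_host(urlparse(addon.get("sourceURI") or "").hostname):
                findings.append(("suspect-source", addon.get("id")))
    for xpi in sorted((profile / "extensions").glob("*.xpi")):
        if xpi.stem not in registered:  # files are named <add-on id>.xpi
            findings.append(("unregistered-xpi", xpi.name))
    return findings

def audit_cookies(profile):
    """Return the cookie hosts in cookies.sqlite that match a suspect domain."""
    db = Path(profile) / "cookies.sqlite"
    if not db.is_file():
        return []
    # Read-only and immutable: no locks taken, the file is never modified.
    con = sqlite3.connect(db.resolve().as_uri() + "?mode=ro&immutable=1", uri=True)
    try:
        hosts = {row[0] for row in con.execute("SELECT host FROM moz_cookies")}
    finally:
        con.close()
    return sorted(h for h in hosts if is_suspect_host(h))

if __name__ == "__main__":
    for profile in sorted(Path.home().glob(".mozilla/firefox/*")):
        if (profile / "extensions.json").is_file():
            print(profile.name, audit_extensions(profile), audit_cookies(profile))
```

Run it with Firefox closed so that pending cookie writes have reached cookies.sqlite; an empty pair of lists means neither indicator was found in that profile.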
Flemur
Level 20
Posts: 10096
Joined: Mon Aug 20, 2012 9:41 pm
Location: Potemkin Village

Re: Fake Firefox update tab

Post by Flemur »

$ whois defenderblockerext.xyz
...
Registrant Street: PO box 87, REG.RU Protection Service
Registrant City: Moscow
Registrant State/Province:
Registrant Postal Code: 123007
Registrant Country: RU
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Joe2Shoe
Level 5
Posts: 850
Joined: Wed Oct 18, 2017 8:12 pm
Location: Ozone

Re: Fake Firefox update tab

Post by Joe2Shoe »

I installed ScriptSafe just to stop that malarkey. Why don't those knuckleheads get a real job? They could make vodka or peel potatoes. :lol:
"Tolerance is the refuge of men without conviction."
"Common sense is not so common" - Voltaire
thx-1138
Level 8
Posts: 2092
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: Fake Firefox update tab

Post by thx-1138 »

Joe2Shoe wrote: Why don't those knuckleheads get a real job?
Because they make more money this way...
Joe2Shoe wrote: They could make vodka or peel potatoes. :lol:
They could equally also make whiskey and prepare hamburgers, or serve tea & fish&chips, or drink ouzo & eat souvlaki...
The tracking cookie is served from California, and the site's IP address is located in London.
DAMIEN1307

Re: Fake Firefox update tab

Post by DAMIEN1307 »

There is a Firefox extension that is causing this fake manual update to appear... it is hiding a cryptominer... DAMIEN

https://fossbytes.com/image-previwer-fi ... pto-miner/