This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Malicious attack on a page that looks like Firefox

more options

When I'm looking at a web page via Firefox, the page changes to what looks like a Firefox page with a notice in the middle saying I need an urgent update. I think the site I'm starting from is www.drudgereport.com. But it is a news headline aggregator, so it is covered with links. There are images associated with links, but most of the images are not visible until I turn Tracking Protection off for this instance. The page appears to change to the Firefox warning as I move my mouse, perhaps over a specific link. Norton identifies and blocks the attack: Malicious Exploit Kit Website 41. The Attacker URL is: https://haikohelp.org/81235951262145/150695774880976/firefox-patch.js

Norton notes that "The attack was resulted from C:\Program Files (x86)\Mozilla Firefox\firefox.exe" No further instructions are given. But I've had this event before. Has this attacker changed the firefox.exe file? Why does this event repeat? Is it connected to a specific website that I visit? Thanks for any help.

When I'm looking at a web page via Firefox, the page changes to what looks like a Firefox page with a notice in the middle saying I need an urgent update. I think the site I'm starting from is www.drudgereport.com. But it is a news headline aggregator, so it is covered with links. There are images associated with links, but most of the images are not visible until I turn Tracking Protection off for this instance. The page appears to change to the Firefox warning as I move my mouse, perhaps over a specific link. Norton identifies and blocks the attack: Malicious Exploit Kit Website 41. The Attacker URL is: https://haikohelp.org/81235951262145/150695774880976/firefox-patch.js Norton notes that "The attack was resulted from C:\Program Files (x86)\Mozilla Firefox\firefox.exe" No further instructions are given. But I've had this event before. Has this attacker changed the firefox.exe file? Why does this event repeat? Is it connected to a specific website that I visit? Thanks for any help.

All Replies (2)

more options

Those type of pages can show up anywhere.

. Whenever you get a message / popup that software / files need to be updated;

DO NOT USE ANY OF THE PROVIDED LINKS

While this may be a legitimate message, it could also be Malware or a Virus. Anytime you want or need to check for upgrades, go to the website of the True Owner of the program in question. For example, to check out Firefox, go to https://www.mozilla.org {web link}

You can report such a site at; Google Report Phishing Page {web link} which is the same when done while on site by going to Help > Report Web Forgery

Help us safeguard Mozilla’s trademarks by reporting misuse {web link}

For almost a year, an epidemic of Fake Update Notices have been popping up all over the place. https://support.mozilla.org/en-US/kb/forum-response-i-found-fake-firefox-update

more options

Kudos to Norton!

I've never seen this myself (due to minimizing the amount of ads I view), but moving the cursor over something may be triggering a script that navigates the page to the phishing/malware distribution site. If you never open the .js file or run the .exe file (as the case may be), you do not get infected.

The challenge is that these sites change addresses every day, so the built-in bad site blocker cannot keep up. You could consider using an ad-blocking extension to reduce your exposure. This one is highly regarded: https://addons.mozilla.org/firefox/addon/ublock-origin/ (but like Tracking Protection, you'll occasionally need to make some exceptions).