I received an "urgent Firefox Patch" notitification: is this legitimate?
Couldn't open original download ("Blocked Publisher" notification). This morning, I received a second notification from a different URL. Smells like a malware scam to me.
Réiteach roghnaithe
No it is not legit. The fake updates exe can install things like trojans, viruses or unwanted software based on past reports.
The desktop Firefox is not just for Windows as it is for Mac OSX and Linux also so .exe would not be an effective way to send out Firefox updates. The updates are done internally in Firefox with a .mar file or by download from mozilla.org like say www.mozilla.org/firefox/all/
Even if Mozilla were to use .exe for Firefox updates on Windows, they would be serving them from a *.mozilla.org url and not from random websites with weird names.
Read this answer in context 👍 574All Replies (15)
I have received at least 3 of these alerts lately. All of them were when I was on the ProBoards.com site. Naturally their support forum directs us to Mozilla support.
I can easily delete them but they sure would be convincing to some more naive internet users.
On 08/30/16 I got a web page that popped up in a tab looking like an official Firefox site stating "urgent Firefox update download now" with a URL of xxhttps://eumahdcamb.net/2632733329444/44b4e409973c5688676b84bb1xx (I added the "xx"). I hovered my mouse over the download button and it showed firefox_update.js from the same URL. If I go to that site now I get a blank page.
Note that it is https -secured site and firefox address bar showed the green padlock. "verified by comodo CA limited" So much for a secured site being safe . . . I called comodo support but because of hie accent I couldn't understand the tech so he asked me to send an email to comodo support - I sent them all of this.
The next day 08/31/16 I just got a small popup outside of any web page "Opening firefox-patch.js", "you have chosen to open: firefox-patch.js, which is JavaScript File (2.6kb) from: https://eumahdcamb.net, would you like to save this file?, Save file (button) and cancel (button)".
I decided to do a whois (https://whois.icann.org/en) on both domains.
Domain Name: EUMAHDCAMB.NET Registry Domain ID: 2056069997_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.publicdomainregistry.com Registrar URL: www.publicdomainregistry.com Updated Date: 2016-08-30T08:24:40Z Creation Date: 2016-08-30T08:24:39Z Registrar Registration Expiration Date: 2017-08-30T08:24:39Z Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com Registrar IANA ID: 303
I have the rest of the details but I omitted the rest of the info because I think it may have been either fake or someones ID that was stolen. I figured that it would all be gone by now (about 12 hours later) but at 12:14AM EST on 09/01/16 all the info is still there for that domain.
BTW, note the creation date - 08/30/16
for eumahdcamb.net there was no information. I am sure there would have been if I would have checked it the day before at the firs instance. But I assume the site was removed by ICANN or someone because of complaints.
Th th th that's all folks (Sylvester the cat if you don't know who that is you're to young LOL cartoon character - google it)
Update 09/09/16 1) 2 paragraphs above I meant to say that there was no information for "EEMEILEBEST.NET" (vs. eumahdcamb.net). -there is domain registrar information for EEMEILEBEST.NET now.
2) All the whois information for eumahdcamb.net has completely changed to another domain owner, country, etc..
3) Both EEMEILEBEST.NET and eumahdcamb.net are now what appears to be registered to the same owner in the Czech Republic. (see below). I also uploaded the screenshot of the first firefoxupdate.js instance I had on 08/30/16. It looks the same except for the domain in the URL. Both domains are on the website that was mentioned as fake: https://support.mozilla.org/en-US/forums/contributors/712056
4) I am not sure what all this means. Did someone hack the whois database or an upstream DNS server, etc.??? I am not going to worry about it anymore at this time unless I get another firefox (or whatever) update popup again.
5) I think as long as you don't click on the 'download' button; your safe . . . I THINK. I also did an AV scan with Symantec Endpoint Protection 12 (SEP 12) at both instances with nothing found - but no AV app catches everything.
The complete WHOIS listing owner of both of the domains mentioned in this post:
Raw WHOIS Record Domain Name: eumahdcamb.net Registry Domain ID: Registrar WHOIS Server: whois.regtons.com Registrar URL: http://regtons.com Updated Date: Creation Date: 2016-09-05T00:00:00Z Registrar Registration Expiration Date: 2017-09-05T00:00:00Z Registrar: GRANSY S.R.O D/B/A SUBREG.CZ Registrar IANA ID: 1505 Registrar Abuse Contact Email: abuse@regtons.com Registrar Abuse Contact Phone: +420.734463373 Reseller: Registry Registrant ID: PRIVACY_PROTECTION Registrant Name: Domain Admin Registrant Organization: Whois protection, this company does not own this domain name s.r.o. Registrant Street: Jaurisova 515/4 Registrant City: Praha 4 Registrant State/Province: Registrant Postal Code: 14000 Registrant Country: CZ Registrant Phone: +420.226517351 Registrant Phone Ext: Registrant Fax: +420.226517341 Registrant Fax Ext: Registrant Email: eumahdcamb.net@fablovkawhoisprotection.com Registry Admin ID: PRIVACY_PROTECTION Admin Name: Domain Admin Admin Organization: Whois protection, this company does not own this domain name s.r.o. Admin Street: Jaurisova 515/4 Admin City: Praha 4 Admin State/Province: Admin Postal Code: 14000 Admin Country: CZ Admin Phone: +420.226517351 Admin Phone Ext: Admin Fax: +420.226517341 Admin Fax Ext: Admin Email: eumahdcamb.net@fablovkawhoisprotection.com Registry Tech ID: PRIVACY_PROTECTION Tech Name: Domain Admin Tech Organization: Whois protection, this company does not own this domain name s.r.o. Tech Street: Jaurisova 515/4 Tech City: Praha 4 Tech State/Province: Tech Postal Code: 14000 Tech Country: CZ Tech Phone: +420.226517351 Tech Phone Ext: Tech Fax: +420.226517341 Tech Fax Ext: Tech Email: eumahdcamb.net@fablovkawhoisprotection.com Name Server: ns1.localhosty.com Name Server: ns2.localhosty.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2016-09-09T17:00:00Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
The Data in Gransy s.r.o. WHOIS database is provided by Gransy s.r.o. for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Gransy s.r.o. does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, fax (spam); or (2) enable high volume, automated, electronic processes that apply to Gransy s.r.o. (or its systems).
Gransy s.r.o. reserves the right to modify these terms at any time. Gransy s.r.o. reserves the right to terminate your access to the WHOIS database in its sole discretion for any violations by you of these terms of use. By submitting this query, you agree to abide by this policy.
Domain Name: eemeilebest.net Registry Domain ID: Registrar WHOIS Server: whois.regtons.com Registrar URL: http://regtons.com Updated Date: Creation Date: 2016-09-02T00:00:00Z Registrar Registration Expiration Date: 2017-09-02T00:00:00Z Registrar: GRANSY S.R.O D/B/A SUBREG.CZ Registrar IANA ID: 1505 Registrar Abuse Contact Email: abuse@regtons.com Registrar Abuse Contact Phone: +420.734463373 Reseller: Registry Registrant ID: PRIVACY_PROTECTION Registrant Name: Domain Admin Registrant Organization: Whois protection, this company does not own this domain name s.r.o. Registrant Street: Jaurisova 515/4 Registrant City: Praha 4 Registrant State/Province: Registrant Postal Code: 14000 Registrant Country: CZ Registrant Phone: +420.226517351 Registrant Phone Ext: Registrant Fax: +420.226517341 Registrant Fax Ext: Registrant Email: eemeilebest.net@fablovkawhoisprotection.com Registry Admin ID: PRIVACY_PROTECTION Admin Name: Domain Admin Admin Organization: Whois protection, this company does not own this domain name s.r.o. Admin Street: Jaurisova 515/4 Admin City: Praha 4 Admin State/Province: Admin Postal Code: 14000 Admin Country: CZ Admin Phone: +420.226517351 Admin Phone Ext: Admin Fax: +420.226517341 Admin Fax Ext: Admin Email: eemeilebest.net@fablovkawhoisprotection.com Registry Tech ID: PRIVACY_PROTECTION Tech Name: Domain Admin Tech Organization: Whois protection, this company does not own this domain name s.r.o. Tech Street: Jaurisova 515/4 Tech City: Praha 4 Tech State/Province: Tech Postal Code: 14000 Tech Country: CZ Tech Phone: +420.226517351 Tech Phone Ext: Tech Fax: +420.226517341 Tech Fax Ext: Tech Email: eemeilebest.net@fablovkawhoisprotection.com Name Server: ns1.localhosty.com Name Server: ns2.localhosty.com DNSSEC: unsigned URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/ >>> Last update of WHOIS database: 2016-09-09T18:00:00Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
The Data in Gransy s.r.o. WHOIS database is provided by Gransy s.r.o. for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. Gransy s.r.o. does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to:
(1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail, telephone, fax (spam); or (2) enable high volume, automated, electronic processes that apply to Gransy s.r.o. (or its systems).
Gransy s.r.o. reserves the right to modify these terms at any time. Gransy s.r.o. reserves the right to terminate your access to the WHOIS database in its sole discretion for any violations by you of these terms of use. By submitting this query, you agree to abide by this policy.
Athraithe ag Chemung ar
Chemung said
Th th th that's all folks (Sylvester the cat if you don't know who that is you're to young LOL cartoon character - google it)
Porky the Pig said "Th Th That's all folks"!
Sylvester the Cat key phrase was Sufferin Succotash! https://www.youtube.com/watch?v=PkhPuH8G5Hg
And who said "Bad old Puddy Cat"? https://www.youtube.com/watch?v=D9_iIoD1FN4
I was born in that last year of the first half of the last century.
Athraithe ag the-edmeister ar
ooops, You got me there. My bad. LOL
In my defense - it's 1AM here in Michigan and it's been a long day. . .
Well the rest of the info was pretty accurate . . .
Thanks! - and have a good one
Oh yeah, the quote. Wasn't that Tweedy Bird?
. . . wow, this is odd.
From the whois listing: Domain Name: EUMAHDCAMB.NET Registry Domain ID: 2056069997_DOMAIN_NET-VRSN Registrar WHOIS Server: whois.publicdomainregistry.com (see screenshot of this website below) Registrar URL: www.publicdomainregistry.com . . . . .
I entered this URL: whois.publicdomainregistry.com and get this (attached)
Hi Chemung, the web whois is at
https://publicdomainregistry.com/whois/
I think the other host is for port 43 access, which doesn't use SSL. Firefox's implementation of HSTS sometimes forces HTTPS where it doesn't work.
Chemung said
BTW, note the creation date - 08/30/16 But I assume the site was removed by ICANN or someone because of complaints.
Nothing new for these sites to be created within a day of it getting reported here. They are disposable as nobody reports the site after a day period.
You can see the growing list of these disposable sites at https://support.mozilla.org/en-US/forums/contributors/712056
Many of these sites have been used to serve fake updates to Google Chrome users on Windows also.
I just got this same large full page pop up too. Here is the screenshot. What I thought is weird is that the URL has a ':https"; which is odd because when there is an "s" after the "http", that usually means some sort of security. And by no means is this pop up I just got real. It must be malware, though I did not open or click anywhere. I was on A regular website and clicked on a link within that site when this bogus firefox popped up. Do not open anything. Just close the page.
I scanned using malware bytes and nothing comes up with malware or anything, so I dont know which program to scan I should use next.
I just got one from here: https://ahwernaked-sluts.net/962841461558/8a6f8b23c6ddcd192fcdb6e1c0919808.html
jeanettefriedman said
Does anyone have the name of the file?
Yes, firefox_patch.js zohxibloggfamiljen.net
I got this 2 or 3 times. Didn't click Download. I saved it to file but didn't download. When I read this I erased the save I made to file. Glad I read this.
I foolishly (half asleep) received, downloaded and INSTALLED the urgent (fake) firefox update. It came for the site below, and I still have a copy of the .js file if someone can examine it and determine what it is and how to cleanse my machine of this. MY BAD!!! And thank you for any assistance.
https://geifiisango.net/410849213806/1476191156427735/firefox-patch.js
Hi pwgarcia, if your security software did not stop the process, it likely installed an infection into the Windows registry. Please use the free (or trial) version of Malwarebytes Anti-Malware to see whether that clears it.
https://www.malwarebytes.com/mwb-download/
That infection may operate independently or it may download other malware. There are numerous other cleaning tools listed in our support article, as well as links to specialized forums that can walk you through using advanced programs: Troubleshoot Firefox issues caused by malware.
James said
Yes this fake Firefox update .exe is not a new thing though normally it came and went. Recently it has been more aggressive as some users posted they got this from websites that was only registered a day or two earlier.
Yes it has I have NEVER seen this till about 2 weeks ago