Malicious site exploits offline mode to force users to download fake antivirus tool

VERIFIED INVALID

Status

Firefox
Security
VERIFIED INVALID
10 years ago
7 years ago

People

(Reporter: carlp, Unassigned)

Tracking

3.0 Branch
x86
Windows XP

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

Firefox offline mode should not be adjustable by JavaScript on a web page.

Right now lots of people are downloading from 
MALICIOUS SITE 
http://scan.powerantivirus2009.com/?aff=1539

described at 

http://www.2-spyware.com/remove-powerantivirus2009.html

and the reason they think they "need" to download the bogus software is that their browser "stops working" because it is in Offline mode.  

Very sneaky, and the browser should not have allowed itself to be put in offline mode.  

Reproducible: Always

Steps to Reproduce:
1. Go to malicious site above.
2. Verify that browser is in offline mode.
Actual Results:  
offline mode 

Expected Results:  
Message
"do you really want to go to offline mode"  
or 
"malicious website detected."

Comment 1

It doesn't switch my Firefox 3.01 into Offline mode.
If you are in offline mode, how would you be able to download software?
I see only a JavaScript alert with "your system is slower than usual....."

Component: Phishing Protection → Security
QA Contact: phishing.protection → firefox

Comment 2

I sent a note to Google about this page. I hope they will include it in their safebrowsing/phishing database, and Firefox, as a user of this database, will block it.

(Reporter)

Comment 3

10 years ago
Clarification: The browser went into "Offline Mode" just after the trojan payload file download had been completed and Firefox was asking (in my case) where to save it.

Clearly it would not make much sense to make the browser offline BEFORE downloading the trojan.  

The browser also disappointed me by naming the file incorrectly IMO. In the form I directed that it be named "whatever.exe.off" instead of "whatever.exe" to guard against accidental execution. But the browser redid the hazardous choice, saving the file as "whatever.exe.off.exe".
We must be very careful not to save files as executables when the user doesn't expect it! Dropping executables in the wrong directory can get them to be run automatically, soon or at reboot. Never add an executable suffix without the users' knowledge! I assume the MIME type was used to add the "correct" suffix, contradicting the suffix I chose.
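
The renaming described in comment 3, as an added example that is not part of the bug report and is not Firefox code: it takes the reporter's assumption that the suffix came from the MIME type, and sets that behaviour beside a policy where the typed name wins and an executable suffix is never appended. The MIME table, the executable list and all function names are constructed for this illustration.

```javascript
// Added illustration, not Firefox code. Both tables are constructed samples.
const MIME_DEFAULT_EXT = {
  "application/x-msdownload": "exe",
  "application/pdf": "pdf",
  "text/html": "html",
};
const EXECUTABLE_EXTS = new Set(["exe", "com", "scr", "bat", "cmd", "pif", "msi"]);

// Last extension of a name, lowercased; "" when there is none.
// Trailing dots and spaces are trimmed first so "x.exe. " still counts as exe.
function lastExt(name) {
  const trimmed = name.replace(/[. ]+$/, "");
  const dot = trimmed.lastIndexOf(".");
  return dot > 0 ? trimmed.slice(dot + 1).toLowerCase() : "";
}

// Behaviour the comment assumes: force the MIME type's extension onto the name.
function naiveSaveName(userName, mimeType) {
  const want = MIME_DEFAULT_EXT[mimeType];
  if (!want || lastExt(userName) === want) return userName;
  return `${userName}.${want}`;
}

// Hardened policy: the name the user typed wins. An extension is appended only
// when the name has none at all and the extension is not an executable one.
function safeSaveName(userName, mimeType) {
  const want = MIME_DEFAULT_EXT[mimeType];
  if (!want || lastExt(userName) !== "" || EXECUTABLE_EXTS.has(want)) return userName;
  return `${userName}.${want}`;
}

// Check for the save path: did the final name gain an executable extension
// that the user's own choice did not have? If so, ask before writing the file.
function gainedExecutableExt(userName, finalName) {
  const before = lastExt(userName);
  const after = lastExt(finalName);
  return EXECUTABLE_EXTS.has(after) && before !== after;
}
```
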

Comment 4

10 years ago
carlp, can you file a separate bug report about ".exe" being added at an inappropriate time?  You should be able to use https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/3.0/win32/en-US/ as a testcase.

Comment 5

8 years ago
(In reply to comment #1)
> It doesn't switch my Firefox 3.01 into Offline mode.
> If you are in offline mode, how would you be able to download software?
> I see only a JavaScript alert with "your system is slower than usual....."

So this is INVALID?

Updated

7 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
Status: RESOLVED → VERIFIED
Version: unspecified → 3.0 Branch