Possible Phishing Attack This Morning

I don't use Firefox, but I also don't delete it from my installations, in case I ever want/need a second browser for some reason. And although I'd changed the default browser on my Xfce laptop to Vivaldi, it's possible that the change wasn't in effect for Thunderbird yet, because when I clicked on a routine email that contained links to news articles (all expected) Thunderbird launched Firefox instead of Vivaldi, and that's when the problems started.

Several windows were opened, purportedly from McAfee, telling me that there are 5 Linux viruses on my system, and I needed to subscribe to McAfee right away to get rid of them. Naturally, I didn't click to subscribe, didn't provide any credit card information, or anything like that, and I used eopkg to remove Firefox, deleted three messages with a spurious "from" address from my inbox, and I'm pretty sure that laptop is cleaned up now.

But in the process, it emptied my inbox history. I use IMAP email, so those messages were deleted from the email server, and I won't see them again. Fortunately, the phishing scheme didn't know about all the other folders that my incoming emails are automatically moved to by inbox rules. So none of those were affected. What was in my inbox were just emails that aren't important to copy to another folder, so it's no big deal.

I was hesitant to send this message, because I don't want to alarm a bunch of Firefox users here, but I also don't want to see a lot of you getting your inboxes (Thunderbird) cleaned out by such a scheme. I'm not sure what to tell you to look out for, because the email I clicked on was an innocent one from a source I get news articles from every morning. I clicked on one of those articles, causing Thunderbird to launch Firefox, and that's when the trouble started. So I didn't see it as an email from McAfee, or I would have been suspicious, and would not have opened it.

About all I can suggest is that you're very careful clicking on any link that might cause Firefox to be launched. If anyone has further advice or you've been hit by this thing, let us know. As I said, I've removed Firefox from my Xfce laptop, and checked to be sure that Thunderbird is properly launching Vivaldi now, but for now, that's about all I can tell you.

    Related? On Xfce my Firefox launches on boot. I haven't set this or added this in Xfce autostart, and I can't find a Firefox setting for this. It's driving me crazy. I may remove my own Xfce Firefox and reinstall.

    Appreciate your PSA.

    I don't think removing Firefox was necessary. Was Firefox (and system) up-to-date?

      WetGeek
      After deinstallation of Firefox:
      did you also manually delete the /.mozilla-directories in your home directory and in /.cache?
      Because these remain even after deinstallation.
      So just in case, to be sure, you can delete them.

      Right now I am also thinking about the question of how I could check if my machines might have some malware on the Master Boot Record, or wherever. But I have no idea how I could manage that...

      WetGeek Along those lines, I've got two file managers. I have one program, don't remember
      what it is at the moment, but it launches the alternate file manager; everything else uses the default.
      Not sure why that is, never really looked into it.
      So for some reason it happens.

      Solarmass I don't think removing Firefox was necessary,

      Since I don't use Firefox, it was an easy decision, whether necessary or not. Things didn't start to go bad until I clicked on a normal-looking link to an article in an email from a news source I work with every morning. I don't have any idea where the exploit came from, or at what point it entered my system. Need I say, this all happened very fast?

      It's possible that the email was compromised before it got to me, but I consider that unlikely. It's possible that recent updates of Thunderbird or Firefox were infected - something I consider HIGHLY unlikely. But since I don't know how my system got infected, I just know that it DID, somehow.

      If I'd known to be more careful than usual when I clicked the link in the email that launched the browser, I might have avoided all this. That's why I posted this message. By knowing what happened to me, someone else might be able to figure out what happened before it happens to them. I wish I had more clues to offer.

      If you think that the system is affected somehow, maybe just reinstall it to be sure 🤷

        It would be good measure to change passwords on your email accounts too. Typically a good move to make after any unwanted activity.

        This is the rare instance I would install ClamAV from flatpak and run it. There will be a ton of false positives.
        Of 1000 warnings I got, the LibreOffice suite threw about 990 of them (normal, I'm told), and the other 10 were PUPs...

        Be interesting to see what they flag.

        This disgusting behavior you had to tolerate... I haven't seen that since Windows days.

          Solarmass maybe just reinstall it to be sure

          I just finished doing that. Mostly configured now. I'm writing this post using it.

          brent I would install ClamAV from flatpak and run it

          Oh ... too late. I already nuked it and reinstalled. Mostly finished with that now.

            WetGeek Nice. I would've burned it to the ground to be sure, too. Now you gotta spend a day getting the XFCE where you had it but at least you don't have to worry.

              brent Now you gotta spend a day getting the XFCE where you had

              Not quite that long, thankfully. It's done now.