I’m seeing Trojan:JS/Flafisi.D detections and Tech Support Scams on the Edge browser Start page

Update: A member of Microsoft's MSN Engineering Team (RodrigoLode (MSFT)) has responded to acknowledge the malvertising issues associated with the MSN portal. They have also requested: "If anyone is still experiencing this, please reply here." For more specifics on the information requested, please refer to the reply from Rodrigo at the following link:

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/im-seeing-trojanjsflafisid-detections-and-tech/8fbe8eaf-1af0-4e76-9ab0-57828f631a5f?page=7&messageId=3661a31c-2019-4808-a88b-283919038cc1

In addition to reporting the fake pop-ups themselves, I would advise that you take note if there is a significant loss of performance on your computer after encountering, in particular, the fake Adobe Flash Player update. If things seem sluggish, you may have been subject to one of the more prevalent malicious activities, known as crypto-mining/coin mining.

Invisible resource thieves: The increasing threat of cryptocurrency miners
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/

It is especially important to report these occurrences, or any other odd behaviors, after using the MSN website.

Moderator Edit: Provided update.

Just reading the “Comey trolls Trump” article on the Edge Start page and this pops up:

This one was easy to handle because it was just the old-fashioned dialog-loop-based scam:

– but what’s coming next Microsoft?

GreginMich

[Original Title: Surprised again]

 

Discussion Info


Last updated February 17, 2020 Views 21,075 Applies to:


Hey Greg,

I've seen reports of those coming from any page that includes advertising, including MSN which is the source of the default page for Edge as well as IE 11 as I recall.

I turned off these start pages in favor of a blank page immediately myself, not for this reason, but rather simply because I don't like the lag and noise these create when I open a browser.

I did have difficulty figuring out how to stop them with new tabs in IE 11 though, until I found out there was a separate control for this within the Internet Options - Tabs section on the General tab.

As Julia often mentions as well, I've found that ad blocking is the most effective method to stop these, since it's the advertising networks who distribute the initial scripts and typically don't vet their advertisers well if at all.  What a surprise huh?

Rob

I’ve seen that specific popup numerous times using Edge, using Chrome, using Internet Explorer, using Win 7, using Win 10, using a Vista, using Windows Defender, using Emsisoft Antimalware, using Kaspersky Free and with one common denominator…Yahoo webpage.  Have received complaints from acquaintances about the same popup –  also on Yahoo.

 

Yahoo says there is nothing wrong on their webpage and that the issue must be on all of the computers I’m using.  Uh Huh!  Yeah!  Sure!

 

No problems closing down the browser when I see the popup, though once I had to use Task Manager.  No suspect browser extensions found and "Quick Scans" after restart found nothing either.

Have not seen in a couple of weeks on any computers I'm using though there’ve been more reports of it on the forum.

MVP Consumer Security 2014-2016
Windows Insider MVP 2016-2018

I’m certainly not surprised to see something like this while I’m using the Edge browser – but I’ve never seen anything like this on a Microsoft site before, and I’ve been browsing from the Start page every day since Edge was launched – first multiple detections for Trojan:JS/Flafisi.D last week, and now this. Since Microsoft's home page is a big source of advertising dollars these days, I would expect Microsoft to show a little interest in cleaning up its act just to keep users from switching over to another startup page (or another browser), or from installing an ad-blocker. But I sure appreciate the feedback here, because I wasn’t fully aware of the scope of this issue.

GreginMich

I understand what you're saying and from what I've personally seen, Microsoft's pages receive less of these than most others.  However, the design of the advertising structure itself is the real problem here and always has been.

As I understand it, the ad networks contract to provide advertising to the page owners like Microsoft, which they then use to supply access to particular demographic groups to the advertisers, who buy these by blocks of ads.  With this isolation between advertiser and page owner, it's the ad networks that are responsible for vetting and with the margins they make, there's little interest by them in performing this action.

I believe I've seen mention of yet another layer in these transactions, but even without this it's easy to see why the problem exists.  The page owner simply wants revenue, as does the ad network and the advertiser just wants their ad to reach lots of potentially valuable eyes.  In the case of popup purveyors, the demographics are only partially important, since what they're truly after is simply potential targets who might be prone to responding to their scams, which could be anyone.

With the trends towards more targeted systems and apps, the interest in general web pages is declining, so this makes any additional effort to protect and maintain this avenue of less concern at all levels as well.  I think we're simply seeing a symptom of this decline as the more knowledgeable user moves away from the browser to devices with apps, which by their nature are less susceptible to such simplistic forms of attack.

Just think back about the typical type of user we've seen here over time, with the more knowledgeable mostly disappearing as those still holding onto the older technology appear to be most common now.  It might seem that this is due to the better protection provided by Windows 10 and current security it includes, which to an extent may be true, but I feel it's more a reflection of this migration to modern devices and apps within the consumer market.

Rob

But passing the buck won’t help protect the people who use the Microsoft Start page, or solve the issue of trust. Sites that host malware like this are considered “compromised” – and since this is a Microsoft site, they’re ultimately responsible for doing whatever it takes to break the supply chain and clean things up. It’s not just about protecting their bottom line – it’s about protecting their reputation and their customers.

 

 

GreginMich

I didn't say anyone was passing the buck here, though it's obviously possible in this scenario, it's just not possible to truly manage the security of these advertisements when such a convoluted, layered set of systems exists.

I don't think Microsoft is ignoring this or they'd be spewing far greater numbers of these similar to the issues that Le Boule mentioned Yahoo has been generating lately.  I've personally never seen a single such popup generated by any Microsoft website and only one single popup in all my years of normal browsing.

On the other hand, I can experience dozens of these in a single session of purposefully risky browsing behavior, most generated directly by the websites being browsed.  This is most likely where many of the reports we see here daily come from, though some number are also clearly experienced via advertising on news pages and the like.

I think that Microsoft is more focused on the future of Windows itself, including not only Windows 10 S, but also the Windows Core OS including the Polaris version targeted at consumers and other light-duty users.  I suspect that this is where they'll actually solve these types of problems, since many of these problems exist due to legacy components more often used in business.

Rob

We’ve already had several confirmations that Trojan:JS/Flafisi.D is being detected while reading news articles on the Edge Start page, and this is emphatically not the new normal – we don’t normally have to worry about malware attacks and Tech Support Scams on respectable sites. But now we’re seeing them on the Microsoft Start page, so this really is surprising. If it isn’t possible to manage the security of websites, and to clean them up once they’ve been compromised, then we’re in a world of trouble here – because the Edge Start page will then have to be added to the list of risky sites, and blocked by Windows Defender SmartScreen. So if Microsoft can’t focus on the here and now, and fix this issue, then I’m not even sure that it will have a future.

This thread was simply intended as a wakeup call – we’re being attacked by malware on the Edge Start page, and this is not business as usual.

GreginMich

I’ve already run scans with Malwarebytes and the Kaspersky Virus Removal Tool, and nothing shows up – but I just noticed something odd when I went to research Trojan:JS/Flafisi.D: Except for the first item on the search results list, which is this local thread:

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/trojanjsflafisid/b70661cc-5b98-4e9b-9db4-f76d5b1bb69c

I just get pages and pages of SpyHunter sponsored sites in different languages. So now I’m wondering if my issue might be the effect of some undetected browser hijacker.

GreginMich

Ever tried ZHPCleaner? It targets browser issues.

https://www.nicolascoolman.com/download/zhpcleaner/

~bhringer

I’ve reproduced the search engine issue on a couple of other PCs by just searching for “Trojan:JS/Flafisi.D”. Is this SEO poisoning gone crazy, or is there maybe a deeper issue here (it’s almost as bad as the local search engine issue)? This is all too much extra work if I can’t find a usable search engine, so I’m inclined to just sit back and let things run their course. This issue definitely seems to be a parallel with the Yahoo issue, since these attacks are clearly site-specific – but then again, it’s hard to prove that there’s a general issue when the attacks are so sporadic. Tomorrow I’ll see if I can reproduce the detection/scam on a second machine, and maybe run some more scans on this one. So thanks for that tip, bhringer.

GreginMich
