I’m seeing Trojan:JS/Flafisi.D detections and Tech Support Scams on the Edge browser Start page

Update: A member of Microsoft's MSN Engineering Team (RodrigoLode(MSFT)) has responded to acknowledge the malvertising issues associated with the MSN portal. They have also requested "If anyone is still experiencing this, please reply here." For more specifics on the information requested, please refer to the reply from Rodrigo at the following link:

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/im-seeing-trojanjsflafisid-detections-and-tech/8fbe8eaf-1af0-4e76-9ab0-57828f631a5f?page=7&messageId=3661a31c-2019-4808-a88b-283919038cc1

In addition to reporting the fake pop-ups themselves, I would advise that you take note if there is a significant loss of performance on your computer after encountering, in particular, the fake Adobe Flash Player update. If things seem sluggish you may have been subject to one of the more prevalent malicious activities known as crypto-mining/coin mining.

Invisible resource thieves: The increasing threat of cryptocurrency miners
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/

It is especially important to report these occurrences or any other odd behaviors after using the MSN website.

Moderator Edit: Provided update.

Just reading the “Comey trolls Trump” article on the Edge Start page and this pops up:

This one was easy to handle because it was just the old-fashioned dialog loop based scam:

– but what’s coming next Microsoft?

GreginMich

[Original Title: Surprised again]

 

Discussion Info


Last updated August 13, 2019 Views 20,630 Applies to:

"So the payload is really irrelevant, and the point (once again) is that there’s an open malware channel on the MSN news pages."

You can sit around and pontificate about who's truly responsible to manage the security of the advertising distributed from websites until you're blue in the face.

Or if you have a modicum of intelligence, you'll realize that the only one truly responsible for your security is yourself, so by simply using an ad blocker or Internet Explorer's Tracking lists for reputable websites that honor it, you can avoid this issue entirely.

I prefer methods that work to wishful thinking.

Rob

Did you miss my repeated recommendations for using uBlock Origin for blocking this malvertising campaign; and the fact that I’m currently testing it on designated “blocker-on” days? But if you’re suggesting that I should personally just leave uBlock Origin turned on and forget about this issue, then you’ve misunderstood things pretty badly. I set up this thread in order to monitor the status of this month-long malvertising issue on the MSN news portal. From the standpoint of monitoring things, turning on an ad-blocker just masks the underlying issue. As of yesterday today, MSN viewers are still being exposed to this malvertising campaign, presumably including users on older versions of Windows and/or with third-party AV apps who are reporting this issue by filename, but not reporting any associated AV detection.

Looking around the web, it’s pretty clear that no one else in the security sphere has ever suggested that hosting a malvertising campaign is a no-action-needed scenario for website owners and administrators, and I’m still hopeful that we won’t be setting a new precedent here. But in the long term, malvertising won’t be manageable without local website analytics of some kind, and I was merely suggesting that Microsoft could establish a more advanced in-house website analytics that leverages feedback from Windows Defender Advanced Threat Protection telemetry and analytics. But they could also work with a third-party website security analytics firm that's demonstrated the capability for rooting out these compromised domains (like Malwarebytes).

Since this thread is now only serving to divert attention from the issue at hand, I’ll only be monitoring the high-traffic thread. I'd rather spend my time on prototyping a noiseless directional UHF antenna for spectrum analyzers and RF imagers.

Gadzooks, it’s two-for-one Tuesday at both Wendy’s and the MSN news portal:

GreginMich

Thank you...I've been having both these issues for weeks now, and I was so puzzled because I've been using Windows Defender, and I never go to pages where I would expect something like this to happen...usually just MSN sites...I thought they were relatively "safe".  I'm old and not really tech savvy...your recommendation to use an Ad Blocker is what I'm going to try next, since I did every single thing that Windows Defender told me to, and it keeps happening. 

Microsoft sites generally are safe, and Microsoft has responded to previous malvertising incidents in short order, at least from what I can gather. But this current malvertising incident is still posing a security risk for unsuspecting viewers; and eroding consumer confidence – and it will soon be taking a big bite out of the site’s advertising revenues as viewers are forced to deploy ad-blockers in order to protect themselves. So this is a no-win situation for all parties concerned, and I can only hope that it does get resolved soon, and recommend using an ad-blocker extension in the interim.

Installing an ad-blocker extension in Edge is safe and easy, because the Settings menu will take you directly to the Microsoft Store, where you’ll find a good selection to choose from. I’m very impressed with the effectiveness of uBlock Origin in mitigating this issue, and also with the way it gives us such a clear window into the extensive domain connection activity that’s going on behind the scenes at all of the high-profile sites. But others have reported success with AdBlocker Ultimate, which is also very well-reviewed. And of course, these extensions are all free, so if you’re unhappy with the first one you pick, you can just switch over to another one:

For Microsoft Edge, find an ad-blocker extension in the Microsoft Store:

Settings and more > Extensions > Get Extensions from the Store

The documentation for uBlock Origin (and the instructions for installing it on other browsers) is available here:

https://github.com/gorhill/uBlock

GreginMich

Greg,

We were both looking in the wrong direction here, focusing on the current malvertising symptom while the deeper issue was occurring inside Microsoft itself.

After Thursday's announcement and its obvious side effects, I did a quick search today regarding layoffs and found the second article below.

Windows boss Terry Myerson leaving Microsoft amid huge reorganization - Business Insider

Microsoft Layoffs in 2018 Impact Windows and Device Group

"Although the most severely impacted part of the business is the Windows and Devices Group, several other divisions faced job cuts as well. Employees were shed from product groups like “Bing”—the company’s oft-maligned search engine answer to “Google.”"

Since the MSN moniker is really just a legacy label that's likely now nothing more than a logo, I'd guess that most of the remaining portions of this advertising were driven by the Bing group mentioned in the previous excerpt.  If that group was already being reduced earlier this year before the announcement last Thursday, then I'd bet there's no plan to retain these legacy components for the long term, since as I mentioned these were nothing more than a reformatted set of 3rd-party news blogs anyway.

So I think that assuming Microsoft truly cares what happens to these pages is the mistake here, while it's the larger issues of where Windows itself is really headed and what form it takes in the future of Microsoft itself that's truly of concern at the moment.

"Terry Myerson, the executive vice president of Windows who has long been a leader at Microsoft, will leave the company "in the coming months" as part of a big reshuffling of executive leadership announced on Thursday. "

So if I'd taken the time to research deeper at the beginning, I'd have realized this entire discussion was pointless from the start, except as a warning that Windows users should assume that ad blocking is now the only effective method to protect yourself from malvertising on the legacy Windows platform.

Rob

Hi all,

I'm on the MSN Engineering team and would love help if anyone encounters this again. We've been tracking this since it started in mid February. We do quite a bit of work to scan the ads we get from our exchanges, but some behave differently for certain users than they do when we do our scanning. In the future, please continue to submit feedback so we can narrow the scans on our end and potentially reproduce and remove this once and for all. If your page was hijacked and you couldn't view the article, please mention the article headline you've visited as well.

If anyone is still experiencing this, please reply here. 

Thanks,

-Rodrigo (MSN Engineering)

Hi Rodrigo,

Your attention to this issue is greatly appreciated by myself as CM and I'm sure other frequent contributors in Virus & Malware. We seldom get engagement from members of technical teams.

To assist in generating more feedback I am requesting this thread be pinned and I have also edited the OP to reflect your request. I included a direct link to your reply as it is somewhat obfuscated being on Page 7.

Thanks.

~bhringer

PS As an aside FWIW I noted you replied to another participant in this thread. Out of respect and as part of generally accepted protocol your reply should have been to the OP.

Thanks for the pin and for the heads up to reply to OP. I'll follow that guideline going forward.

You're welcome. Looking forward to your input.

~bhringer

I just got this issue just now 8 pm Central time 4/9/2018 on a Windows 10 machine viewing the article from the Edge MSN home page: "Tommy Lee's son won't be charged for allegedly assaulting him".  It showed me the fake Adobe Flash update warning and then Defender warned me that it Quarantined: Trojan:JS/Flafisi.D.

This is the 2nd time in a week this same virus hit me from an article from the Edge default page.
