It Started with an Email….

“My computer is secure. It’s a Mac.”

It started with an email from I guy I know and have worked with from time to time but never been particularly close to. Let’s call him Bob.

2015-06-22-1

Not visible in the image above – the From line in the message indicated Bob’s email address where the sender’s name usually goes, followed by an email address – <info@flipmailer.com>, suggesting this wasn’t really from Bob at all. And it claimed that Bob “would like to add me as a friend”. What sort of friend? It’s not a Facebook message. A “Flipmailer” friend? What’s that?

Hovering my mouse over both the Accept and Decline buttons in the message led to links on flipmailer.com – whatever that was.

So I emailed Bob, forwarding him the message and asking if it was something he’d initiated. His reply: “I can’ t explain… you are the third person to ask me about this. Do you have an explanation for me? Is there some way of stopping something like this?”

So I googled “flipmailer” and saw multiple listings of questions of whether it was malware, how to remove it, and more. Google’s Safebrowsing service claimed that flipmailer.com was “not currently listed as suspicious”, and McAfee SiteAdvisor similarly claimed “This link is safe” – but all those things indicated was that the actual webpage was not directly serving up malware.

Flipmailer.com connected to another “service” – flipora. Their website headlines “Flipora automatically learns what you like and helps you discover content that matches your interests” and includes links to Apple app store and Google Play Store apps along with NY Times, BBC, and other reviews.

The NY Times link pointed to a 2010 business section article reporting that “Infoaxe, a startup that helps users find better search results based on their Web history, just announced that it has raised $3 million in a first round of funding.” – no mention of Flipora, Flipmailer, and no review of the promised service; the CNN link opened a PDF of a 2009 article about Infoaxe, served up by Flipora. A Techcrunch link went to a 2012 story mentioning that Infoaxe had been rebranded as Flipora.

None of these answered why there should be a flood of messages to people who’d been in Bob’s email contact list asking them to “friend Bob” by clicking on a link to Flipmailer.com.

Googling for help on removing Flipora led me to <http://emmanuelcontreras.com/content/how-remove-fliporainfoaxenet-spam-extension>. Potentially useful to me, but a bit overwhelming to Bob – he’s a musician, not a tech guy, he noted, and “I find a lot of ‘advice’ from sites like that expect people to be ‘intuitive’ about this stuff –  and I’m not!” And the instructions are designed for Windows users, but Bob’s using a Mac.

(But Macs don’t get Windows malware, I hear you thinking.)

Bob dropped off his Mac laptop, after first changing his email password with Telus.net – a large Canadian phone company. He noted that even after changing his password he was still getting emails from folks wondering about the “friend requests”.

Bob had Safari and Firefox web browsers on his Mac. It turned out that the Telus.net emails were auto-forwarded to a Gmail account that he accessed using the Mail application on his Mac.

In the spirit of Emmanuel Contreras’ how-to-remove-flipora article, I checked for extensions and add-ons to Bob’s installations of Safari and Firefox. His Safari installation looked pretty clean. It opened to a Telus.net homepage and had no unusual-seeming extensions.

His Firefox installation, though, had Ask.com as the home page with the Ask Toolbar on display. When I queried him, neither of these were things he’d wanted – so I changed the home page and removed the toolbar. He also had a Firefox plugin, Trovi, also unwanted. A blog posting on removing Trovi from Mac OS X suggested (among other steps) resetting Firefox to its defaults, which I did. I also deleted a Trovi plugin that was sitting in his ~/Library/Internet Plugins folder.

Just to be on the safe side, I deleted all cookies from both Safari and Firefox. A bit of a pain, to be sure, as now Bob will have to re-enter passwords and other information in a host of websites.

One more thing, though: Since Bob was a Gmail user (behind the scenes), I logged on – using his user name and password – to http://google.com/accounts and clicked on the “Connected apps and sites” link in the page’s Sign-in & Security section. There I saw a listing I was unfamiliar with: “Friend Connect”. Apparently a 2008 Google product aiming at competing with Facebook, according to a Wikipedia page, it was essentially “retired” in March 2012.

I don’t know if that had anything to do with the flood of bogus “Friend” emails claiming to be from Bob, but I “revoked its access” to Bob’s account.

Bob’s got his Mac back, and I haven’t heard of any more complaints from his email contacts.

So, can Macs get malware? Bob’s computer had (in common with millions of Windows systems) the generally unwanted Ask.com Toolbar installed in Firefox, probably the result of installing Java or some other application. He had the Trovi adware plugin in his Mac’s Internet Plugins folder. Was Flipmailer/Flipora using a Friend Connect app leaching off Google services to access his Gmail contacts – essentially anyone he’d ever emailed or who had ever emailed him?

I don’t know, but I do know that as Mac owners increasingly make use of platform independent cloud services they are going to be increasingly affected by platform independent malware. Mac users – like Windows users – are going to have to pay attention when installing software and services (like Oracle Java’s bundling the Ask.com toolbar by default) and be wary of clicking to “Accept” random “Friend requests”.

Keywords: #flipmailer #flipora #infoaxe #friendrequests

Short link: http://goo.gl/ZrLGeu

searchword: friendrequests