HackPhishPopUp's profile

Tutor

 • 

6 Messages

Sunday, December 23rd, 2018 4:16 PM

AT&T Home Page Pop-Up Hack Attempts

For the past six to eight weeks, my AT&T home page has been under attack by an "Adobe Looking" Pop-Up asking to update Flash Player by downloading a new version. Norton has no record of the 'apparent' URL (ctnew.beastvocal.host/hyllkjit/f7aaaed3/?n=644823345) nor has there been any other sort of nefarious activity among the Bookmarks on my MOJAVE iMac. This site has been blocked numerous times, but keeps returning as the URL probably cycles the address to avoid such blocking.

 

Seems to me AT&T needs to review, analyze and detoxify ads, pop-ups and other cycling displays for ever-evolving Phishing, hacking or invasion attempts from its home page. Without a 'HazMat Suit' for my operating system, I'm not charging into this attempt any further. I will leave it to those who have invested in large dollar protective code to eradicate things like this.

 

 

Accepted Solution

Official Solution

Community Support

 • 

231.2K Messages

5 years ago

Hi @HackPhishPopUp,

 

AT&T Internet customers with connection speeds of 3.0Mbps or higher can download the Internet Security Suite free of charge. Learn about all the great features of AT&T Internet Security Suite powered by McAfee, including keeping your computer safe and running smoothly.

Please let us know if this information is helpful to you. We are always eager to assist.  Lafayette, AT&T Community Specialist

Tutor

 • 

6 Messages

5 years ago

Thanks Employee Contributor.  I know of the AT&T security package by McAfee, but have chosen NORTON for added flexibility and more Apple friendly utilities and scans. Again, it seems there are no reasonable 'solutions' at the user level as the source URLs evolve with each new "Fake Adobe" Pop-Up. I've counted thirteen so far. I am confident the fix needs to be at the HOME SCREEN ad displays that are supplying the Pop-Up take over attempts. So far it is merely aggravating, but may become more lethal as I am not the only user, and other family members may opt NOT to 'close and restart' the browser.

Expert

 • 

15K Messages

5 years ago

If you didn't like what ATTCares suggested why did you mark it as a solution?

 

I'm curious about those "popup ads".  When I go to start.att.net  I see a little banner ad just below the top blue band and above the slide show frame.  I also see two ad frames, one above the other (one happens to be a video), on the right side of the slide show frame.  But nothing is popping up in the way I use the term, i.e., covering all or a portion of start.att.net.  Each ad, as annoying as they might be, is in its own frame on the page and not "popping" up.

 

If you are actually seeing ads "popping up" covering start.att.net then something else is causing that and it isn't att.  Which browser are you using?  Have you tried a different browser to see if it has the same behavior?

Tutor

 • 

6 Messages

5 years ago

Hi & Happy New Year XyZZy!!  

 

The answer to your 1st question is easy.  I am completely acceptive of the corporate contributor's reply pointing me toward AT&T provided security 'solutions' for invasion attempts.  As I noted in my reply, the solution lies more with the Web Site - WebMaster who programs the channels for the ad or "Ad Choices" to verify the ad channels used on the home page are free from malware, trojans, viruses or phish attempts. 

 

These invasion attempts aren't the customary "pop-up" ad presentations we have been familiar with for decades. These appearances are transfers or diversions to a rapid series of URLs until it lands on one of an apparently selected group of sites that seems to have a 'download' to your hard drive under the guise of a Flash Player update. I listed one URL site in my Dec 23 post, reported to NORTON. Another more recent is: (HyperLink Removed)

hyperlink //savedowngradebesttheclicks.icu/IW_H1vx8fYt6xul5COhIiA?cid=15437600741230465266152449513194274&pubid=1806371-3979200730-0

The displayed "Adobe Update" screen appears like this:

[Attached screenshot: ScreenjpgShot.jpg]

 

Any involved user would recognize that the source URL was not that of Adobe's, nor is it displayed in the customary notification from Adobe for an authorized update to Flash Player. 

 

Again, these screens appear only after a series of URLs are displayed in rapid succession (almost like trying to trace a cell phone call) before landing on an apparent selection from a list of URLs that are linked to either the "install" or "close" button, activating some download to target disk. NORTON has no history of these web site/URLs.

 

So far, there is no apparent invasion to report that either NORTON or I am aware of.

 

Any Thoughts????

Expert

 • 

15K Messages

5 years ago

Happy New Year to you too.

 

I don't know where that (popup) dialog is coming from -- your browser or some other process on your Mac -- but it's not coming from any of the att web pages.  They don't ever produce popups like that.  I don't care if Norton (or any other AV software) finds nothing.  The simple first checks I would do are to check your login items and extensions/addons in your browser if any (did you try a different browser? Which browser is that, safari?).  If it's nothing obvious there you may have to dig deeper (e.g., check the process list, look for launch agents/daemons, etc.).  You can google search for possibilities and/or post to the appropriate Apple Support Communities forum.
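The launch agent/daemon check mentioned in the post above can be scripted. This is an added example, not part of the original post: it lists every launchd job file in the standard macOS locations and marks the ones worth reviewing by hand. It assumes Python 3 is installed; the "odd path" list and the label/file-name comparison are heuristics chosen for this example, not an Apple rule.

```python
import plistlib
from pathlib import Path

# Standard launchd job locations on macOS (per-user and system-wide).
DEFAULT_DIRS = [Path.home() / "Library/LaunchAgents",
                Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
# Assumption for this example: jobs run from these locations deserve a look.
ODD_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def describe(plist_path):
    """Summarise one launchd job file and note anything worth reviewing."""
    rec = {"file": str(plist_path), "label": None, "program": None,
           "auto_start": False, "notes": []}
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)          # reads XML and binary plists
    except Exception as exc:                 # damaged or non-plist file
        rec["notes"].append("unreadable: " + type(exc).__name__)
        return rec
    if not isinstance(job, dict):
        rec["notes"].append("top level is not a dictionary")
        return rec
    args = job.get("ProgramArguments") or []
    program = job.get("Program") or (args[0] if args else None)
    rec["label"] = job.get("Label")
    rec["program"] = program
    rec["auto_start"] = bool(job.get("RunAtLoad") or job.get("KeepAlive"))
    if rec["label"] != Path(plist_path).stem:
        rec["notes"].append("label differs from file name")
    if not isinstance(program, str):
        rec["notes"].append("no program path")
    elif program.startswith(ODD_PREFIXES) or "/." in program:
        rec["notes"].append("program in temp, shared or hidden path")
    return rec


def scan(dirs=DEFAULT_DIRS):
    """Return a record for every *.plist in the given directories."""
    found = []
    for d in map(Path, dirs):
        if d.is_dir():
            found.extend(describe(p) for p in sorted(d.glob("*.plist")))
    return found


if __name__ == "__main__":
    for r in scan():
        flag = "REVIEW" if r["notes"] else "ok"
        print(f"{flag:6} {r['label']}  ->  {r['program']}  {r['notes']}")
```

A "REVIEW" line is a prompt to look at the job, not a verdict; an empty result does not rule out browser extensions or login items, which are separate checks.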

Tutor

 • 

6 Messages

5 years ago

Thanks again _xyzzy_ ...  It is Safari, the most recent Mojave release. I'm looking into Chrome or FireFox as a test environment on a partitioned or remote drive. But first, you're right. I'm headed to the Apple Forums with the same information - although these forums tend to be more critical and less forgiving. (Go Figure)

 

I'm looking into extensions (as you suggest) and internet network logs, but those 'events' are more than just a handful of entries. I still have the impression that these appearances are related to the cycling ad frames arrayed on the AT&T home page. 

 

In any event, thanks for applying your grey cells to this. You've given an added process to look at.

 

 

Expert

 • 

15K Messages

5 years ago

I'm looking into Chrome or FireFox as a test environment on a partitioned or remote drive

FYI, unless the cause is outside of safari, i.e., your OS is corrupted in some way, you should know that you can have any number of browsers on your system.  They are all independent of one another.  You don't need to set up separate partitions with entirely separate boot systems just for that.  When I suggested to try different browsers I meant simply download them and try them in your existing system.  If the problem occurs in them then the cause is your system.  If it doesn't then the problem is localized to just your safari.

Tutor

 • 

6 Messages

5 years ago

Copy That...

 

The "separate" concept was only to isolate all new based browsing from ANY other SAFARI-sourced attributes of historical elements just as an overly cautious approach, _xyzzy_.  I am 'ancient' enough to remember when Apple OS systems were virtually immune from intrusions and the PC Virus worlds.  With your added viewpoint, I'm narrowing down the probable source of these invasions. With luck & persistence they WILL be eliminated.

 

Thanx again for your input

Tutor

 • 

6 Messages

5 years ago

UPDATE this morning...   Hi, _xyzzy_ !!  The response from Apple Support and the Community was fast and accurate.

 

Are you sitting down?  

 

It seems the diversion attempts are related to the ads playing in the various areas of the AT&T home page. I was given an article link to the web site 2-spyware.com (there are others, too) that has described my situation and environment exactly. Community reports that had the same issue with the AT&T home page until they followed the resolution instructions and the events have not recurred, though the caution was that they may re-infect as Taboola serves up ads to many web pages and home pages.

 

Here is the hyperlink to the web page with the pertinent info. Part of the fix involves editing cookies and 'Quick Web Site Search' entries. We'll see what transpires...

 

https://www.2-spyware.com/remove-taboola-ads.html

 

This was the paragraph that hooked me:

"Hackers compromise the ad network to push malicious ads"

 

I'll know this week if the solution is real...  Just thought you should see this.

 

Thanks again.

 

Expert

 • 

15K Messages

5 years ago

Hope you find it.  Doesn't look that there's any attempt to really hide it in the system too deeply from what that article you referenced said.


Off topic, but something you should know about posting in these forums when wanting someone to know you are referencing them.  Just referencing a screen name in a post is no guarantee that person will see it unless they just happen to recheck the thread.  Sometimes it's easy to miss a thread in the large list of titles.

 

The preferred way is to type an @ in the reply.  You will see a list of posters to the thread you are replying to in a popup menu.  Click the name you want to address and it will appear after the @.  That way the person gets a notification -- a count next to the bell in the top right of this page.  Then the referenced user can check their notifications to find out which thread did the referencing.   Only the creator of the thread doesn't need that kind of referencing since they get a notification of updates to their thread.  So you should have gotten a notification of updates to this thread but by me typing @HackPhishPopUp as an illustration you should also have additional notification. 
