Could this be a False Alarm?

tmcd
Posts: 2
Joined: Mon Nov 14, 2011 7:56 pm

Could this be a False Alarm?

Post by tmcd »

I would like to run something by you to see what you think of the situation before I attempt any fixes or repairs to one of my computers .... Norton wants me to do some stuff that is complicated and I wonder if it is necessary .... It involves Comcast's Xfinity Online Email Program and NoScript.

The following was done using the Comcast Web Email Application using Firefox 3.6.24 and includes "NoScript".....

* I got an email from a friend in China. She was coming to the USA for business and wanted to let me know. This is normal and not at all unusual. She included a new Email Address. I saved it to my Addressbook in the Xfinity Online Email program.

* When I went to use the new address to reply to her, NoScript in Firefox blocked the use of it as a "possible" ClickJack issue.

* I immediately did a full scan using the Norton Symantec Security Suite.

* It found nothing wrong and said my PC was OK.

* I went to write an email and the same thing happened again.

* So I did another Full Scan with Norton and got the same thing - Nothing wrong.

* I then went online into the Xfinity program and erased the email and erased the address, in fact I erased all the addresses in the address book to be careful.

* Since that time I did another full scan, I also used various other security programs such as SpywareBlaster, Malwarebytes Anti-Malware, and Spybot Search and Destroy.... All show everything as being OK.

The new email address she sent was a strange one ... I do not remember it exactly, but it looked something like: 12334444 @ qq.com

I am wondering if the address being so strange could have caused a false alarm in NoScript ... Do you have any experience with anything like this?

Best regards,
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Could this be a False Alarm?

Post by Tom T. »

Among the comments at the site-rating site mywot.com for the parent company of QQ:
"It's one of the largest IT corporations in China, having hundreds of millions of users in China, famed for its product QQ, the most widely used IM client in the country. However, the company has, at the same time, been largely blamed for stealing private data (it's indicated that the programs it published secretly scan all the files on users' hard drives) and assisting the government by leaking private information of users, e.g. monitoring chat between Chinese human rights activists and providing the log to the government, to be used as evidence in the lawsuits against these people. The comments on the WOT reputation card of qq.com reflected this to a certain degree as well."
I can't personally vouch for that comment. But my HOSTS file service won't let me connect to the parent web site, listing it as hosting a "back-door", i.e., a Trojan Horse-type virus that creates an invisible opening for future attacks and control without the user's knowledge.

It sounds like Comcast, Norton, and NoScript are all trying to do you a favor. I'd take the hint myself.

If in fact you have been infected already, and it hasn't been detected, you could try a couple of the free AV programs, one at a time, such as (alphabetically), Avast, AVG, and Avira. Or take it to a trusted local shop for professional detection and removal.

Incidentally, the last time I had SpywareBlaster on a machine, it was only a preventive tool, essentially the same as the Hosts file referred to above, rather than a detector or remover. That was some years ago; don't know if they've added detect/remove.

When the clickjack warning happens, what does it say? Post the message here if you can. Also, look in the Firefox Tools > Error Console for any red Error messages, or any other messages (mostly blue Info) that pertain to [NoScript], and copy/paste them here.

*************
Some might suspect a spam post here, but there were no actual links, and you were kind enough to break the email address/link, so I take that as a sign of good faith, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24
Alertnotalarmed

Re: Could this be a False Alarm?

Post by Alertnotalarmed »

@tmcd
The clickjack warning was produced when you were using a Comcast web enabled email application, right?
If so, then the reputation of qq is a side issue while Comcast's is the main issue.
You got the warning while you were using the Comcast email application, didn't click anything? - so NS protected you straight up.
The email address alone can't produce any clickjacking activity unless the email application treats it differently to any other email address.

Having an email address in your database is no cause for concern unless the database is getting used by an application that shouldn't be using it.
You may want to go further with the steps recommended by Norton, but that's not something anybody can advise you about on this forum, and you should be very wary about taking advice from anywhere on the web rather than from a security application that you've trusted enough to install on your system.

For what this forum can actually answer for you:
Do you know that each NS clickjack warning has a number that you can report here? I'm guessing that you could use the same email address in your Comcast email application to try to reproduce the NS clickjack warning and report the number here if you want to find out if it's a false positive.
If you've heeded the NS warnings so far, you will be covered by NS.
Only people who click after they've been warned get into trouble.
Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Could this be a False Alarm?

Post by Tom T. »

Alertnotalarmed wrote:
@tmcd
The clickjack warning was produced when you were using a Comcast web enabled email application, right?
If so, then the reputation of qq is a side issue while Comcast's is the main issue.

I get the impression from the OP that s/he has used the Comcast app before, without incident, and that this was unusual behavior.

Alertnotalarmed wrote:
You got the warning while you were using the Comcast email application, didn't click anything? - so NS protected you straight up.

Agree that if nothing was clicked and no connection made, the user was probably protected. But then, why the AV alarms?

Alertnotalarmed wrote:
The email address alone can't produce any clickjacking activity unless the email application treats it differently to any other email address.

Per the admittedly-brief research, it appears that that address also includes instant messaging, just as Yahoo or AOL e-mail do, if you allow them to. It might not be separately deniable in the Chinese application. Connecting (or trying to connect) to that email might auto-connect to the IM, which might have been what produced the warning. I don't know how the Comcast e-mail system works; if you have detailed knowledge, please do share it.

Alertnotalarmed wrote:
Having an email address in your database is no cause for concern unless the database is getting used by an application that shouldn't be using it.

Agree. But I'd still scrub it, so that no application can use it.

Alertnotalarmed wrote:
You may want to go further with the steps recommended by Norton, but that's not something anybody can advise you about on this forum, and you should be very wary about taking advice from anywhere on the web rather than from a security application that you've trusted enough to install on your system.

Does that include you? :-)

Alertnotalarmed wrote:
For what this forum can actually answer for you:
Do you know that each NS clickjack warning has a number that you can report here?

Tom T. wrote:
When the clickjack warning happens, what does it say? Post the message here if you can.

Thanks for echoing that.

Alertnotalarmed wrote:
If you've heeded the NS warnings so far, you will be covered by NS.
Only people who click after they've been warned get into trouble.

Outlook and Outlook Express, for example, have had numerous security holes that NoScript might not prevent, once you allow this *desktop* application to have web access. In the early days, they opened all attachments by default, leaving a field day for evildoers.

Again, if you have certain knowledge of Comcast's system, please share it. Else, re-creating the warning and posting all details - including the Error console as well as the warning # -- may help to see if there is a problem.

In the meantime, not sure if you're advocating that OP do as Norton says, or not. My advice was: If you're unsure about doing what Norton says, get some more "second opinions" from other AV providers. What is the harm in this, other than setup time?

Agree with the nickname -- alert, not necessarily alarmed -- but I stand by the advice not to attempt to send or receive mail from the qq domain. Nor to deal with tencent.com, the (apparently corrupt) parent who is accused of installing trojans, among other things. Which may have alarmed the AV provider.

@tmcd: What exactly does Norton want you to do?
It's a peace-of-mind issue. I agree that from the sound of it, no actual damage occurred. But not knowing about Xfinity...
(Some review sites have given better rankings to some of the AVs I listed than to Norton, although those tend to change over the years.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
Alertnotalarmed

Re: Could this be a False Alarm?

Post by Alertnotalarmed »

@Tom T

Not interested in anything except the clickjack warning question.

Don't have any connection with Norton or any other AV application.
Just trying to focus the question for tmcd which seems to have got lost in your first response.
Can see you seem to have been left minding the shop and are doing your best to help but you seem to have missed a bit of basic detail here and there :-)

Am familiar in general with the style of web messaging that Comcast provides - you may recognise the same style with the names yahoo and google - and although tmcd appears to imply that Norton has detected something resulting from using the Comcast messaging, there's not enough detail in their post for NS support to conclude anything other than that they were online, using Comcast, when the clickjack warning was triggered. Or they were perhaps in offline mode and NS detected image overlays in the cached stuff. Clickjacking warnings won't be produced outside Firefox, will they? - you seem to think something other than Firefox installed on the desktop is involved here. But all we have to go on is that Norton is involved - apart from Firefox and NS. Could be some extension like a toolbar. Who knows?

And just a little observation, from someone whose day job is consumer advocacy in a small firm:
qq is the biggest messaging company by users on the net, so it is fair to expect that it's been compromised - just the same as google and yahoo have been. The difference between qq and google is that Norton and maybe Comcast (not decided yet whether Comcast has blacklisted qq - from tmcd's information) would go out of business if it blacklisted google. Evildoers is such a fatuous word, don't you think?

Sorry I can't be around to contribute any more, but work calls.
Good luck and all that.
Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Could this be a False Alarm?

Post by therube »

"SpywareBlaster ... it was only a preventive tool, essentially the same as the Hosts file"

Not particularly.
SpywareBlaster's main purpose is to set ActiveX related blockers in the Windows Registry.
MS does this from time to time too, during their monthly security updates, though what SpywareBlaster does is more extensive.
You run the program every so often, update it, it adds new blockers, you close the program, & that's it.
It does not run real-time & does not use resources.
And it's free.
Can't fault it.
SpywareBlaster
(It also can add cookie blockers & such, but that is not its main purpose, IMO.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:10.0a2) Gecko/20111114 Firefox/10.0a2 SeaMonkey/2.7a2
tmcd
Posts: 2
Joined: Mon Nov 14, 2011 7:56 pm

Re: Could this be a False Alarm?

Post by tmcd »

Thanks for all the help everyone ....
A) I am using a different PC until I feel secure in using the other one.
B) I am in the middle of a project today but will get into all these suggestions tomorrow.
C) I did read the email (using an ONLINE WEB Application supplied by the ISP and did not use Outlook, etc)
D) I did not reply because NOSCRIPT blocked the use of both that new address and her old address (both were used in the email)
E) I erased both the email and the address book the same day ... Both were online and neither was "downloaded" on to my PC into any email program.

Thanks much ...

I will let you know what happens ....
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24 (.NET CLR 3.5.30729)