Do not trust the "There is a new Codec Pack version" scam
Written by Tomas Meskauskas on (updated)
What is "There is a new Codec Pack version"?
"There is a new Codec Pack version" is a scam run by deceptive websites. By claiming that Adobe Flash Player might be outdated, the scheme attempts to trick users into downloading/installing a fake software updater. Rogue updates are used to spread a wide variety of untrustworthy and even malicious content.
For example, various Potentially Unwanted Applications (PUAs) such as adware and browser hijackers, and malware including ransomware, trojans, etc.
The researched sample (promoted via "There is a new Codec Pack version") installed MyCouponsmart adware and the SearchMine browser hijacker, however, it might also be "bundled" with other, additional PUAs and/or malicious software.
Most visits to deceptive/scam websites occur through redirects caused by intrusive advertisements or PUAs already infiltrated into the system.
Visitors to the web page promoting the "There is a new Codec Pack version" scam first see multiple pop-ups windows. The tag-line pop-up at the top of the web page states that the latest version of Flash Player is necessary to encode and/or decode (i.e., play) audio files in high quality.
Therefore, users are urged to click the download link to install the latest version. The pop-up in the middle of the page claims that Adobe Flash Player might be out of date and thus might have been blocked. Visitors are informed that, to continue using the plug-in, they might need to update it.
The site then displays another window, which overlays the aforementioned pop-up. The text therein recommends that users install a new codec pack to improve performance. The "small-print" at the bottom of the page clarifies that the update might contain supplementary free software offers.
I.e., there is additional content bundled into it. Users can decline these offers or install the updates from official sources. There are also additional details provided concerning the website's privacy policy and information storage. Each of the pop-ups have download, install, update and OK buttons, which initiate download of the bogus updater.
When any button is clicked, the updater is downloaded and the page shows yet another pop-up. The window prompts users if they actually wish to leave the web page. Installing the updates allows untrustworthy and harmful content onto the system.
Products promoted through these dubious methods should not be downloaded or installed, as they are highly likely to cause serious issues.
PUAs are one of the main causes of rogue redirects to deceptive pages (e.g. those running the "There is a new Codec Pack version" scam). PUAs can also force-open other dubious/dangerous sites such as untrustworthy/rogue, sale-based, compromised and malicious web pages.
Adware-type apps (e.g. MyCouponsmart) are also classified as PUAs - they deliver intrusive advertisements that diminish the browsing experience, redirect to rogue/harmful websites, and some can stealthily download/install dubious content.
PUAs called browser hijackers (e.g. SearchMine) operate by modifying browsers, restricting/denying access to settings and promoting fake search engines. Most PUAs (regardless of their specific type) can track browsing-related data, with information of interest including but not limited to IP addresses, browsing and search engine histories, geolocations and personal details.
This private data can then be shared with third parties (potentially, cyber criminals) intent on misusing it for financial gain. The presence of PUAs on a device can thus result in various system infiltration and infections, serious privacy issues, financial loss and even identity theft.
To ensure device and user safety, you are advised to remove all suspicious applications and browser extensions/plug-ins without delay.
Name | There is a new Codec Pack version pop-up |
Threat Type | Phishing, Scam, Mac malware, Mac virus. |
Fake Claim | Scam claims users Adobe Flash Player might be outdated. |
Related Domains | nmifq.ponynebula[.]pw |
Detection Names (nmifq.ponynebula[.]pw) | Full List Of Detections (VirusTotal) |
Serving IP Address (nmifq.ponynebula[.]pw) | 157.185.169.206 |
Promoted Unwanted Application | MyCouponSmart and SearchMine (other content is also likely) |
Symptoms | Your Mac becomes slower than normal, you see unwanted pop-up ads, you are redirected to dubious websites. |
Distribution methods | Deceptive pop-up ads, free software installers (bundling), fake Flash Player installers, torrent file downloads. |
Damage | Internet browser tracking (potential privacy issues), display of unwanted ads, redirects to dubious websites, loss of private information. |
Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
"Update to the latest version of Flash Player", "10 Critical Security Patches For Mac Flash Player", and "Fake Flash Player Update" are some examples of scams similar to "There is a new Codec Pack version". These schemes are furthered through the use of social engineering and scare tactics.
The purpose is to encourage users into performing certain actions such as downloading/installing and purchasing untrustworthy or malicious software, revealing personal information (e.g. banking account or credit card details, etc.), making monetary transactions (e.g. various payments, fees, fines, etc.), calling expensive and fake technical support numbers and so on.
The underlying goal of all these schemes is to generate revenue for the designers.
How did potentially unwanted applications install on my computer?
PUAs can infiltrate devices via fake updaters, however, they can also be downloaded/installed together with other software. "Bundling" is the term used to define this deceptive marketing technique of pre-packing regular products with unwanted or malicious content.
Rushing download/installation processes (skipping steps and sections, using pre-set options, etc.) increases the risk of potential system infiltration and infections. Some PUAs have "official" promotional web pages on which they are endorsed as "useful" and typically "free" software.
Clicking intrusive ads can trigger them to execute scripts designed to download/install PUAs without users' permission.
How to avoid installation of potentially unwanted applications
Research all products, before downloading/installing. Use only official and verified download channels. Avoid Peer-to-Peer sharing networks (BitTorrent, Gnutella, eMule, etc.), free file-hosting websites and other third party downloaders. Software should be updated with tools/functions provided by legitimate developers, as opposed to high-risk third party updaters.
When downloading/installing, read the terms, study all possible options, use the "Custom/Advanced" settings and opt-out of supplementary apps, tools, features and so on. Intrusive advertisements usually seem normal and harmless, however, they can cause redirects to dubious web pages (e.g. adult-dating, pornography, gambling and others).
If you encounter ads/redirects of this kind, inspect the device and immediately remove all dubious applications and/or browser extensions/plug-ins. If your computer is already infected with PUAs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.
Text presented in the "There is a new Codec Pack version" scam pop-up windows:
Top pop-up:
Latest version of Flash Player is recommended to encode and/or decode (play) audio files in high quality - click here to update for latest version.
------
Center pop-up:
Software update
"Adobe Flash Player" May be out of date
The version of "Adobe Flash Player" on your system may not include the latest flash update and may be blocked. If you use the updated version of "Adobe Flash Player", it might be needed to complete this action.
Later Update OK
------
Second center pop-up (overlays the first):
Highly Recommended!
There is a new Codec Pack version. Download Now
for better performance.
OK------
Pop-up displayed after any of the "update" buttons are pressed:
Are you sure you want to leave?
OK Download Flash...
Text presented at the bottom of the page promoting the "There is a new Codec Pack version" scam:
The download process will be performed by launching mediadownloader, which is a platform for the installation of software ("Installer"). The Installer may include suggestions for the installation of additional free software offers ("Offers"), alongside the Flash installation. You may choose to install the offers during the installation process. You may also remove the offers after you have chosen to install them. IP address will be logged for analytics and fraud detection reasons and will be deleted from our records after 24 hours. You can download Flash without using the Installer from its original site. Your use of the Installer is subject to the Installer's Terms of Use & Privacy Policy. The Installer is not associated or endorsed by Flash. Uninstall
Appearance of "There is a new Codec Pack version" scam (GIF):
Screenshot of instructions detailing how to install the fake Flash Player updates:
Screenshot of the fake Flash Player update installation setup:
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is There is a new Codec Pack version pop-up?
- How to identify a pop-up scam?
- How do pop-up scams work?
- How to remove fake pop-ups?
- How to prevent fake pop-ups?
- What to do if you fell for a pop-up scam?
How to identify a pop-up scam?
Pop-up windows with various fake messages are a common type of lures cybercriminals use. They collect sensitive personal data, trick Internet users into calling fake tech support numbers, subscribe to useless online services, invest in shady cryptocurrency schemes, etc.
While in the majority of cases these pop-ups don't infect users' devices with malware, they can cause direct monetary loss or could result in identity theft.
Cybercriminals strive to create their rogue pop-up windows to look trustworthy, however, scams typically have the following characteristics:
- Spelling mistakes and non-professional images - Closely inspect the information displayed in a pop-up. Spelling mistakes and unprofessional images could be a sign of a scam.
- Sense of urgency - Countdown timer with a couple of minutes on it, asking you to enter your personal information or subscribe to some online service.
- Statements that you won something - If you haven't participated in a lottery, online competition, etc., and you see a pop-up window stating that you won.
- Computer or mobile device scan - A pop-up window that scans your device and informs of detected issues - is undoubtedly a scam; webpages cannot perform such actions.
- Exclusivity - Pop-up windows stating that only you are given secret access to a financial scheme that can quickly make you rich.
Example of a pop-up scam:
How do pop-up scams work?
Cybercriminals and deceptive marketers usually use various advertising networks, search engine poisoning techniques, and shady websites to generate traffic to their pop-ups. Users land on their online lures after clicking on fake download buttons, using a torrent website, or simply clicking on an Internet search engine result.
Based on users' location and device information, they are presented with a scam pop-up. Lures presented in such pop-ups range from get-rich-quick schemes to fake virus scans.
How to remove fake pop-ups?
In most cases, pop-up scams do not infect users' devices with malware. If you encountered a scam pop-up, simply closing it should be enough. In some cases scam, pop-ups may be hard to close; in such cases - close your Internet browser and restart it.
In extremely rare cases, you might need to reset your Internet browser. For this, use our instructions explaining how to reset Internet browser settings.
How to prevent fake pop-ups?
To prevent seeing pop-up scams, you should visit only reputable websites. Torrent, Crack, free online movie streaming, YouTube video download, and other websites of similar reputation commonly redirect Internet users to pop-up scams.
To minimize the risk of encountering pop-up scams, you should keep your Internet browsers up-to-date and use reputable anti-malware application. For this purpose, we recommend Combo Cleaner Antivirus for macOS.
What to do if you fell for a pop-up scam?
This depends on the type of scam that you fell for. Most commonly, pop-up scams try to trick users into sending money, giving away personal information, or giving access to one's device.
- If you sent money to scammers: You should contact your financial institution and explain that you were scammed. If informed promptly, there's a chance to get your money back.
- If you gave away your personal information: You should change your passwords and enable two-factor authentication in all online services that you use. Visit Federal Trade Commission to report identity theft and get personalized recovery steps.
- If you let scammers connect to your device: You should scan your computer with reputable anti-malware (we recommend Combo Cleaner Antivirus for macOS) - cyber criminals could have planted trojans, keyloggers, and other malware, don't use your computer until removing possible threats.
- Help other Internet users: report Internet scams to Federal Trade Commission.
▼ Show Discussion