exocrine exocrine

All information provided as is.

Wednesday, Aug 03, 2011

Condition Remains GREEN

We continue to monitor a fake FLASHPlayer.pkg first reported by F-Secure.com. This type of attack is similar to one conducted in 2007 and 2009. The fake installer alters /private/etc/hosts to add an altered IP for Google Sites. Because the mapping in the hosts file is consulted before DNS resolution, users are redirected to a site that looks like a Google login page.

We again recommend blocking 91.224.160.0/23 (Bergdorf Group Ltd.). There are known spammers on this network.
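
A defender-side check for the hosts-file change and the network range described above, added here as an example (not code from the original post): it parses hosts-file text and flags entries that point into 91.224.160.0/23 or that pin a watched domain to a non-loopback address. The watched suffix list and the sample entries are assumptions constructed for illustration.

```python
import ipaddress

BLOCKED_NET = ipaddress.ip_network("91.224.160.0/23")  # range named in the post
WATCHED_SUFFIXES = ("google.com",)  # assumption: the post only says "Google Sites"

# Constructed sample hosts file; the last two mappings are invented for the demo.
SAMPLE = """\
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
91.224.160.10   www.google.com google.com  # constructed
198.51.100.7    sites.google.com           # constructed
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            # Strip an IPv6 zone id such as "%lo0" before parsing.
            ip = ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        for name in fields[1:]:  # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Return (line_no, ip, hostname, reasons) for each suspicious mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        reasons = []
        if ip.version == 4 and ip in BLOCKED_NET:
            reasons.append("address in 91.224.160.0/23")
        if is_watched(name) and not ip.is_loopback:
            reasons.append("watched domain pinned in hosts file")
        if reasons:
            findings.append((line_no, str(ip), name, reasons))
    return findings

if __name__ == "__main__":
    # To audit a real Mac, pass the contents of /private/etc/hosts instead.
    for line_no, ip, name, reasons in audit_hosts(SAMPLE):
        print(f"line {line_no}: {name} -> {ip} ({'; '.join(reasons)})")
```

A stock hosts file contains only localhost and broadcasthost entries, so any finding is worth investigating.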