Someone is targeting web denizens with a malicious, copycat Malwarebytes website, which serves up the Raccoon information stealer malware to unsuspecting visitors. According to the security firm itself, the attackers set up the domain “malwarebytes-free[.]com” with a domain registrar in late March.
“Examining the source code, we can confirm that someone stole the content from our original site but added something extra,” according to a posting from the security firm this week. “A JavaScript snippet checks which kind of browser you are running, and if it happens to be Internet Explorer, you are redirected to a malicious URL belonging to the Fallout exploit kit.”
Further, the fake Malwarebytes site is being used in a malvertising campaign via the PopCash ad network, researchers added. Fake Malwarebytes ads served up by the PopCash network take visitors to the watering-hole site. The firm said that it contacted PopCash to report the malicious advertiser.
Whether they arrive via organic means or via an ad, once visitors hit the site, the Fallout exploit kit (EK) is used to infect vulnerable machines with the Raccoon data-harvesting malware. Raccoon scours systems for credit card information, cryptocurrency wallets, passwords, emails, cookies, system information and data from popular browsers (including saved credit-card info, URLs, usernames and passwords), and then sends that data back to its operator.