Security News Fake Websites for Keepass, 7Zip, Audacity, Others Found Pushing Adware

LASER_oneXM

A French security researcher has stumbled upon an adware delivery scheme that involves clone websites that use legitimate-looking domain names to trick victims into downloading famous apps, but which are actually laced with adware.

The first of these websites was discovered three days ago by Ivan Kwiatkowski. This website was located at keepass.fr, a domain name trying to pass as the app's official site located at keepass.info.

Apps downloaded from these sites push InstallCore adware

The version of Keepass downloaded from this fake website contained a legitimate and fully-working version of the password manager, but also the InstallCore adware [1, 2].
...
.....
...
This type of adware is a modular threat that works by bundling free software with third-party "offers" as part of the application's installation process. For example, here's a version of the ImgBurn bundle prompting users to install a free version of the AVG antivirus. For every successful installation of an additional program, the adware bundler earns a commission.
...
....
...

Tens of similar websites discovered

The fake Keepass.fr website was not the only such site. It was part of a larger collection of typosquatted domains, all registered using the same email address.


Other domains registered by this individual/group tried to pose as websites for other famous software such as 7Zip, Paint.net, Inkscape, Scribus, GParted, Celestia, Audacity, Filezilla, Truecrypt, Blender, AdBlock, and more.


Most of these domains were registered using a .fr or .es TLD. The content on these sites was also available only in French or Spanish, suggesting the person behind these sites was trying to push the adware-infested apps to French-speaking or Spanish-speaking users only. A few sites were also available using international TLDs, and in English.


Below are sites that pushed copies of legitimate software bundled with this adware:

...
.....
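The keepass.fr versus keepass.info case described above can be checked mechanically. The sketch below is an added example, not part of the original post or the researcher's work: it flags hosts that reuse an official project name under a different TLD or sit one character away from it. The function names, the single-label TLD split and the distance threshold of 1 are assumptions made for illustration.

```python
# Added example: flag download hosts that imitate an official project domain.
# OFFICIAL holds the one official domain named in the article; extend it per project.
OFFICIAL = {"keepass.info"}


def split_host(host):
    """Return (name, tld), ignoring case, a trailing dot and a 'www.' prefix.
    Assumption: single-label TLDs only (no public-suffix list handling)."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    if len(labels) < 2:
        return host, ""
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, official=OFFICIAL):
    """Return 'official', 'tld-swap', 'near-name' or 'unrelated'."""
    name, tld = split_host(host)
    verdict = "unrelated"
    for good in official:
        good_name, good_tld = split_host(good)
        if (name, tld) == (good_name, good_tld):
            return "official"
        if name == good_name:
            verdict = "tld-swap"      # same project name under another TLD
        elif verdict == "unrelated" and edit_distance(name, good_name) <= 1:
            verdict = "near-name"     # one character away from the real name
    return verdict


if __name__ == "__main__":
    # keepass.fr is from the article; the other hosts are constructed samples.
    for h in ("keepass.info", "www.keepass.fr", "keepas.info", "example.org"):
        print(h, "->", classify(h))
```

A "tld-swap" or "near-name" result is a reason to compare against the project's published download page, not proof that the site is malicious.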
 

LDogg

It can be easy for a more advanced user to spot the website address to be false straight away. Others may get taken by surprise. For me, however, I don't believe I should worry. Always best to look at domain names before entering them.

~LDogg
 
