- Feb 4, 2016
A French security researcher has stumbled upon an adware delivery scheme that involves clone websites that use legitimate-looking domain names to trick victims into downloading famous apps, but which are actually laced with adware.
The first of these websites was discovered three days ago by Ivan Kwiatkowski. This website was located at keepass.fr, a domain name trying to pass as the app's official site located at keepass.info.
Apps downloaded from these sites push InstallCore adware
The version of Keepass downloaded from this fake website contained a legitimate and fully-working version of the password manager, but also the InstallCore adware [1, 2].
This type of adware is a modular threat that works by bundling free software with third-party "offers" as part of the application's installation process. For example, here's a version of the ImgBurn bundle prompting users to install a free version of the AVG antivirus. For every successful installation of an additional program, the adware bundler earns a commission.
Tens of similar websites discovered
The fake Keepass.fr website was not the only such site. It was part of a larger collection of typosquatted domains, all registered using the same email address.
Other domains registered by this individual/group tried to pose as websites for other famous software such as 7Zip, Paint.net, Inkscape, Scribus, GParted, Celestia, Audacity, Filezilla, Truecrypt, Blender, AdBlock, and more.
Most of these domains were registered using a .fr or .es TLD. The content on these sites was also available only in French or Spanish, suggesting the person behind these sites was trying to push the adware-infested apps to French-speaking or Spanish-speaking users only. A few sites were also available using international TLDs, and in English.
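The pattern described above (one registrant behind many brand-name domains that differ from the official site only by TLD) can be triaged with a small script. The following is an added example, not code from the article or from the researcher; apart from keepass.info and keepass.fr, every domain and registrant e-mail in it is a constructed sample.

```python
"""Flag TLD-swap lookalikes of known software download domains and
cluster them by registrant e-mail.  Added example: only keepass.info
(official) and keepass.fr (named in the article) are real; all other
domains, the OFFICIAL list entries and the e-mail addresses are
constructed placeholders."""
from collections import defaultdict

# Official download domains a defender maintains as an allowlist.
# keepass.info is from the article; the two others are constructed.
OFFICIAL = {"keepass.info", "exampletool.org", "othertool.org"}

# Constructed WHOIS-style records: (domain, registrant e-mail).
RECORDS = [
    ("keepass.fr", "registrant-a@example.invalid"),
    ("exampletool.fr", "registrant-a@example.invalid"),
    ("othertool.es", "registrant-a@example.invalid"),
    ("keepass.info", "official@keepass.invalid"),
    ("unrelated.fr", "someone-else@example.invalid"),
]

def split(domain):
    """Return (second-level label, TLD) for a simple domain.
    Assumes a single-label suffix such as .fr or .info (not .co.uk)."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld

def is_tld_swap(domain, official=OFFICIAL):
    """True if domain reuses an official second-level label under a
    different TLD, e.g. keepass.fr vs keepass.info."""
    if domain.lower() in official:
        return False
    label, _ = split(domain)
    return any(split(o)[0] == label for o in official)

def cluster_by_registrant(records, official=OFFICIAL):
    """Group suspected lookalikes by registrant e-mail and keep only
    addresses behind more than one lookalike: a single registrant
    controlling many brand lookalikes is the scheme in the article."""
    clusters = defaultdict(list)
    for domain, email in records:
        if is_tld_swap(domain, official):
            clusters[email].append(domain)
    return {e: sorted(d) for e, d in clusters.items() if len(d) > 1}

if __name__ == "__main__":
    for email, domains in cluster_by_registrant(RECORDS).items():
        print(f"{email}: {', '.join(domains)}")
```

Feeding the same functions a real allowlist and newly registered domain feeds (with the registrant field taken from WHOIS/RDAP where still available) turns this into a lookalike-domain watch for the software a fleet actually downloads.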
Below are sites that pushed copies of legitimate software bundled with this adware: