Cloned website Pushing Adware
News | 07/31/2018

Adware Bundling hits Popular website platforms – Cloned!

About: French security researchers recently discovered a deceit involving the distribution of adware programs via clone websites with legitimate-looking domains. These legitimate-looking clone websites use domain names that resemble the popular & official...


An adware delivery ploy was uncovered recently that involved the distribution of adware programs via clone websites that use legitimate-looking domains. The deceit came to light when a phony website, keepass.fr, was discovered that replicated the official site keepass.info. KeePass is an open source password manager that helps users manage their passwords for Windows network logon, websites, FTP, email accounts, online accounts etc. in a secure manner.

InstallCore adware is pushed when apps from this clone website are installed

The clone of the KeePass password manager app appears legitimate and is fully functional. However, it is infected with the malicious InstallCore adware.

InstallCore is an adware program that bundles popular legitimate applications with malicious third-party applications. The user is lured into installing an application that carries a popular title, unaware that doing so makes the system susceptible to other adware infections. The offers shown in ads may be legitimate, but they do not come alone: they are accompanied by other apps that may be malicious. For instance, cryptocurrency miners, browser hijackers, adware etc. may be pushed along with the legitimate apps.

The motive behind this act is solely monetary. Each successful installation of additional adware programs earns the adware bundlers a commission fee.

Other similar cloned websites pushing adware discovered

Keepass.fr is not the only cloned website. It is just one part of a much larger collection of typosquatted domains.

  • Typosquatting URLs: Typosquatting is a form of cybersquatting that relies on mistakes made by internet users, such as typos when entering a website address.

For instance, if movies.com is a legitimate site, the typosquatter’s URL could be:

  1. moveis.com – A misspelling based on typos
  2. movie.com – Differently phrased domain name
  3. movies.org – A different top-level domain etc.

Typos made by users land them on the typosquatter’s website, tricking them into thinking that they are on the real web page.

Other fake domains registered by this individual/group imitated famous sites such as:

  1. TrueCrypt
  2. 7-Zip
  3. Inkscape
  4. Audacity
  5. FileZilla
  6. GParted etc.

  • Different TLD (top-level domain): A TLD is the highest-level domain in the hierarchical Domain Name System of the internet. For instance, in the domain movies.com, the top-level domain is com.

The TLDs mainly used for the registered fake websites are .fr and .es, for example audacity.fr, truecrypt.fr, blender3d.fr, filezilla.fr, thunderbird.es, audacity.es etc.

Moreover, the content of these fake websites is in either French or Spanish, indicating that the audience targeted by these cyber criminals is French or Spanish. However, a small fraction of these websites contained content in English and used international TLDs.

The fact that all these malicious cloned sites are hosted on the same server has made the entire operation susceptible to an easy collapse.
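
The two lookalike patterns described above (a near-miss spelling, and the same name under a different TLD) can be checked mechanically before a download site is trusted. The Python code below is an added example, not part of the original article; the OFFICIAL allowlist, the function names and the one-edit threshold are assumptions, and the sample domains are the ones the article names.

```python
# Added example: classify a download domain against known official domains.
OFFICIAL = {"keepass.info", "movies.com"}  # assumed allowlist, taken from the article's examples


def osa_distance(a: str, b: str) -> int:
    """Edit distance that also counts a swap of two adjacent letters as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ei" typed instead of "ie".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def split_domain(domain: str):
    """Naive split into (name, tld); assumes a single-label TLD such as .fr or .com."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2] if len(labels) > 1 else labels[0]), labels[-1]


def classify(domain: str, max_edits: int = 1):
    """Return (verdict, official domain it resembles) for a candidate domain."""
    name, tld = split_domain(domain)
    if f"{name}.{tld}" in OFFICIAL:
        return "official", f"{name}.{tld}"
    for legit in sorted(OFFICIAL):
        l_name, l_tld = split_domain(legit)
        if name == l_name and tld != l_tld:
            return "different-tld", legit        # e.g. keepass.fr vs keepass.info
        if 0 < osa_distance(name, l_name) <= max_edits:
            return "near-miss-name", legit       # e.g. moveis.com vs movies.com
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample input built from the domains named in the article.
    for d in ["keepass.info", "keepass.fr", "moveis.com", "movie.com",
              "movies.org", "example.org"]:
        print(f"{d:15} {classify(d)}")
```

A "different-tld" or "near-miss-name" verdict only says the domain resembles an official one; whether it is a clone still has to be confirmed against the project's published download location.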

Tips for users to stay safe from cloned websites pushing adware

Users are advised to be cautious when downloading any software, even from a legitimate site.

Moreover, scanning the software with an authenticated antivirus tool is a good practice. It spares users from additional headaches by detecting the threats.
