Cloned website Pushing Adware

An adware delivery ploy was uncovered recently that involved the distribution of adware programs via clone websites that use legitimate looking domains.  The deceit came to light when a phony website keepass.fr was discovered that replicated the official site keepass.info. Keepass is an open source password manager tool that helps users to manage their passwords for Windows network logon, websites FTP password, email account, online passwords etc in a secure manner.

InstallCore adware is pushed when apps from this clone website are installed

The clone of Keepass password manager app appears legitimate and is fully functional. However it is infected with the malicious InstallCore adware.

InstallCore is an adware program that bundles popular legitimate applications along with malicious third party applications. The user is lured to install the application that comes with a popular title without being aware of making the system susceptible to other adware infections. The offers shown in ads may be legitimate but they do not come alone. They are accompanied by other apps that may be malicious. For instance, crypto currency miners, browser hijackers, adware etc may be pushed along with the legitimate apps.

The motive behind this act is solely monetary. Each successful installation of additional adware programs earns a commission fee to the adware bundlers.

Other similar Cloned website Pushing Adware discovered

Keepass.fr is not the only cloned website. It is just a part of much collection of  typo squatted domains.

• Typosquatting URL’s: It is a form of cyber squatting that relies on mistakes made by internet users like typos when inputting a website address.

For instance: If movies.com is a legitimate site, the typosquatter’s URL could be:

1. moveis.com – A misspell based on typos
2. movie.com – Differently phrased domain name
3. movies.org – A different top level domain etc

Typos made by users will land them on typosquatter’s website tricking them into thinking that they are on the real web page.

Other fake domains registered by this individual/group used famous sites such as:

1. Truecrypt
2. 7Zip
3. Inkscape
4. Audacity
5. Fileilla
6. GParted etc.

• Different TLD (Top Level domain): TLD is the highest level domain in the hierarchical domain name system of the internet. For instance, in the domain movies.com, top level domain is com.

TLDs mainly used for the registered fake website are .fr and .es. For example, audacity.fr, truecrypt.fr, blender3d.fr, filezilla.fr, thunderbird.es, audacity.es etc

Moreover, the content of these fake websites is either in French or Spanish depicting that the targeted audience of these cyber criminals is either French or Spanish. However, a small fraction of these websites contained content in English and utilized international TLDs.

The fact that all these malicious cloned sites are hosted on the same server has made the entire operation susceptible to an easy collapse.

Tips for the users to save form Cloned website Pushing Adware

Users are recommended to be cautious while downloading any software even from a legitimate site.

Moreover, scanning the software with an authenticated antivirus tool is a good practice. It spares users from additional headaches by detecting the threats.

Hits: 324