About a week ago, a reader asked for help with a nasty typo squatting incident:
The site, “yotube.com”, at the time redirected to fake tech support sites. These sites typically pop up a message alerting the user of a made-up problem and offer a phone number for tech support.
Investigating the site, I found ads, all of which can be characterized as deceptive. In addition to offering tech support, some of the ads offered video players for download or even suggested that the user has to log in to the site, offering a made up login form. If a user clicks on these ads, the user is sent to a number of different redirects. For example:
For example: (URL parameters removed to make this more readable)
hxxp://inclk.com/adServe/feedclick (URL the ad linked to)
At the time, the ads were hosted at “inclk.com.” Inclk.com is a URL used by RevenueHits, an ad network.
Knowing where these ads come from, I set up an account with RevenueHits and added ads to a test page. So far, I have only gotten deceptive ads like the following:
The ads usually claim that a video player is used to view the page, or they suggest that software like a Flash player is out of date and needs to be updated. In one case, it even suggested that I need to log in to view the site and redirected me to a login page, which could be considered phishing.
Next, you are offered a download:
Below this dialog, a hard to read disclaimer is displayed (I left the colors "as is." Click on the image for a full-resolution version):
Virustotal identifies the resulting download as "Adware." I didn't install it, but from experience, the installer will install a valid Flash Player in addition to a bunch of adware, often in the form of browser toolbars.
Now, these ads were after all displayed on my page, and I had an account set up with RevenueHits. So I decided to inquire about the deceptive ads I received:
The moment I submitted this request, I received the following (obviously automated) response:
The ads continued to be displayed on my site. A business day later, I received a manual reply to my initial question:
I still receive exclusively deceptive ads from RevenueHits. However, at least the results are not that bad. RevenueHits would pay me $0.36 for the one "click through" it counted. I haven't set up payment details with them and have no intentions of claiming the prize ;-)Defending Web Applications Security Essentials - SANS San Francisco Spring 2020
Jun 7th 2017
2 years ago
My partner got one of these on his iPad which appeared to come from Apple (All the domain names in the mail were validly apple.com), but said to call the number to get his device unlocked. Unfortunately he called the number and gave them his email and Zip code before getting nervous and calling me.
His safari browser had been sent a malware page which could not be exited from. It was easy enough for me to go to settings and dump all Safari history to recover. The 866 number given was listed as a known scammer using a quick google search.
Jun 9th 2017
2 years ago