These people have something to hide if they are doing this..
Regularly across the internet, if you don’t have an advert blocker, you see fake green “Download” buttons on websites with AdSense / AdWords adverts.
Spot the advert – right-hand side below the “(free download)” link on the paint.net site. A green download button.. then a load of white space and then a logo. It isn’t clear to normal users that this is an advert. It is less clear that the advert actually takes you to a website that isn’t about paint.net, won’t give you paint.net and will install other advertising software or software that is massively privacy invading.
Then the fishy stuff starts. If you click the advert* for the first time you get this page:
Firstly another website with a fake download button and no description about what you are actually about to download. If you scroll down another page past half a page of white space there are some grey links with “Terms & Conditions” etc.. but deliberately unclear.
But.. if you click it again and any further times from any computer on the same IP address you instead get:
Why would an advertiser do this… unless they have something to hide?
For starters it will make tracking down the source of malware difficult. If I visit a customer and look at their internet history there is a high chance I will discount this domain / website as the source. After all – there are no download options on the second site and it doesn’t look too suspicious.
Secondly.. I expect it also means that, when reported to Google and if Google customer services reps all use the same IP, they are likely to see the second “clean” site and not the one that is attempting to infect users.
This makes me angry.
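If you have web proxy logs rather than just browser history, the "different page on the first visit from each IP" behaviour described above can be searched for directly. The sketch below is an added example, not part of the original post; the log format, the response-body digest field and the sample hosts and IPs are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO
from urllib.parse import urlsplit

# Constructed sample proxy log (not real data):
# time, egress IP, URL, digest of the response body.
SAMPLE_LOG = """\
2016-01-22T09:00:01,198.51.100.7,http://ads-landing.example/?country=uk,aaa111
2016-01-22T09:05:40,198.51.100.7,http://ads-landing.example/?country=uk,bbb222
2016-01-22T11:12:09,198.51.100.7,http://ads-landing.example/?country=uk,bbb222
2016-01-22T09:30:00,203.0.113.20,http://ads-landing.example/?country=uk,aaa111
2016-01-22T10:02:13,203.0.113.20,http://ads-landing.example/?country=uk,bbb222
2016-01-22T09:01:00,198.51.100.7,http://news.example/,ccc333
2016-01-22T09:45:00,198.51.100.7,http://news.example/,ccc333
"""

def find_first_visit_cloaking(log_text):
    """Return {host: [egress IPs]} where the first response an IP received
    differs from every later response, and the later ones all agree."""
    visits = defaultdict(list)  # (host, ip) -> [(time, digest), ...]
    for ts, ip, url, digest in csv.reader(StringIO(log_text)):
        visits[(urlsplit(url).hostname, ip)].append((ts, digest))

    flagged = defaultdict(list)
    for (host, ip), rows in visits.items():
        rows.sort()  # ISO 8601 timestamps sort chronologically as strings
        digests = [d for _, d in rows]
        first, later = digests[0], set(digests[1:])
        # A single stable page after a different first page matches the
        # pattern in the post; requiring the later pages to agree filters
        # out sites whose content simply changes on every request.
        if len(later) == 1 and first not in later:
            flagged[host].append(ip)
    return {host: sorted(ips) for host, ips in flagged.items()}

if __name__ == "__main__":
    for host, ips in find_first_visit_cloaking(SAMPLE_LOG).items():
        print(f"{host}: first-visit page differs for {', '.join(ips)}")
```

A host flagged for several unrelated egress IPs is a much stronger signal than one flagged for a single IP, since a one-off difference can also come from cookie banners or A/B tests.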
Names associated with this scam:
Monkey Web Stats / monkeywebstats.com (184.108.40.206 LIQUIDWEB)
“REWATER PRESSURE – REINVENTING WATER PRESSURE” / rewaterpressure.com (220.127.116.11 LIQUIDWEB)
lambadacamera.com / Lambada Camera (18.104.22.168 LIQUIDWEB)
In the past I’ve seen them use an encrypted usb stick sales site to carry out the same scam.
Click the fake download button and you get taken to “http://lambadacamera.com/?country=uk&ball=cow&” which on first visit gives you a fake download / potentially unwanted software:
Upon second visit it looks like a legitimate website / product:
Update: 18th November 2015. I’ve come across another domain. Rewaterpressure.com with equally iffy adverts (spot the MASSSSSIVE fake download button at the top of the page).
Further visits then show a supposedly legitimate product page for some “coming soon” water pressure product.
Update 18th Jan 2016:
Another website with the same scam on a different domain http://www.genius-router.com. Upon second visit you get a page supposedly for a “really good” broadband router.
Upon first visit from the advert you get the crapware download page.
The router claims to have wifi (whereas the picture of a CISCO router doesn’t). The dimensions are also hilarious. They claim the router is 30.33 inches wide! Far wider than the standard 19 inch rack mount CISCO router shown in the photo.
When you try to buy the “genius router” you get a PayPal page saying the recipient is unable to accept funds.
Update 22nd Jan 2016:
They’ve moved onto using myofflinebackup.com
Other related domains are: