Fishy junkware adwords scam adverts

These people have something to hide if they are doing this..

Regularly across the internet, if you don’t have an advert blocker, you see fake green “Download” buttons on websites with adsense / adwords adverts.

monkeywebstats fake download button

Spot the advert – right hand side below the “(free download)” link on the paint.net site. A green download button.. then a load of white space and then a logo. It isn’t clear to normal users that this is an advert. It is less clear that the advert actually takes you to a website that isn’t about paint.net, won’t give you paint.net and will install other advertising software or software that is massively privacy invading.

Then the fishy stuff starts. If you click the advert* for the first time you get this page:

*url: http://www.googleadservices.com/pagead/aclk?sa=L&ai=C1QHEk68oVsMkyqWEBJCphfANpu_q2gbe8_XGgwLAjbcBEAEgtuHZBGC7_sSD0AqgAfK9ncUDyAECqAMByAPBBKoEek_QQ59Kwc8JMt_e4lZbzrX22DV5ZRSBoN19B_Vgj6ymJkpXuI7grZ-WM3XUV1C6FrRUuHzIuLubAdjoLiU1btEPRi2tch1aBQCC4eS9jb-IY3NOAGXftHW2l9gfL_nxXTey8S3RlUBq14by8RC-qMG7mz1irnec9OrsiAYBoAYCgAf2weI6qAemvhuoB7XBG9gHAdgTCA&num=1&cid=5Ghr7tfl52W-PxCB6vi5PeF7&sig=AOD64_1YnE640hBl-S30v6VvGKFEO3i5pg&client=ca-pub-4343851330510276&nm=10&mb=2&bg=!9_RE9Gs5oCtRp0wCAAAAXlIAAAApKgEJAmGMkzLjuPtFiYmeVjRu-61A83efHGs_0MvR32n30CxtoTACBubKeKyyLe-kSN57sy3_hvpVO3rQD5gE5synfYiHvuRmxS2B3rRO9YWHot5sUyGjD62ksiNfIF86MhJdbkQCmtkr87ImGZayZzzzsmb111JypNkmTC6LaRZck9GjSeJL7BrympHso2T4HbkbEoOi52ZE8sN5xJBNqYquGWGhHUDrwy-HoFkIPbLqSWd5xbEMLhKgc4gYKyt3m8-hDAVugrIwT0lDkrcFoXa7q8F85Vfi3OUcT8_RhWxxHKETz9psOnEvI4LPl_xW-rL60wf0HSajJeGejifGq_qcbbMmVfAANBlrOw&adurl=http://monkeywebstats.com/%3Fcountry%3Duk%26brt%3Dd99r

monkeywebstats landing page first visit

Firstly another website with a fake download button and no description about what you are actually about to download. If you scroll down another page past half a page of white space there are some grey links with “Terms & Conditions” etc.. but deliberately unclear.

But.. if you click it again and any further times from any computer on the same IP address you instead get:

monkeywebstats landing page further visits

Why would an advertiser do this… unless they have something to hide?

For starters it will make tracking down the source of malware difficult. If I visit a customer and look at their internet history there is a high chance I will discount this domain / website as the source. After all – there are no download options on the second site and it doesn’t look too suspicious.

Secondly.. I expect it also means that, when reported to Google and if Google customer services reps all use the same IP, they are likely to see the second “clean” site and not the one that is attempting to infect users.
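Because a later look at the landing site shows the “clean” page, the browsing history itself is the better evidence: the ad-click redirect records where the advert sent the user. The following is an added example, not part of the original post. It pulls the `adurl` destination out of ad-click URLs of the form shown above and lists the history rows for those landing hosts. The history rows, timestamps and the shortened `ai` token are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts that serve ad-click redirects (assumption: only the one seen on this page).
AD_CLICK_HOSTS = {"www.googleadservices.com", "googleadservices.com"}

# Constructed sample history rows (timestamp, URL); the "ai" token is a placeholder.
SAMPLE_HISTORY = [
    ("2015-10-22T09:14:02", "http://example.com/free-tool/download.html"),
    ("2015-10-22T09:14:20", "http://www.googleadservices.com/pagead/aclk?sa=L"
     "&ai=PLACEHOLDER&adurl=http://monkeywebstats.com/%3Fcountry%3Duk%26brt%3Dd99r"),
    ("2015-10-22T09:14:21", "http://monkeywebstats.com/?country=uk&brt=d99r"),
    ("2015-10-22T09:20:45", "http://example.org/news"),
]

def host_of(url):
    """Lower-cased hostname of a URL, or an empty string if it has none."""
    return (urlsplit(url).hostname or "").lower()

def ad_click_destination(url):
    """Return the landing URL carried in an ad-click redirect, or None."""
    parts = urlsplit(url)
    if host_of(url) not in AD_CLICK_HOSTS or not parts.path.startswith("/pagead/aclk"):
        return None
    # parse_qs percent-decodes the value, so the encoded landing URL comes back whole.
    values = parse_qs(parts.query).get("adurl")
    return values[0] if values else None

def ad_landing_hosts(history):
    """Map each host reached through an ad click to the click timestamps."""
    hits = {}
    for ts, url in history:
        dest = ad_click_destination(url)
        if dest and host_of(dest):
            hits.setdefault(host_of(dest), []).append(ts)
    return hits

def landing_visits(history):
    """History rows whose host was the destination of an ad click."""
    landing = ad_landing_hosts(history)
    return [(ts, url) for ts, url in history if host_of(url) in landing]

if __name__ == "__main__":
    for host, clicks in ad_landing_hosts(SAMPLE_HISTORY).items():
        print(host, "reached via ad click at", clicks)
    for row in landing_visits(SAMPLE_HISTORY):
        print("review:", row)
```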

This makes me angry.

Names associated with this scam:

Monkey Web Stats / monkeywebstats.com (64.91.226.50 LIQUIDWEB)
“REWATER PRESSURE – REINVENTING WATER PRESSURE” / rewaterpressure.com (64.91.229.160 LIQUIDWEB)
lambadacamera.com / Lambada Camera (64.91.234.232 LIQUIDWEB)
In the past I’ve seen them use an encrypted USB stick sales site to carry out the same scam.

Update: 15th November 2015. These people have moved onto using a different domain / website “lambadacamera.com / Lambada Camera”

pdf creator adwords lambadacamera com scam 1

Click the fake download button and you get taken to “http://lambadacamera.com/?country=uk&ball=cow&” which on first visit gives you a fake download / potentially unwanted software:

pdf creator adwords lambadacamera com scam 2

Upon second visit it looks like a legitimate website / product:

pdf creator adwords lambadacamera com scam 3

Update: 18th November 2015. I’ve come across another domain. Rewaterpressure.com with equally iffy adverts (spot the MASSSSSIVE fake download button at the top of the page).

scam2.png

scam1.png

Further visits then show a supposedly legitimate product page for some “coming soon” water pressure product.

Update 18th Jan 2016:
Another website with the same scam on a different domain, http://www.genius-router.com. Upon second visit you get a page for what is supposedly a “really good” broadband router.
Upon first visit from the advert you get the crapware download page.

The router claims to have wifi (whereas the Cisco router in the picture doesn’t). The dimensions are also hilarious. They claim the router is 30.33 inches wide! Far wider than the standard 19 inch rack mount Cisco router shown in the photo.

When you try to buy the “genius router” you get a PayPal page saying the recipient is unable to accept funds.
The Privacy Policy page on the genius router scam site seems to be a copy and paste of “Checkpoint”’s Privacy Policy.

Update 22nd Jan 2016:

They’ve moved onto using myofflinebackup.com

Other related domains are:

nowcontentfarm.com
stylemyself.net
rockbatteries.com
