While browsing reddit and clicking a link to imgur I found myself accosted by a fake virus warning advert:
The URL in use was:
gpfree0002.pw is registered via a privacy service and the nameservers and web hosting point at DDoS protection service CloudFlare.
The base64 data in the URL above decodes to:
The pop up message on the page reads:
“Your system is heavily damaged by Four virus!”
“We detect that your ” + getURLParameter(‘brand’) + ” ” + getURLParameter(‘model’) + ” is 28.1% DAMAGED because of four harmful viruses from recent adult sites. Soon it will damage your phone’s SIM card and will corrupt your contacts, photos, data, applications , etc.”
“If you do not remove the virus now , it will cause severe damage to your phone . Here’s what you NEED to do (step by step ) :”
“Step 1: Tap the button and install APP for free on Google Play!”
“Step 2: Open the app to speed up and fix your browser now!”
“REPAIR FAST NOW”
“This ” + (getURLParameter(“brand”)) + ” ” + (getURLParameter(“model”)) + ” is infected with viruses and your browser is seriously damaged. You need to remove viruses and make corrections immediately.”
“It is necessary to remove and fix now.”
“Don’t close this window.”
“** If you leave , you will be at risk **”
It also seems to support multiple languages.
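As an added example (not part of the original post), here is a small Python triage helper for landing-page URLs of this kind: it pulls out the `brand` and `model` parameters that the pop-up text interpolates and decodes any base64-looking query values. The sample URL, its host and the `d` parameter name are constructed placeholders, not values from the advert.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters the pop-up text on this page interpolates via getURLParameter().
DEVICE_PARAMS = {"brand", "model"}
# At least 16 characters of either base64 alphabet, with optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def try_b64(value):
    """Return decoded text if value is plausibly base64 of printable text, else None."""
    value = value.replace(" ", "+")  # parse_qsl turns '+' into a space
    if not B64_RE.match(value):
        return None
    body = value.rstrip("=")
    body += "=" * (-len(body) % 4)  # restore any stripped padding
    try:
        raw = base64.urlsafe_b64decode(body.replace("+", "-").replace("/", "_"))
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def triage(url):
    """Summarise what a landing-page URL carries in its query string."""
    parts = urlsplit(url)
    report = {"host": parts.hostname, "device": {}, "decoded": {}}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in DEVICE_PARAMS:
            report["device"][key.lower()] = value
        decoded = try_b64(value)
        if decoded is not None:
            report["decoded"][key] = decoded
    # Both device parameters present: the page can name the visitor's handset.
    report["personalised_lure"] = DEVICE_PARAMS.issubset(report["device"])
    return report


# Constructed sample: the host, the "d" parameter and all values are made up.
SAMPLE = ("http://landing.example.invalid/v/?brand=Acme&model=Phone+X"
          "&d=" + base64.urlsafe_b64encode(b"campaign=demo&lang=en").decode())

if __name__ == "__main__":
    print(triage(SAMPLE))
```
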
Upon touch it seems to then redirect you to:
Which in turn sends you on to an App Store app called “DU Cleaner(Boost&Clear Cache)”
Seems like a bit of a long play to get commission payments or similar. I’d expect this kind of scam to actually be trying to trick victims into calling a fake tech support service rather than installing a “free”* app to speed up their phones. (*probably asks for payment to fix errors).
The ilovemobiletrack.com domain is also registered via a privacy service, and its DNS is hosted at CloudFlare. However, the hostname click. is a CNAME to kmdhl.voluumtrk.com and is hosted at Amazon AWS.
voluumtrk.com seems to only relate to scams and popup content when you research it on Google. Alexa claims that the site is ranked the 1,668th most popular website in the world! That shows just how widespread this scam / junk is. Their popularity ranking peaked mid-April.
Other domains likely to be involved are: