Researchers found a network of websites that are offering cracked software downloads loaded with malware. The software is usually disguised as legitimate software updates.
A team of researchers from cybersecurity firm Sophos published a report last week revealing how the cybercriminals behind these sites are infecting users with click fraud bots, information stealers, and even ransomware to steal confidential user data and gain access to vulnerable devices.
Researchers found a whole network of WordPress websites that lure online users with the promise of cracked software or free apps.
“Most of the bait pages we found are hosted on WordPress blog platforms. Download buttons on these pages link to another host, passing a set of parameters that includes the package name and affiliate identifier codes to an application that then redirects the browser session to yet another intermediary site, before finally arriving at a destination,” Sophos researchers wrote.
Once a user clicks on the download link, they are automatically taken to a different website that installs unwanted browser plug-ins and malware on their device.
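The multi-hop redirect chain described above (bait page, redirector carrying package and affiliate parameters, intermediary, final download host) is the kind of pattern a defender can flag in proxy or browser telemetry. The following is an added example, not code from the Sophos report; the hostnames, parameter names and the redirect table are constructed placeholders standing in for real HTTP 30x responses.

```python
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for a sequence of HTTP redirects: each key is a
# requested URL, each value the Location it redirected to. Placeholder
# hosts only; none of these are real indicators.
SAMPLE_REDIRECTS = {
    "https://bait-blog.example/download?pkg=photo-editor-pro&aff=12345":
        "https://redirector.example/go?pkg=photo-editor-pro&aff=12345",
    "https://redirector.example/go?pkg=photo-editor-pro&aff=12345":
        "https://intermediary.example/land?aff=12345",
    "https://intermediary.example/land?aff=12345":
        "https://final-host.example/setup.exe",
}

# Assumed affiliate-style query parameter names (hypothetical list).
AFFILIATE_KEYS = {"aff", "affiliate", "aid", "sub_id"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".zip", ".rar")


def follow_chain(start, table, max_hops=10):
    """Walk the redirect table from `start`, stopping at a URL that does
    not redirect further or when max_hops is exceeded (loop guard)."""
    chain = [start]
    url = start
    while url in table and len(chain) <= max_hops:
        url = table[url]
        chain.append(url)
    return chain


def assess_chain(chain):
    """Score a redirect chain against the pattern in the report: several
    distinct hosts, affiliate tracking parameters carried along the way,
    and an executable archive or installer at the end."""
    hosts = [urlparse(u).hostname for u in chain]
    distinct_hosts = len(set(hosts))
    carries_affiliate = any(
        AFFILIATE_KEYS & set(parse_qs(urlparse(u).query)) for u in chain
    )
    drops_executable = chain[-1].lower().endswith(EXECUTABLE_SUFFIXES)
    suspicious = distinct_hosts >= 3 and carries_affiliate and drops_executable
    return {
        "hops": len(chain) - 1,
        "distinct_hosts": distinct_hosts,
        "affiliate_params": carries_affiliate,
        "executable_endpoint": drops_executable,
        "suspicious": suspicious,
    }
```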
These include Stop Ransomware, installers for Raccoon Stealer, the Glupteba backdoor, and a few cryptocurrency miners that are sometimes disguised as antivirus software.
Another trick the attackers use is to lure users to their websites through web notifications. When a user visits one of their sites for the first time and allows it to send web notifications, they spam the user with fake alerts about attacks and security threats. The user is then encouraged to click on the links provided by the attacker to protect their device from non-existent malware.
After clicking these links, users are taken to a website that forwards them to a malicious site, where they unwittingly download and install malware on their system. These attackers also use SEO tactics to rank their websites at the top of search results and trap more inexperienced visitors.
Recently, one such “warez” website, a popular Pakistani platform called InstallUSD, has been secretly dropping malware inside cracked versions of the software under its malvertising network facade.