September 20, 2013

Phun with Phishing
Posted by Jim Macdonald at 12:33 PM * 20 comments

My goodness! Look what showed up as a pop-under in a new window as I went cruising around the web this morning!

This had opened in a new window. I didn’t notice it right away; who knows what page had it hitching along like a lamprey. (I’m told that things like this infect the ads that are served by legitimate ad-servers that are installed on legitimate pages.)

It seemed bogus to me: For one thing I’d just updated Firefox, and Firefox’s update notices don’t appear in anything even close to this format.

The full text reads:

Outdated Browser Detected
You are currently using - Firefox 24 - which is now outdated Please Update The Latest Browser Version (Recommended)

UPDATES IN THE NEWEST BROWSER VERSION:

1. Security
1.1 The newest browser version protects you better against scams, viruses, trojans, phishing and other threats. They also fix security holes in your current browser!

2. Speed
2.1 Every new browser generation improves speed

3. Compatibility
3.1 Websites using new technology will be displayed more correctly

4. Comfort & better experience
4.1 WIth new features, extensions and better customisability, you will have a more comfortable web-experience

The file it asks you to download is called “Firefox_setup.exe.” What that is, according to AVG, is adware plus a trojan dropper.

Naturally I reported this to Google’s “Report a Web Forgery” site.

This is a pretty good malware site, as such things go. At least all the words were spelled right. Only one capitalization error. I have no doubt that it will fool some of the unwary.

The greyed-out fine print at the bottom of the page reads:
Privacy Policy · Terms & Conditions · Uninstall · Contact
Disclaimer: We are not affiliated nor partnered, with Firefox. Firefox has not authored, participated in, or in any way reviewed this advertisement or authorized it. All trademarks, service marks, logos, and/or domain names (including the names of products and retailers) are property of their respective owners.
Modified Installer: This website is distributing custom installers which are different from the originally available distribution. These new installers comply with the original software manufacturers’ policies and terms & conditions, however, they are not the originals. Optimum Installer is an install manager, which manages the installation of your chosen software. In addition to managing your download and installation, Optimum Installer will offer free popular software that you may be interested in. You are not required to install any additional software to complete your installation of your selected software. You can always completely remove the programs at any time in Windows’ Add/Remove Programs.
Comments on Phun with Phishing:
#1 ::: Duncan J Macdonald ::: (view all by) ::: September 20, 2013, 12:44 PM:

I also suspect that the phrase "They also fix security holes in your current browser!" might be an indicator of malicious intent.

#2 ::: Jim Macdonald ::: (view all by) ::: September 20, 2013, 12:47 PM:

Lack of a serial comma is also a clue.

#3 ::: P J Evans ::: (view all by) ::: September 20, 2013, 01:20 PM:

This particular example would set off my WTF reaction because FF24 just got to my system yesterday.

I have, however, gotten emails of the same style purporting to be from my non-Gmail provider, shortly after their system was upgraded.

#4 ::: Jack Heneghan ::: (view all by) ::: September 20, 2013, 02:00 PM:

You made me look, and my FireFox upgraded itself to 24.

#5 ::: chris ::: (view all by) ::: September 20, 2013, 02:52 PM:

How many scams start by offering to protect you from scams? I bet it's a lot.

#6 ::: David Langford ::: (view all by) ::: September 20, 2013, 03:43 PM:

"PublishAmerica has detected Jim Macdonald on your computer! Click here to install our urgent fix for this malware, which is directly responsible for the current situation in Syria."

No, I don't suppose they're even that clever.

#7 ::: Clifton ::: (view all by) ::: September 20, 2013, 05:17 PM:

chris @ 5: Not quite the same, but these days quite a fraction of the Nigerian 419 scams are aimed at addressing people who have been taken by previous 419 scams, and offering them compensation. Looking at it from the scammers' standpoint, it makes beautiful sense - after all, that way you're going to reach the ones who not only were dumb enough to be taken in the first time but who are still falling for it.

#8 ::: Alexander Kosoris ::: (view all by) ::: September 20, 2013, 05:40 PM:

At least you can always completely remove the programs at any time using Windows' Add/Remove Programs.

#9 ::: Fragano Ledgister ::: (view all by) ::: September 20, 2013, 06:45 PM:

David Langford #6: You win One Internet. Please collect it from P.O. Box 419, Lagos, Nigeria.

#10 ::: rm ::: (view all by) ::: September 20, 2013, 10:58 PM:

I'm not sure why scammers are incapable of writing officialese competently. It's always a little off, even without majorly glaring grammar and spelling errors. The sentences aren't quite right.

Two ideas. One, scammers only put in enough effort to fool the really gullible, and the great majority of people don't read well enough to see the linguistic markers. The bad guys don't want extremely literate people responding to these appeals.

Two, some scammers do write really well, and find themselves recruited by Bigger Operators. What's the robbing of a bank compared to the founding of a bank?

#11 ::: Alex R. ::: (view all by) ::: September 20, 2013, 11:00 PM:

The NSA can't write better than that?

#12 ::: John ::: (view all by) ::: September 21, 2013, 12:14 AM:

"(I’m told that things like this infect the ads that are served by legitimate ad-servers that are installed on legitimate pages.) "

Error in parsing: "legitimate" along with "ad-servers" and the consequent "ad-servers that are installed on legitimate pages".

Legitimate websites do not display un-vetted ads from third parties.

Any website that displays 3rd party ads deserves adblock.

('"advertising" is a dead medium' is a different, related problem.)

#13 ::: John ::: (view all by) ::: September 21, 2013, 12:17 AM:

rm @10: They are deliberately, actively including obvious bullshit that is trivially detectable.

It's a filtering function: If you're not the kind of clueless user who would ignore that kind of error, they don't want you. If you DO ignore that kind of error, you're more likely to also ignore any further mistakes and give them money for their obvious scams.

The blatant errors exist *so that* the scammers don't waste time on the not-scammed-by-obvious-scams brigade.

#14 ::: Rob Rusick ::: (view all by) ::: September 21, 2013, 07:05 AM:

I looked at Jim's screen capture. I was struck that while on first glance it gives the illusion that it's a Firefox installer, the orange swash around the globe is not the firefox — it's an orange arrow.

Also interesting was the helpful 3 pt type in 10% grey at the bottom. Here's a transcription:

Disclaimer: We are not affiliated nor partnered with Firefox. Firefox has not authored, participated in, or in any way reviewed this advertisement or authorized it. All trademarks, service marks, logos and/or domain names including the names of products and retailers are property of their respective owners.

Modified Installer: This website is distributing custom installers which are different from the originally available distribution. These new installers comply with the original software manufacturers policies and terms & conditions. However, they are not the originals. Optimum Installer is an install manager, which manages the installation of your chosen software. In addition to managing your download and installation, Optimum Installer will offer free popular software that you may be interested in. You are not required to install any additional software to complete your installation of your selected software. You can always completely remove the programs at any time in Windows Add Remove Programs.

#15 ::: Dave Bell ::: (view all by) ::: September 21, 2013, 08:45 AM:

Rob, that sort of installer-with-extras gets used by some legitimate free software. They're sometimes a sort of advertising, but I am strongly disinclined to trust any software distributed in that manner. When the situation gets as murky-grey as this one, they don't make bargepoles long enough.

#16 ::: David Langford ::: (view all by) ::: September 21, 2013, 10:03 AM:

#15 – I don't much like it, either, when otherwise respectable freeware comes with unrelated opt-out-if-you-happen-to-notice extras like downloading some web browser and making it your system default.

#17 ::: Cassy B. ::: (view all by) ::: September 21, 2013, 10:48 AM:

Heck, I was livid when, a month or two ago, an otherwise perfectly unexceptional Microsoft Update reset my homepage to msn.com and my default search engine to Bing.

#18 ::: Jeremy Leader ::: (view all by) ::: September 21, 2013, 07:27 PM:

John @12:

Legitimate websites do not display un-vetted ads from third parties.
Any website that displays 3rd party ads deserves adblock.

John, do you include our hosts in the category of "illegitimate websites"? I don't know what blogads.com's vetting process is, but I had the impression the MakingLight folks aren't directly involved (though I thought they had the ability to kick out ads they find objectionable after they've noticed them, but I could be mis-remembering).

#19 ::: John A Arkansawyer ::: (view all by) ::: September 21, 2013, 08:01 PM:

It was in one of those ads that I read here just today that Carolyn Cassady was dead. How I feel about that I don't know.

#20 ::: Clarentine ::: (view all by) ::: September 24, 2013, 04:44 PM:

John @13 - I'd observed a similar pattern of deliberate misspelling to weed out the wise and aware on Facebook; (un)amusingly, those posts still get forwarded ad nauseam. I suspect that says something about the average Facebook user.

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 by Patrick & Teresa Nielsen Hayden. All rights reserved.