Ever tried to watch a TV series or movie online? And after you finally found a website that looks legitimate, all you need to do is download or update Adobe Flash Player?
You had better check your computer ASAP, as you may have just downloaded some serious malware.
How the scam works
Users search for a website where they can watch the desired TV show, sports game, or movie and reach sites that appear legitimate with a wide range of accessible shows. But then the maze begins.
When our research team entered this website, we were redirected to various malicious operations/URLs, such as:
- A malicious Chrome extension download page
- Fake update scams
Scammers who run this kind of operation keep a chain of duplicated websites all performing the same scam, so a user may think they are browsing different sites when in fact these sites are all part of the same operation. Furthermore, if one site gets shut down, the scammers have a backup.
Let's examine one of the redirected websites:
As soon as a user enters the site, they are prompted to download or update Adobe Flash Player.
Get your popcorn; let's watch it in action:
What a piece of scammy work. You are probably wondering: how can you tell whether a download is malicious?
There are several tells:
- In most cases, a user reaches these sites through a redirect from a pop-up; if the "update" prompt appeared out of the blue rather than from the software itself, it is very likely a fake update.
- Is the download/installer even the promised product? As we can see in the video, an Adobe Flash Player update is advertised, yet the installer itself is branded HD Video Player. A mismatch like that is a major sign of a malicious download.
- Pop-up messages that keep appearing.
- The website puts heavy emphasis on the download process rather than on the content it supposedly offers.
- "Custom Install" vs. "Express" in the installer. When installers offer these options, the "Express" option (selected by default) typically installs additional software alongside the promised product, such as potentially unwanted programs (PUPs). In this case, it installed the WebDiscover toolbar, which degrades the user's browsing experience. As we can also see in the video, every search made from this toolbar is redirected through another search engine.
The WebDiscover toolbar is a customized Chromium browser (Chromium being the open-source web browser project developed by Google) that changes the start page and default search engine in the user's installed web browsers. Once the WebDiscover Browser is installed, the following symptoms appear:
- The browser's default homepage changes to the WebDiscover Homepage.
- The browser's search provider is replaced by WebDiscover Search, with a built-in search box.
- New tabs launch with the modified search portal page.
- WebDiscover loads itself into the user's web browser by creating an extension or add-on.
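The four symptoms above all leave traces in the browser's settings, so they can be checked rather than eyeballed. The script below is an added example (not from the original post or from any vendor tool): it reads a Chrome/Chromium `Preferences` JSON file and reports a homepage, startup URLs or default search provider pointing at an untrusted host, plus any extension not installed from the Web Store. The key layout (`homepage`, `session.startup_urls`, `default_search_provider_data.template_url_data`, `extensions.settings`) follows Chrome's preferences file but is an assumption on my part; the WebDiscover hostnames and extension IDs in the sample are invented for illustration, and recent Chrome versions keep some of these keys in `Secure Preferences` instead.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Chrome "Preferences" file after a search hijacker
# changed the start page, search engine and side-loaded an extension.
# Hostnames and extension IDs are invented; key layout is an assumption.
HIJACKED_PREFS = json.dumps({
    "homepage": "http://home.webdiscover-example.test/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,   # 4 = "open a specific set of pages"
                "startup_urls": ["http://home.webdiscover-example.test/"]},
    "default_search_provider_data": {"template_url_data": {
        "keyword": "webdiscover",
        "short_name": "WebDiscover Search",
        "url": "http://search.webdiscover-example.test/?q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": False,
            "manifest": {"name": "WebDiscover", "version": "1.0"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": True,
            "manifest": {"name": "Some Store Extension", "version": "2.3"}}}},
})

# Constructed sample of an untouched profile, for comparison.
CLEAN_PREFS = json.dumps({
    "homepage_is_newtabpage": True,
    "session": {"restore_on_startup": 5},  # 5 = open the New Tab page
    "default_search_provider_data": {"template_url_data": {
        "keyword": "google.com", "short_name": "Google",
        "url": "https://www.google.com/search?q={searchTerms}"}},
    "extensions": {"settings": {
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": True,
            "manifest": {"name": "Some Store Extension", "version": "2.3"}}}},
})


def host_of(url):
    """Hostname of a URL, or '' when it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def audit_preferences(prefs_text, trusted_hosts):
    """Return a list of human-readable findings for a Preferences JSON blob.

    trusted_hosts: hostnames the user actually chose (their search engine,
    their homepage). Anything else in these settings is reported.
    """
    prefs = json.loads(prefs_text)
    findings = []

    # Symptom 1: homepage replaced.
    home = prefs.get("homepage", "")
    if home and not prefs.get("homepage_is_newtabpage", False) \
            and host_of(home) not in trusted_hosts:
        findings.append(f"homepage set to {home}")

    # Symptom 3: new windows/tabs open on a foreign portal page.
    session = prefs.get("session", {})
    if session.get("restore_on_startup") == 4:
        for url in session.get("startup_urls", []):
            if host_of(url) not in trusted_hosts:
                findings.append(f"startup URL set to {url}")

    # Symptom 2: default search provider replaced.
    tud = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tud and host_of(tud.get("url", "")) not in trusted_hosts:
        findings.append(f"default search provider is {tud.get('short_name')} "
                        f"({tud.get('url')})")

    # Symptom 4: an extension that did not come from the Web Store.
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if not ext.get("from_webstore", False):
            name = ext.get("manifest", {}).get("name", "?")
            findings.append(f"side-loaded extension {name} ({ext_id})")

    return findings


if __name__ == "__main__":
    trusted = {"www.google.com"}
    for label, blob in (("hijacked", HIJACKED_PREFS), ("clean", CLEAN_PREFS)):
        print(label + ":")
        for finding in audit_preferences(blob, trusted) or ["no findings"]:
            print("  -", finding)
```

To run it against a real profile, read `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences` (and `Secure Preferences`) with the browser closed, and pass in the hosts you actually configured as trusted; every line it prints is a setting you did not choose.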
How to protect yourself from getting infected
- Download Adobe updates and software only from Adobe's own websites, e.g., https://get.adobe.com/flashplayer/ (note that Adobe ended support for Flash Player on December 31, 2020 and no longer distributes it, so any site offering a Flash Player "update" today is a red flag in itself).
- When browsing online, keep an eye on the website URLs. If you are redirected away from the page you started on, take extra care and treat the redirect as a stop sign.
- Always check that the software you downloaded matches the name of what you intended to download, both the file name and the product name shown in the installer.
- Browse with a protection tool that can detect and block such scam sites.
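The redirect tell from the list of signs earlier ("redirected from a pop-up") and the "treat a redirect as a stop sign" advice above can be turned into a concrete check. The script below is an added example, not part of the original post: it follows a URL's redirect chain one hop at a time (without letting the HTTP library auto-follow), then flags a chain that lands on a different host than it started on, passes through several hosts, or ends at an installer download. The `fetch_head` function uses only `http.client`; the hostnames in the constructed offline chain are invented and use the reserved `.example` TLD.

```python
import http.client
from urllib.parse import urlparse, urljoin

MAX_HOPS = 10
REDIRECT_STATUSES = (301, 302, 303, 307, 308)
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".zip")


def fetch_head(url, timeout=10):
    """Issue ONE HEAD request and return (status, lowercased headers).

    Redirects are deliberately not followed here; trace_redirects does that
    so every hop is visible.
    """
    parts = urlparse(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "redirect-tracer/1.0"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def trace_redirects(url, fetch=fetch_head, max_hops=MAX_HOPS):
    """Return the list of URLs visited, starting with `url`.

    Relative Location headers are resolved against the current hop.
    Stops at the first non-redirect response or when max_hops is reached.
    """
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or "location" not in headers:
            break
        chain.append(urljoin(chain[-1], headers["location"]))
    return chain


def assess_chain(chain):
    """Heuristics over a redirect chain; returns a list of findings."""
    start_host = urlparse(chain[0]).hostname
    end_host = urlparse(chain[-1]).hostname
    hosts = {urlparse(u).hostname for u in chain}
    findings = []
    if len(chain) > 1 and end_host != start_host:
        findings.append(f"landed on a different host: {start_host} -> {end_host}")
    if len(hosts) > 2:
        findings.append(f"passed through {len(hosts)} different hosts")
    last_path = urlparse(chain[-1]).path.lower()
    if last_path.endswith(INSTALLER_EXTS):
        findings.append(f"final URL serves an installer: {last_path.rsplit('/', 1)[-1]}")
    return findings


# Constructed offline stand-in for fetch_head: a streaming page that bounces
# through an ad gateway to a "Flash update" site serving a renamed installer.
# All hostnames are invented for illustration.
FAKE_RESPONSES = {
    "http://free-tv-shows.example/watch/episode-1":
        (302, {"location": "http://ads-gateway.example/go?id=42"}),
    "http://ads-gateway.example/go?id=42":
        (302, {"location": "https://flash-update.example/download/"}),
    "https://flash-update.example/download/":
        (302, {"location": "/files/HDVideoPlayer_Setup.exe"}),
    "https://flash-update.example/files/HDVideoPlayer_Setup.exe":
        (200, {"content-type": "application/octet-stream"}),
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    chain = trace_redirects("http://free-tv-shows.example/watch/episode-1",
                            fetch=fake_fetch)
    for hop in chain:
        print(hop)
    for finding in assess_chain(chain):
        print("!", finding)
```

Replace `fake_fetch` with the default `fetch_head` to trace a real URL; some servers reject HEAD, in which case switch the method to GET and discard the body. A chain that ends on an `.exe` you never asked for is exactly the "HD Video Player instead of Flash" situation from the video, caught before the file is run.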