contadores de paginas web Saltar al contenido

Experiment: Type-in ​​traffic + fake program = infection assured

arespro-ares-com-uy

When it comes to infecting cybercriminals, they basically have two options: send malware directly to victims (spam emails, chat, social networks, etc.) or wait for the victims to go to the malware.

In the second case, one of the most used techniques today is that of BlackHat SEO, attackers place malicious pages in the first results of the search engines or take advantage of vulnerable sites to redirect traffic to them, you can see examples of these attacks in the following articles: Where is Uruguay? (BlackHat SEO), Searching for models on the internet can be dangerous and BlackHat SEO + Java vulnerable = hidden Trojan download.

This second group could also include the malicious use of well-known brands to trick users. Last year, for example, one of the developers of the VLC program, tired of seeing fake sites that took advantage of the player's good reputation, published a list of sites offering paid versions and infected installers on his personal blog as a complaint.

Another example is the ares.com domain, which is used to propagate a modified version of the program that requires the payment of a license. The official page of Ares is actually aresgalaxy.sourceforge.net and the program is completely free:

I've paid for Ares, can I have a refund? Ares is a 100% free program and we don't sell it nor we have authorized third parties to do that. >> aresgalaxy.sourceforge.net/readmore.htm

Experiment Ares.com.uy:

In the last few weeks I was conducting an experiment to see how many people could access the Ares discharge despite being an unofficial version. For the domain name ares.com.uy.

There he put together a page that supposedly offers an improved version of Ares, but you never actually download the program. Users simply go from one page to another, the activity being recorded in Google Analytics.

All measured users accessed the site directly, that is, by typing the address in their browsers, traffic that is called Type-in.

When accessing what they found was the following:

As you can see, the characteristics of the supposed program are described such as direct recording on CD / DVD / BluRay, hidden mode for offices, access to the database of Sony and Warner to download movies, etc. The idea was to describe ridiculous functions that would attract the attention of some and generate mistrust in others.

This page includes a Download button that when pressed, loads another page within the site:

Ac clarifies that it is not an official version of Ares and it is simulated to start the download with the following message:

Starting download of the Ares2012Pro.exe file… the download will start automatically in 5 seconds. If the download does not start click here to start it manually.

The automatic download never actually starts, this way I can directly measure how many people click to start the manual download, that is, they download the program despite not being an official version and having somewhat suspicious functions 🙂

Finally on the last page it is clarified that this is an experiment and that Modified version downloads are not secure:

The results:

Measuring traffic with a stream of conversions you can see that all users who accessed ares.com.uy clicked on the Download button, going to the second page (these data correspond to the last 60 days):

On the second page there is an abandonment of 31.9%. The rest, 68.1% continued to the last page, that is, start manual download.

On the last page of the warning there is an abandonment of 77%, while 23% return to the previous one (will they try to download it again?).

Of course, the experiment lacks scientific rigor and for best results perhaps it should be left running longer. But the data is still interesting, since it is Type-in ​​traffic, users are convinced that it is the Ares site and most do the download despite not being the official version.