I clicked one of the legitimate downloads. The link takes you to a new page and waits a few seconds before starting the download.
The most prominent element of this page, centered just below the header, is a large bright green "Start Download" button. That button is part of an advertisement, but is blatantly designed to get the majority of its clicks from users who intended to download software from the project hosted on SF. I see it as a malicious download.
I realize you may have been referring specifically to the recent SF malware bundling, but I want to stress that this ad came up for me on my first try clicking one of those links. Ads like that have been regular on SF for years; it's impossible to believe that they have made it a priority to prevent them. The opposite seems more likely: the page design minimizes the legitimate controls and emphasizes the scam link.
Even if I know the installer is free of opt-out malware I would hesitate to send an SF link to a friend or family member. The clearest call to action they are likely to see is a malicious download impersonating the software they want.
Well, botg does come pretty close to admitting that:
#9 Post by botg » 2018-01-05 09:11
The connections are for fetching offers and, if the user accepts the offer, the offered file. What the file is for is written in the offer text. The network requests to fetch offers are done only after the user has agreed to it by accepting the privacy policy.
Right, the user has agreed to install some random thing.
#10 Post by TigheW » 2018-01-05 16:55
Sorry man, this isn't "bundled software that people want" and no amount of repeating it will make it true. This is a malware downloader bundled with your software and hosted on your page and you're intentionally misleading the users who are here directly asking you if it's safe to run this bundle on their machines. ...
So the site is clearly parasitic, doesn't add anything and detracts from security. The term "malicious" does imply a little more to me though, like it's actually serving me altered software.
I guess the question is whether doing this (injecting yourself into the download flow for an open source piece of software and profiting via ads while doing so) is "malicious". I can see an argument that it is, as at the very least the site very much looks like it's the official site unless you read the small print.
I don't get the ads on that site at the moment. I assume they are the fake download button type of ad?
In any case, we can fight this particular site, but as you point out if this is generated content then I don't see how we're going to manually fight the coming onslaught of similar endeavours, so if the search engines can't keep generated content off their results (and so far they haven't been able to), it's going to be an interesting few years.
Paint.net has ads on their pages, right next to the download page... Their own download link is non-obvious, and the advertisers create full-size ads with a big green button saying "download" ... what the user gets isn't the installer from paint.net proper. I think the fact that the paint.net guys are resorting to allowing ad networks on their main page instead of an inline donate option (like ubuntu) is pretty bad.
Another example, as recently as 3 months ago a search on google for "chrome" would result in a few ads that were for malware like this.
The ones that are in the actual installers upset me a lot... more so in open-source, and one of the reasons people are starting to avoid SourceForge like the plague.
The freeware Paint.NET project did something similar. For years their download page had deceptive Download Now links which were actually spam/advertising/malware.
It looks like they no longer do this, for what that's worth, but I still don't recommend it to people. A pity as the application itself is very good.
This looks like spam to me. A lot of the links in the article point to pages on the same site, rather than the original sources. For example, the links for Firefox and Brave point to download pages on TechSpot.
These are worth looking at. The majority of these "Offer Screens" don't look anything like offers, and look everything like license agreements - you know, those walls of text that no-one reads and everyone clicks "Accept" on. There's a 2010 video of the install process here, jump to 3:06min on the NSIS video.
http://installmonetizer.com/AT_Help.php
5 of the 42 Offer Screens are duplicates / same company, so I only count 37 advertisers. That's assuming this is the entirety of the offers available.
At least one of the offers "allows you to find retailers... by inserting contextual links on websites you are browsing". Another says "In order to keep software free, you will be served advertising through in-text and pop-up ads in your browser, they are targeted and relevant."
I'd like to see the return of classic "donationware" shareware - where the app is fully functional but the about box notes that it is shareware and asks you to pay if you end up using it regularly.
Sure scammers could try to pass it off as their own work, bundle it with adware/spyware installers, etc. but what's the point of getting a bogus bundle when you can just download the original for free from the developer's web site?
Note: even "legitimate" download sites like download.com used to be notorious for basically doing just that, and possibly ranking higher than the developer site in search results. They also hosted deceptive ads with large, fake, "download" buttons [1]. The current incarnation seems to have improved in that regard, fortunately.
I've seen it on many free download sites (not that I visited any of them). You click to download a file (enticing!), and you get a splash page of many questionable ads. I'm sure there is some cost sharing involved.
Just for information, it seems that only the installer from their website's first download page[0] is bundled (it has "bundled" in the name). On the same page there is a link that says "Show additional download options"[1]; on that page you have access to "clean" installers.
I got a message from my host with a link to your site, where you instructed to download and install a file...and I was 100% sure that it was just a scam, where you sent out spam messages pretending to be hosts, with a link to the blog post where you were asking me to download malware.
In fact I was in the process of contacting customer support of my host, when I noticed the letter I got in recent history.
You should really spend a little time making it look more legitimate.
It's a 730KB downloader installer as used by FileZilla, Angry IP Scanner, and other apps on SF that participate in the Dev Share program. You run it, it shows offers, then downloads the actual GIMP installer and runs that. I did a Virus Total scan of it earlier and the results are here: https://www.virustotal.com/en/file/a63a337b0aa6b2686440802eb...
It seems they've disabled the ability for the GIMP downloader installer posted earlier today to be able to download GIMP now. Possibly so other sites don't distribute it further thinking it's the real GIMP installer?
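The downloader described above is a small wrapper that fetches the real installer only after showing offers, so the file a user receives is neither the size nor the bytes of the genuine installer. The check below is added example code, not anything posted in this thread or shipped by any of the projects named in it: it compares a downloaded file against a checksum the project publishes and applies a minimum-size sanity test. The installer bytes, the published checksum and the size threshold are all constructed for the example; a real check would read the checksum from the project's own download page and use the real installer's size.

```python
import hashlib

# Constructed stand-in for the real installer a project publishes (not real bytes).
GENUINE_INSTALLER = b"MZ" + bytes(range(256)) * 32          # 8194 bytes

# What the project would list on its download page next to the file.
# Here it is derived from the constructed sample; in practice it is copied from the site.
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()

# A real desktop-app installer is many megabytes, so a sub-megabyte file claiming
# to be it is a signal on its own. The threshold is scaled to the sample above.
MIN_PLAUSIBLE_SIZE = 8000


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def check_download(data: bytes, published_sha256: str,
                   min_plausible_size: int = MIN_PLAUSIBLE_SIZE) -> dict:
    """Compare a downloaded file to the published checksum and a size floor.

    Returns a dict with the computed digest, the two individual results,
    an overall verdict ('ok' or 'reject') and human-readable reasons.
    """
    reasons = []
    digest = sha256_hex(data)

    hash_ok = digest == published_sha256.lower()
    if not hash_ok:
        reasons.append("sha256 does not match the published checksum")

    size_ok = len(data) >= min_plausible_size
    if not size_ok:
        reasons.append(f"file is {len(data)} bytes, below the "
                       f"{min_plausible_size}-byte minimum for this installer")

    return {
        "sha256": digest,
        "hash_ok": hash_ok,
        "size_ok": size_ok,
        "verdict": "ok" if (hash_ok and size_ok) else "reject",
        "reasons": reasons,
    }


# Constructed samples of what a user might actually receive.
STUB_DOWNLOADER = b"MZ" + b"offer-screens" * 50            # 652 bytes: a wrapper, not the app
TAMPERED_INSTALLER = GENUINE_INSTALLER[:-1] + b"\x01"      # same size, one byte changed

if __name__ == "__main__":
    samples = [
        ("genuine installer", GENUINE_INSTALLER),
        ("stub downloader", STUB_DOWNLOADER),
        ("tampered installer", TAMPERED_INSTALLER),
    ]
    for name, blob in samples:
        result = check_download(blob, PUBLISHED_SHA256)
        print(f"{name}: {result['verdict']}", "; ".join(result["reasons"]))
```

The size test is deliberately a second, independent signal: a checksum mismatch alone cannot tell a user whether they have a corrupt copy or a wrapper, while a file an order of magnitude too small points at the latter. Neither check replaces a signature check where the project signs its releases.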
It's deceptive and there is no reason to believe that after some more backlinks are generated by being deceived, that the owners of the fake site wouldn't change the download to their own modified version.
It's a security nightmare and overall just scummy behavior.
I don't see any misleading links at all. It takes more clicks than it should to actually get to the download, but there was nothing malicious on any of the pages.
It's done intentionally to make the owners a bit of money. They have direct download links on their website (click show all on download page), avoid the green Sourceforge link.
There was a warning box/advertisement at the bottom of the page that my download manager is out of date, with an X to close the box. But it's not an X, it's just pixels, and clicking it pops up a window to download a download manager.
Which makes everything at this site suspect and not worth reading.
Gotcha. Yeah, I see one there. Big green button with a down arrow saying "GET IT NOW" lots of whitespace below and then a smallish rewaterpressure logo. Because of the whitespace, the button very much looked associated with the paint.net download text above, not with the rewaterpressure logo below.
I also received the less bad (but still bad) text-based "start download now" one the same page. You convinced me. Editing my parent post above.
EDIT: for those curious, here's what the page looked like on the page load mentioned above: http://imgur.com/SisOXNT
It's like the site is designed to look like a scam site. It has the generic clip art pushing you to their "FREE" cyber security tools that obviously have no catch, complete with the small pixelated government logo in the corner so you know it's legit.
I realize this one is probably fine, but any security guidelines should say "don't download anything from a site that looks like this." Or I'm going to click on download and it'll ask me for my credit card number to charge me $39.99 for my FREE trial.