One of those two sites is distributing adware. Which of them?

File Converter (FOSS) by Adrien Allard was hosted on file-converter[.]org for a decade. Then someone a few weeks ago snatched that domain and it’s now distributing adware. Almost identical design for the page, 100% designed to deceive users into downloading a different product, as it’s called Zamzar.

  • Moonrise2473@feddit.itOP
    6 months ago

    In the GitHub issues the dev is aware of this, but he’s not completely enraged, just mildly infuriated that the design is too similar, and he’s politely asking to have a different design.

    From the history in the Wayback Machine I don’t see any “parking” page between the switch, so my guesswork is that the dev has been approached with an offer like “we like that domain, we would like to buy it for $$$”, unaware that they would copy the design like that in order to achieve maximum deception of users.

  • jet@hackertalks.com
    6 months ago

    The benefit of using a package manager like Winget, brew, apt, snap, fdroid is that these attacks are less likely, especially with doubly signed reproducible builds like fdroid.

    • Moonrise2473@feddit.itOP
      6 months ago

      I downloaded an old version from 2017 to see what happens when checking updates on the domain that’s now distributing the scam. Luckily they’re replying with a 404 and not with “install this new update, it’s 100% safe”.

      • laura@lemmy.iys.io
        6 months ago

        You’d hope that the updater will at least check if the file is signed by the correct entity.

    • XNX@slrpnk.net
      6 months ago

      Couldn’t he have sold control of the repo attached to the package managers and this still would happen?

  • DudeDudenson@lemmings.world
    6 months ago

    The domain for my country is .ar and most sites that use said domain use .com.ar.

    Someone registered com under the .com.ar domain, so if you add .com.ar to any URL that ends in .com you get redirected to their adware site.

    • criticon@lemmy.ca
      6 months ago

      My last name ends with ar so I tried to get a .ar domain to set up a personalized email, but it seems like they are reserved for government stuff. I was only allowed to get .com.ar (last time I checked this was about 4 years ago).

      • tourist@lemmy.world
        6 months ago

        Looked up the TLDs again.

        Your only choice is to get goofy.

        Could try .army, .red or .republican (who the fuck approved that lmao)

        • TheIllustrativeMan@lemmy.world
          6 months ago

          Gotta get creative to get any decent addresses these days. I’ve been trying to establish a company name (with an available, short-ish, simple URL) and it’s surprisingly difficult, even getting into weird TLDs. Really annoying, especially since a lot of them aren’t actually being used.

          Finally found a 9 character made-up word that I could get the .us TLD for, and I think that’s about as good as it’s going to get.

  • irotsoma@lemmy.world
    6 months ago

    It seems it’s not so much they stole the domain, it’s that they are using the same name with a different top-level domain. This is a common shady practice in malware. Most people can’t afford to purchase every TLD for their domain and so just pick one or two. Problem is that search engines will find the bad TLDs and suggest them over the real TLD if the malware providers do proper SEO manipulation. A FOSS author is unlikely to be able to or afford the time and effort it takes to manipulate search results and most popular search engines are not doing much to fix the problem, and instead relying on “AI” to reduce the costs of maintaining their search results, which does a pretty bad job, IMHO.

    • trolololol@lemmy.world
      6 months ago

      Would fdroid be safe from this kind of practice? Of course there are no web domains involved, but the exploit there is potentially the same.

    • Moonrise2473@feddit.itOP
      6 months ago

      Originally it was hosted in the .org domain, then somehow it changed hands and it was changed to .io.
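Added example (not part of the thread, and not code from the File Converter project): a check that a downloader or link linter could run to catch the two domain tricks described in the comments above, the same project name under another TLD and an extra suffix such as `.com.ar` appended to a real host. `OFFICIAL_HOST` and the sample URLs are constructed placeholders, and the project name is assumed to be the first label of the pinned host.

```python
from urllib.parse import urlsplit

# Assumption: the project's real download host, taken from a source you already
# trust (for example the link in its source repository). Placeholder value.
OFFICIAL_HOST = "example.com"


def classify_download_host(url, official=OFFICIAL_HOST):
    """Compare a download URL's host with the pinned official host.

    Returns "official", "appended-suffix", "same-name-other-tld" or
    "unrelated". Simplification: no public-suffix list is consulted.
    """
    try:
        # .hostname drops userinfo and port and lowercases the name.
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return "unrelated"
    official = official.lower().rstrip(".")

    # Exact host or a subdomain of it: same registrant as the pinned name.
    if host == official or host.endswith("." + official):
        return "official"

    # Pinned host followed by further labels ("example.com" + ".com.ar"):
    # the rightmost labels decide who controls the name.
    if ("." + host).find("." + official + ".") != -1:
        return "appended-suffix"

    # Project label reused under a different TLD or parent domain.
    if official.split(".")[0] in host.split("."):
        return "same-name-other-tld"

    return "unrelated"


# Constructed sample URLs; nothing is fetched.
SAMPLES = [
    "https://downloads.example.com/setup.exe",
    "https://example.com.com.ar/setup.exe",
    "https://www.example.io/setup.exe",
    "https://example.com@files.test/setup.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_download_host(sample):20} {sample}")
```

Anything other than `official` is a reason to stop and confirm the link against the project's source repository before downloading.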

  • Andrew@piefed.social
    6 months ago

    There was a great Windows app called ‘dvdshrink’ that let you rip commercial DVDs onto blank DVDs (shrinking them if necessary). It got taken down with a Cease & Desist, but the MPAA or whoever didn’t worry about who took the domain. For a long time, the site was just filled with ads instead - now it’s a bit more sophisticated: no real link to download the software, but lots of genuine-seeming donation requests.

    The fake site is the first search result for that software (edit: it’s probably best not to link directly to it).

    • Potatos_are_not_friends@lemmy.world
      6 months ago

      Makes sense.

      It’s literally a weekend job and a few bucks to quickly set up a fake site. Even with a single $20 donation you are already recouping your losses.

  • entropicshart@sh.itjust.works
    6 months ago

    This is why I refuse to use any download buttons on websites for FOSS apps; if it’s FOSS, it has a link to the source, which has releases, and is the safest way to ensure you’re getting what you actually want.

      • Moonrise2473@feddit.itOP
        6 months ago

        No, I tried it in a VM and it’s a completely different app. It seems like a shitty Electron app that sits forever in the tray wasting RAM just to upload files to their cloud for conversion instead of converting locally. And then it shows a prompt to subscribe from the tray.

  • TrixxedHeart@lemmy.world
    6 months ago

    This is always what scares me about FOSS having their own websites like this. What happens when that domain runs out and this exact thing happens???