{"id":6883,"date":"2017-03-07T09:12:10","date_gmt":"2017-03-07T17:12:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/07\/news-674\/"},"modified":"2017-03-07T09:12:10","modified_gmt":"2017-03-07T17:12:10","slug":"news-674","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/07\/news-674\/","title":{"rendered":"A multi-purpose fake online scanner"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Tue, 07 Mar 2017 16:00:14 +0000<\/strong><\/p>\n

Just to show you that behind some PUPs there are threat actors that are too lazy to be bothered, we offer you a fake online scanner that was used to promote the infamous MacKeeper<\/a> and a Windows system optimizer called Advance-System-Care.<\/p>\n

Windows<\/strong><\/h3>\n

The redirect scheme on a Windows machine looked like this.<\/p>\n

From a compromised website we were re-directed to systemcheck[.]club where we got this popup:<\/p>\n

\"\"<\/p>\n

Clicking \u201cOK\u201d offered to start an online scan –<\/p>\n

\"\"-which claimed to find a HIGH risk virus:<\/p>\n

\"\"<\/p>\n

Thankfully these helpful people knew just the tool to remove this virus from our PC and brought us to www[.]advancepctools[.]info:<\/p>\n

\"\"<\/p>\n

Here we installed Advance-System-Care which did not find the virus, but nevertheless had some very important tips on how to improve the system\u2019s performance.<\/p>\n

\"\"<\/p>\n

Pro tip: that phone number will not work as there is a format error in it.<\/em><\/p>\n

That Advance-System-Care did not find the alleged virus is not surprising as Tapsnake is an Android infection that doesn’t work on Windows machines.<\/p>\n

One other thing that did puzzle me, was that I also got this prompt while visiting the systemcheck[.]club site:<\/p>\n

\"\"<\/p>\n

A Windows Internet Explorer prompt letting me know that: \u201cVIRUS FOUND. It is necessary repair your Mac. Please do not leave the page. Click OK to begin the repair process.\u201d<\/em><\/p>\n

But when I showed this to our Mac researchers they had a very plausible explanation for this. Exactly the same fake scan is used to push MacKeeper on Mac systems.<\/p>\n

Mac<\/strong><\/h3>\n

My colleague\u00a0@thomasareed<\/a> recorded the proceedings on a Mac system, leading to the install of MacKeeper:<\/p>\n