Suman Garai, CC, shares some first-hand experience as he explains that it can happen to anyone, even a cybersecurity professional.
Let’s start with some context – who am I and why am I here? My name is Suman. I’m studying for a degree in Computer Applications, and I’m pretty passionate about cybersecurity. I also recently passed my ISC2 Certified in Cybersecurity (CC) exam. However – despite my cybersecurity awareness – I’m also the recent victim of a fake download site. Knowing that even someone who knows to take precautions can be caught out, I’d like to share the details of my experience (and the lessons I learned) so you can help protect yourselves and your users.
Fake download sites pose a serious and subtle threat to unsuspecting users by luring them in with the prospect of free or hard-to-find content while surreptitiously distributing malware and engaging in nefarious activities. Falling prey to these deceptive sites can result in significant consequences that encompass various aspects of an individual or organization:
- loss of data, privacy and security; identity theft
- financial losses
- reputational damage
- extended damage to contacts, networks and organizations
- financial penalties
- legal proceedings
How Did This Happen to Me?
Cybercriminals use deceptive tactics, creating fake download sites that deceive people from all backgrounds. They use Google ads to lure in unsuspecting individuals with promises like free software downloads. They even target popular free software applications such as OBS, commonly used by content creators. The fake sites are carefully designed to look like legitimate ones, making it easier still for someone to fall for their ploy.
Last summer, I succumbed to the temptation of an enticing proposition. The offer was for a complimentary lifetime license for the web security testing tool Burp Suite Professional. It’s an important tool that I needed to complete modules on the TryHackMe platform, so it was appealing. Despite having enabled Windows Defender with real-time protection, I managed to download the executable file that was customized to fit my device’s specifications without triggering any warning signals from the Windows Defender system.
But, as I went through the setup wizard and granted administrative privileges, I encountered an unexpected setback: multiple command prompt windows flashed rapidly, raising a red flag. I realized immediately that scripts were running without my explicit consent. Alarmed, I searched online for answers.
During my search, I received a notification on my phone. To my dismay, it revealed an attempt to access my Google account from Brazil. I quickly declined the prompt, followed Google’s recommendation to change my password, and disconnected my laptop from the internet to thwart further unauthorized access.
One Mistake, Significant Fallout
However, I soon discovered that the attacker had already made changes to my Microsoft Defender settings, adding Trojan viruses and backdoors to my system folders in the C: drive, which went undetected due to exclusions. Though I resolved the exclusions issue, my device remained sluggish, and subsequent scans with Defender revealed new strains of malware in just a few hours. To make matters worse, on the third day, I discovered my device was also infected with trojan ransomware, which was exploiting my modest NVIDIA graphics card to mine cryptocurrency.
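The Defender tampering described above is the kind of change a quick audit surfaces. The following PowerShell script is an added example, not part of the original post; it assumes a Windows host running Microsoft Defender Antivirus and an elevated PowerShell session, and lists the protection status, every configured exclusion, and the recent configuration-change events (event ID 5007) that record when exclusions or other settings were altered.

```powershell
# Added example: audit Microsoft Defender for the tampering described above.
# Assumes Microsoft Defender Antivirus and an elevated PowerShell session.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

Write-Host "=== Protection status ==="
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    AntivirusEnabled   = $status.AntivirusEnabled
    TamperProtected    = $status.IsTamperProtected
    SignatureAgeDays   = $status.AntivirusSignatureAge
} | Format-List

Write-Host "=== Exclusions (every entry here should have a known reason) ==="
foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
    $items = $pref.$kind
    if ($items) {
        $items | ForEach-Object { "{0,-18} {1}" -f $kind, $_ }
    } else {
        "{0,-18} (none)" -f $kind
    }
}

# Flag exclusions that cover a drive root or a whole system folder, which is
# what lets files dropped into system folders go unscanned, as in the account above.
$broad = $pref.ExclusionPath | Where-Object {
    $_ -match '^[A-Za-z]:\\?$' -or
    $_ -match '^[A-Za-z]:\\(Windows|Users|ProgramData)\\?$'
}
if ($broad) { Write-Warning "Overly broad exclusions: $($broad -join ', ')" }

Write-Host "=== Defender configuration changes in the last 7 days (event 5007) ==="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# Remediation, once each unexpected exclusion has been reviewed:
# Remove-MpPreference -ExclusionPath 'C:\path\that\should\not\be\excluded'
# Set-MpPreference -DisableRealtimeMonitoring $false
```

If Tamper Protection reports false, turning it on in Windows Security prevents the same settings from being changed again by a local script.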
I started to receive notification chimes from Facebook and Twitter in the late hours of the night. The notifications I received from Facebook regarded posts liked and pages followed – of which, of course, I had no recollection and which were unrelated to my interests. Twitter notified me that my tweets had been liked. Upon investigating the matter, I was appalled to discover that my accounts had been compromised. Curiously, the absence of 2FA SMS codes suggested that they were intercepted.
It then dawned on me that my browser had likely been hijacked, granting the hacker unrestricted access to my accounts. Realizing the severity of the situation, I needed to sever the attacker’s access to my accounts immediately. However, changing passwords on my infected device posed further risks. I opted to use my parents’ smartphones and mine to change the passwords promptly, making sure to clear cache and cookies to preclude residual threats.
After regaining access to my accounts, I discovered that obscure posts had been disseminated from my Facebook account, which I swiftly deleted. Thankfully, no one had received any phishing links. However, my Twitter account had been spoofed to impersonate CZ Binance’s official account, with three seemingly authentic tweets on cryptocurrency. Surprisingly, the hacker had not deleted my previous tweets. Determined to reclaim control, I diligently worked to restore my Twitter account to its original state, undoing any damage inflicted.
And yet my saga continued: my Instagram and Pinterest profiles were infiltrated. While Pinterest proved to be of little value to them (I had no posts or followers), my dormant Instagram account was not spared. Months after the initial cyber intrusion, a friend sent me a screenshot of a post I had purportedly made on Instagram, claiming that Elon Musk would double any cryptocurrency sent to a particular address.
Denying any involvement, I logged in to discover three identical posts made over a week or two. To make matters worse, my ‘Following’ count had skyrocketed, likely due to my account being used as a bot by the attacker. I checked my Instagram direct messages, which appeared untouched, but it was possible that conversations were initiated and deleted to avoid exposing the compromised state of my account. Realizing the extent of the damage, and considering my account’s prolonged dormancy, I decided to permanently delete it.
Implementing Lessons Learned
Following the hijacking episode, I started revising my cybersecurity measures. I adopted a paid password manager, thereby ensuring the safeguarding of all my accounts through a unique password and TOTP-based two-factor authentication.
However, the malware that plagued my system rendered it irreparable, ultimately forcing me to reset my computer to its factory settings. Fortunately, I had had the foresight to safeguard my vital files on an external hard drive that remained unscathed by the attack and, by keeping it disconnected, I ensured its safety. While the process was arduous, the extent of data loss was, for me at least, negligible.
Ultimately, my experience highlights the need for continuous education of users. We all know and preach that prudence is crucial in the constantly changing landscape of cyber threats, and that caution and good judgment are essential when downloading software. We advise caution when dealing with unusual files or unknown file extensions, and before opening executable files. Similarly, we advise vigilance in verifying the legitimacy of URLs and of recommendations on reputable forums, and to exercise caution even with trusted sources.
Better Help Needed
But do all your users know what these instructions mean? If the lesson is anything, it’s that we need to explain in more detail what this advice means in the real world. Ultimately, “adopt a discerning approach” and “stay informed about best practices” can only help safeguard users if we explain, show and train – and if we keep them up to date with new threats.
Teach users to choose trusted sources like the Microsoft Store, Chocolatey GUI, Patch My PC, or the winget commands from ChatGPT, sure – but also be aware that even reputable sources can be manipulated. Teach them to use virus scans and tools like VirusTotal that can provide extra protection – but educate them to remember that antivirus software is no guarantee against skilled hackers either.
And if the worst happens? Well, in case it’s useful: free software from many of the antivirus vendors can be very helpful in restoring a PC that has suffered a malware attack, if rolling back to factory defaults isn’t an option.
Suman Garai, CC, is a cybersecurity professional with a Bachelor’s degree in Computer Applications, specializing in Information Security and Mobile Applications. His academic background encompasses Offensive and Defensive Security, Digital Forensics & Investigation, and IT Governance and Risk Management. He is presently studying for an MSc in Computer Science.