Beware: fake websites are targeting open source software users with malware

Just because a domain name looks official does not mean it is. Questionable companies are publishing fake websites for well-known open source projects, trying to lure users into downloading malware. Please be careful and always download your tools from the right location.

TL;DR: always get greenshot from getgreenshot.org

What has happened?

Recently we were contacted by a user who reported that he got a malware warning for an installer he had downloaded from what he thought was our website. It did not take us long to work out the actual problem: he had opened a browser, typed “greenshot” and appended a top-level domain that is commonly used for free and open source software, assuming that this URL would take him to Greenshot’s official website. The site does not look very professional, but it clearly describes Greenshot’s features and has prominent download buttons for Windows and Mac. So what could possibly go wrong?

Well, unfortunately that domain is not (and has never been) under our control. In fact, the domain had already been registered back when Greenshot’s website was still living on a subdomain of sourceforge.net, ages ago. When we first noticed it, the page could have been (euphemistically) classified as a fan page. It offered some information and screenshots of our software, had download links to our binaries on SourceForge, and carried multiple advertisements, particularly but not exclusively for a well-known commercial screenshot tool. Questionable, but tolerable. Obviously not profitable, though. So at some point they started serving modified binaries, presumably installing unwanted toolbars in the user’s browser.

So who is running that website?

According to the privacy policy, the website is operated by a French company called “Data Access Sarl”, while the responsible editor of the content is “In Profit Limited” from Hong Kong. A quick web search revealed that this pair runs dozens of similar websites for other well-known open source projects, including 7-Zip, KeePass, Paint.NET, GIMP, Inkscape and many others. We have probably only seen the tip of the iceberg, but the sheer number of registered domains named after open source projects is a clear sign that deliberately misleading users is simply their business model.

Honestly, we don’t know. We are software engineers, not lawyers. You probably know that Greenshot is (and has always been) developed by a few guys in the little spare time they have alongside their full-time jobs and families, so we can afford neither the time nor the money to pursue this legally. If you can help with that, feel free to get in touch with us.

What can I do?

  • Watch out where you download software. If you do not know a project’s domain, your preferred search engine most probably does, so don’t just guess the most obvious domain and hope for the best.
  • If you’re in doubt, check the file before downloading it. Websites like VirusTotal allow scanning a downloadable file by its URL, so you can avoid downloading a potentially infected file in the first place.
  • If you get a malware alert and are sure that the downloaded file is from an official source, contact the project team about it. They need to know this. Chances are the alert is a false positive and they can sort it out quickly. If not, they do have a problem and need to investigate as quickly as possible.
  • If you stumble upon a website deliberately spreading malware:
    • Don’t spread the malicious link: even while warning others of malicious websites, never share the full URL in public places, to avoid people (and search engine indexers) following the link unintentionally. Instead, just write “website dot org”.
    • Report the website to Google Safe Browsing; this might prevent others from falling into the same trap.
    • Contact the domain registrar’s abuse address: registrars usually offer a dedicated contact address for abuse reports. You can find it with a whois lookup of the domain. Write an email describing in detail why you think the domain is being abused, and of course include the domain itself.
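The checks from the list above, as an added example in Python (not the Greenshot project’s own code). The only fact taken from the post is that getgreenshot.org is the official domain; the lookalike domain, the registrar name and the whois output are constructed for the example. It checks whether a download URL really points at the official domain (rejecting the `getgreenshot.org.attacker.example` and `getgreenshot.org@attacker.example` tricks), rewrites a URL in the post’s “website dot org” style so it cannot be followed or indexed, and extracts the abuse contact from whois output.

```python
import re
from urllib.parse import urlsplit

# Official download host, as stated in the post. Everything else below is constructed.
OFFICIAL_HOSTS = ("getgreenshot.org",)


def is_official_download(url: str, official_hosts=OFFICIAL_HOSTS) -> bool:
    """True only if the URL is http(s) and its host is an official domain or a subdomain of one.

    The comparison is made on the parsed hostname, so userinfo tricks such as
    https://getgreenshot.org@attacker.example/ and suffix lookalikes such as
    getgreenshot.org.attacker.example are both rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == h or host.endswith("." + h) for h in official_hosts)


def defang(url: str) -> str:
    """Rewrite a URL in the post's 'website dot org' style so it is neither clickable nor indexable.

    https://greenshot-download.example/setup.exe -> hxxps://greenshot-download dot example/setup.exe
    """
    # Accept bare hosts ("greenshot-download.example/setup.exe") as well as full URLs.
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").replace(".", " dot ")
    scheme = parts.scheme.replace("http", "hxxp")
    prefix = f"{scheme}://" if scheme else ""
    return f"{prefix}{host}{parts.path or '/'}"


def abuse_contacts(whois_text: str) -> list:
    """Collect abuse-contact e-mail addresses from whois output.

    Primary source: any 'Registrar Abuse Contact Email:'-style line. Fallback: any
    address with local part 'abuse'. Registrant contacts (often redacted) are ignored.
    """
    found = []
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and "abuse" in key.lower() and "email" in key.lower():
            addr = value.strip()
            if addr and addr not in found:
                found.append(addr)
    for match in re.finditer(r"\babuse@[\w.-]+\.\w+", whois_text, re.IGNORECASE):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


# Constructed whois output for a hypothetical lookalike domain (not a real record).
SAMPLE_WHOIS = """\
Domain Name: greenshot-download.example
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Email: REDACTED FOR PRIVACY
Name Server: ns1.example.net
"""


if __name__ == "__main__":
    for candidate in (
        "https://getgreenshot.org/downloads/",
        "https://www.getgreenshot.org/",
        "https://getgreenshot.org.attacker.example/",
        "https://getgreenshot.org@attacker.example/",
        "https://greenshot-download.example/setup.exe",
    ):
        verdict = "official" if is_official_download(candidate) else "NOT official"
        print(f"{verdict:13s} {defang(candidate)}")
    print("abuse contacts:", abuse_contacts(SAMPLE_WHOIS))
```

The host check deliberately compares the parsed hostname rather than searching the URL string for “getgreenshot.org”: a substring match would accept both the suffix lookalike and the userinfo trick. The defanged form is what belongs in a public warning; the raw URL goes only to the registrar’s abuse address and to Google Safe Browsing.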

Take care everybody, and remember: always get greenshot from getgreenshot.org :)
