Ads in browser – Gridinsoft Blog
https://gridinsoft.com/blogs

WordPress Ad-Fraud Plugins and the Scallywag Operation
https://gridinsoft.com/blogs/wordpress-ad-fraud-scallywag-operation/
Wed, 23 Apr 2025 12:24:27 +0000

Cybersecurity researchers have found a large-scale ad fraud scheme called “Scallywag”. It used WordPress plugins to generate massive fraudulent ad traffic. For now, interventions from law enforcement agencies have drastically reduced the traffic, but domain rotations and new monetization models suggest the issue persists, albeit at a lower scale.

WordPress Ad-Fraud Plugins and the Scallywag Operation

Cybersecurity firm HUMAN recently uncovered a massive ad fraud operation known as “Scallywag”. This scheme used specially crafted WordPress plugins to hijack traffic from piracy and URL-shortening sites, generating up to 1.4 billion fake ad requests per day at its peak.

The operation relied on a vast network of 407 domains, which were mapped out during the investigation. While Scallywag’s activity has since dropped by 95% thanks to aggressive blocking and takedown efforts, the threat actors behind it are proving annoyingly persistent. They are rotating domains and shifting to new monetization tactics, like digital cockroaches refusing to die.

Scallywag activity graph (Source: HUMAN)

Operation Details

Scallywag operates as a “fraud-as-a-service” model, utilizing specific WordPress extensions to monetize digital piracy and URL-shortening services. The WordPress plugins involved in the operation are Soralink, which is claimed to have been created in 2016; Yu Idea, with documentation dating back to 2017; WPSafeLink, reportedly developed in 2020; and Droplink, which appeared in 2022 and was distributed for free through various cashout blogs.

Scallywag operation diagram

These plugins facilitate the insertion of intermediary pages loaded with ads, deceptive buttons, and artifacts, often requiring users to navigate through CAPTCHAs or wait times to access promised content. This method maximizes ad impressions and revenue, particularly from piracy catalog sites and URL shorteners, which are typically shunned by legitimate advertisers due to legal and brand safety risks.

The operation employs cloaking techniques, where direct visits from advertisers show benign blog content, while traffic from piracy or URL-shortening domains triggers ad-heavy pages. Additionally, open redirectors, such as those from Google or X, are used to sanitize referrer data, obscuring the fraudulent nature of the traffic.

Scale and Impact

As noted above, at its peak in early 2024, Scallywag accounted for 1.4 billion fraudulent bid requests daily. The operation’s network spanned 407 cashout domains, with detailed lists available as of February 2025. Detecting Scallywag involves analyzing traffic patterns, such as high ad impression volumes, cloaking behavior, forced wait times, and CAPTCHA usage. The operation’s use of deep linking to decloak content and open redirects complicates attribution.
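The detection signals listed above (ad volume, cloaking, forced waits, CAPTCHAs) can be combined by loading each candidate domain both directly and through a deep link, then comparing what comes back. The following is an added example, not code from HUMAN or from the original post; the domains, field names and thresholds are all constructed assumptions.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed crawl records, one JSON object per page load. "entry" records how
# the crawler reached the page: "direct" (typed URL, the way an advertiser would
# review it) or "deeplink" (followed a link from a piracy/URL-shortener page).
# The crawler logs its own entry path because open redirectors can sanitize the
# Referer header, so the header alone does not reveal where traffic came from.
SAMPLE_LOG = """
{"domain": "blog-a.example", "entry": "direct", "ad_slots": 2, "wait_s": 0, "captcha": false}
{"domain": "blog-a.example", "entry": "direct", "ad_slots": 3, "wait_s": 0, "captcha": false}
{"domain": "blog-a.example", "entry": "deeplink", "ad_slots": 14, "wait_s": 15, "captcha": true}
{"domain": "blog-a.example", "entry": "deeplink", "ad_slots": 18, "wait_s": 10, "captcha": false}
{"domain": "news-b.example", "entry": "direct", "ad_slots": 5, "wait_s": 0, "captcha": false}
{"domain": "news-b.example", "entry": "deeplink", "ad_slots": 6, "wait_s": 0, "captcha": false}
{"domain": "heavy-c.example", "entry": "direct", "ad_slots": 12, "wait_s": 10, "captcha": false}
{"domain": "heavy-c.example", "entry": "deeplink", "ad_slots": 13, "wait_s": 10, "captcha": false}
{"domain": "only-d.example", "entry": "deeplink", "ad_slots": 20, "wait_s": 20, "captcha": true}
"""

# Illustrative thresholds (assumptions; tune against your own baseline).
AD_RATIO = 4.0        # deep-linked pages carry at least 4x the direct ad slots
MIN_DEEPLINK_ADS = 8  # ignore pages that are light on ads either way
GATED_SHARE = 0.5     # share of deep-linked loads with a wait timer or CAPTCHA


def parse_log(text):
    """Parse JSON-lines crawl records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_gated(rec):
    """True when the visitor had to wait or solve a CAPTCHA before the content."""
    return rec["wait_s"] > 0 or rec["captcha"]


def score_domain(records):
    """Compare direct and deep-linked loads of one domain.

    Returns None when one side is missing, because cloaking is a difference
    between two views and cannot be judged from a single view.
    """
    direct = [r for r in records if r["entry"] == "direct"]
    deep = [r for r in records if r["entry"] == "deeplink"]
    if not direct or not deep:
        return None
    direct_ads = median(r["ad_slots"] for r in direct)
    deep_ads = median(r["ad_slots"] for r in deep)
    gated_share = sum(is_gated(r) for r in deep) / len(deep)
    reasons = []
    if deep_ads >= MIN_DEEPLINK_ADS and deep_ads >= AD_RATIO * max(direct_ads, 1):
        reasons.append("ad density jumps on deep link")
    if gated_share >= GATED_SHARE and not any(is_gated(r) for r in direct):
        reasons.append("wait/CAPTCHA gate only on deep link")
    return {"direct_ads": direct_ads, "deeplink_ads": deep_ads, "reasons": reasons}


def find_cloaking(log_text):
    """Return domains where both cloaking signals fire, with the evidence."""
    by_domain = defaultdict(list)
    for rec in parse_log(log_text):
        by_domain[rec["domain"]].append(rec)
    flagged = {}
    for domain, recs in by_domain.items():
        result = score_domain(recs)
        if result and len(result["reasons"]) == 2:
            flagged[domain] = result
    return flagged


if __name__ == "__main__":
    for domain, evidence in find_cloaking(SAMPLE_LOG).items():
        print(domain, evidence)
```

A site that is ad-heavy for every visitor (`heavy-c.example`) is not flagged: the signal is the difference between the two views, not the ad load itself.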

The monetization strategy involves selling access to these WordPress extensions, empowering independent cybercriminals to launch their own ad fraud campaigns. Some threat actors have even shared instructional videos on YouTube, coaching others on maximizing the use of Scallywag extensions, further amplifying the operation’s reach.

Traffic analysis and domain blocking have led to a 95% reduction in Scallywag’s traffic from its peak, dropping daily ad fraud requests to nearly zero. However, the threat actors have also shown resilience, adapting by rotating domains and introducing new cashout sites to evade mitigations. Some have pivoted to content discovery networks, indicating ongoing evolution in their tactics.

How to Protect Against Fraudulent Sites?

To avoid such sites and malicious ads, you just need to follow two rules. First and most importantly, avoid visiting pirate sites. Apart from the fact that in most cases it can cause legal problems, as we can see, it is also a source of all sorts of threats, from advertising questionable things to spreading malware. If you doubt the reliability of a website, you can use our free Website Reputation Checker to quickly check it.

The second fundamental recommendation is to use anti-malware software. I recommend GridinSoft Anti-Malware because it contains an Internet Security module that blocks potentially dangerous sites. Of course, this does not cancel the previous point and does not give you permission to browse dubious sites. Rather, this item complements the previous one by ensuring that in case of an unintentional visit to a malicious site, this solution will notify the user of the potential risk and block access to the site.

Your iPhone Has Been Hacked
https://gridinsoft.com/blogs/your-iphone-has-been-hacked-scam/
Sat, 08 Feb 2025 10:58:50 +0000

“Your iPhone Has Been Hacked” is a fake web browser notification designed to trick users into installing dangerous software. In fact, it is a completely false statement that is designed to infuse fear and make the victim follow the scammers’ orders. In this post, I’ll explain why it’s a scam, how it works and give a couple of recommendations on how to avoid it.

“Your iPhone Has Been Hacked” Overview

“Your iPhone Has Been Hacked” is a deceptive online scam designed to manipulate users into believing their devices have been compromised. The scam relies on fear-mongering tactics, displaying alarming messages that falsely claim an iPhone has been hacked and is under surveillance by cybercriminals.

Web browser scam notification

The website that displays the alarm pretends to be some sort of antivirus scan service. The background and displayed threats may differ from one case to another, yet the overall structure remains the same. It’s a pretty common scheme that continuously circulates on the internet. This makes me believe that the campaign is run by a more or less homogeneous group of scammers.

In reality, no website can perform such an analysis, making these warnings completely fraudulent. The primary goal of this scam is to trick users into following the instructions issued by fraudsters. They typically lead to installing untrusted software, often disguised as security tools or system cleaners.

Such apps typically do nothing but send obscene amounts of notifications and ask the user to pay “to fix the issues/remove the viruses”. No malware is in fact present on the device, and all these notifications are nothing but attempts to scare the user.

How does it work?

The scam operates by leveraging malicious advertising networks and social engineering. When a user visits a webpage involved in this scheme, they are immediately presented with a pop-up message claiming their iPhone has been hacked.

Example of a fake alert

The pop-up often urges immediate action, such as downloading a specific security tool or calling a fake support number. This psychological pressure tactic is designed to make emotional users act impulsively.

Once users close the pop-up, the scheme doesn’t stop. They may be redirected to additional fraudulent pages that promote fake antivirus software (for iPhone???) and other potentially unwanted applications (PUAs). If the user agrees and installs the app, it starts creating annoyances, bombarding users with intrusive ads and tracking their browsing habits.

Some types of unwanted software on iPhones take advantage of the device’s calendar system to flood users with intrusive event notifications. The app requests access to the calendar under the guise of a useful feature, such as reminders or event planning. Once granted permission, it populates the calendar with numerous events that generate intrusive notifications. These notifications often contain ads, fake virus alerts, or prompts to click on suspicious links.

Another technique does not rely on traditional app installations but instead abuses iOS’s built-in calendar subscription feature. When a user interacts with a malicious website, often through pop-ups or a fake CAPTCHA, the site prompts an automatic subscription to a rogue calendar feed. This method does not require explicit user consent in the form of an installation or permission request.

Calendar app notifications spam

Once subscribed, the user’s calendar fills up with numerous scheduled events, each containing misleading notifications. These events frequently include phishing links and fake security warnings urging users to click on them. Because iOS treats these calendar events as legitimate, they persist even after being dismissed. Additionally, since calendar events support dynamic updates, new spam entries continuously appear as long as the malicious subscription remains active.

This technique is effective because it exploits user behavior rather than a direct software vulnerability. iOS allows users to add third-party calendar subscriptions without displaying prominent warnings, making it easy for attackers to abuse this feature.
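A reported calendar subscription can be triaged by parsing the feed it points to and checking how many events pair a scare message with a link. This is an added example, not code from the original post; the feed content, the keyword list and the thresholds are constructed assumptions, and only the iCalendar (RFC 5545) line format is standard.

```python
import re
from collections import Counter

# Constructed feed, not taken from a real campaign. The first SUMMARY is folded:
# RFC 5545 continues a long line with CRLF followed by a single space or tab.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "X-WR-CALNAME:Device Protection",
    "BEGIN:VEVENT",
    "UID:1@feed.example",
    "DTSTART:20250208T090000Z",
    "SUMMARY:Your iPhone may be hacked! Tap to",
    "  clean now",
    "URL:https://scan.example/fix",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "UID:2@feed.example",
    "DTSTART:20250208T093000Z",
    "SUMMARY:Virus warning (3) - protect your device",
    "DESCRIPTION:Open https://scan.example/av to remove threats",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "UID:3@feed.example",
    "DTSTART;VALUE=DATE:20250208",
    "SUMMARY:Your device is infected",
    "URL:https://scan.example/fix?c=3",
    "END:VEVENT",
    "BEGIN:VEVENT",
    "UID:4@feed.example",
    "DTSTART:20250210T120000Z",
    "SUMMARY:Team lunch",
    "END:VEVENT",
    "END:VCALENDAR",
    "",
])

# Illustrative heuristics (assumptions, not a vendor signature set).
SCARE_RE = re.compile(r"hacked|virus|infected|protect|threat|warning", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
SPAM_RATIO = 0.5     # share of events that pair a scare phrase with a link
BURST_PER_DAY = 10   # events on one day that count as flooding


def parse_events(ics_text):
    """Return one dict of property name -> value per VEVENT."""
    unfolded = re.sub(r"\r?\n[ \t]", "", ics_text)  # undo RFC 5545 line folding
    events, current, nested = [], None, 0
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            current, nested = {}, 0
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None:
            if line.startswith("BEGIN:"):      # e.g. a VALARM inside the event
                nested += 1
            elif line.startswith("END:"):
                nested -= 1
            elif nested == 0 and ":" in line:
                head, value = line.split(":", 1)
                # Drop parameters such as ";VALUE=DATE" from the property name.
                current[head.split(";", 1)[0].upper()] = value
    return events


def triage(ics_text):
    """Summarise a feed and decide whether it looks like calendar spam."""
    events = parse_events(ics_text)
    flagged, per_day = [], Counter()
    for ev in events:
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION"))
        has_link = bool(ev.get("URL")) or bool(URL_RE.search(text))
        if has_link and SCARE_RE.search(text):
            flagged.append(ev.get("UID", "?"))
        per_day[ev.get("DTSTART", "")[:8]] += 1
    ratio = len(flagged) / len(events) if events else 0.0
    busiest = max(per_day.values(), default=0)
    return {
        "events": len(events),
        "flagged_uids": flagged,
        "busiest_day_count": busiest,
        "suspicious": ratio >= SPAM_RATIO or busiest >= BURST_PER_DAY,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ICS))
```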

How To Avoid This Scam?

As a rule, users fall victim to this scam by visiting unreliable websites or clicking on deceptive advertisements. Intrusive online advertisements can also serve as a gateway to these scams. Many seem legitimate at first glance but redirect users to fraudulent websites that push unwanted software.

To avoid such scams, users should be cautious when encountering alarming security alerts online and remember that no website can detect malware or hacking activity on a device. Using an ad blocker and keeping software updated can help mitigate exposure to such threats.

If a user subscribes to such a calendar, they must manually unsubscribe from the rogue calendar under Settings > Calendar > Accounts and ensure they do not interact with any links within the spam notifications.

Is Kissanime Safe? A Security Analysis (2025 Update)
https://gridinsoft.com/blogs/kissanime-is-safe-analysis/
Mon, 13 Jan 2025 16:10:18 +0000

Kissanime (kissanimes.net) presents itself as a free library of thousands of anime titles, attracting viewers with its extensive collection and lack of paywalls. However, our comprehensive security analysis reveals significant risks associated with this platform. This investigation, combined with numerous user reports, exposes how the site actively engages in behaviors that compromise user security and privacy. Here’s what you need to know before visiting Kissanime in 2025.

Kissanime Safety Analysis: The Verdict

Our security analysis conclusively determines that Kissanime is unsafe and should be avoided by anyone seeking anime content online. Despite its attractive offering of free, diverse anime content without subscription requirements, the site exhibits multiple high-risk behaviors that pose significant threats to users’ cybersecurity and privacy.

Key Security Concerns

  • ⚠ Aggressive malicious advertising
  • ⚠ Unauthorized data collection practices
  • ⚠ Forced redirects to scam/malware sites
  • ⚠ Identity impersonation of legitimate services
  • ⚠ Consistent domain-hopping to evade takedowns

Our assessment is supported by multiple technical analyses, extensive user reports across forums like Reddit, and verification through website security services. Let’s examine each risk factor in detail to understand the full scope of threats this platform presents.

Kissanime’s interface is saturated with high-risk advertising that targets users with scams and malware

Dangerous Advertising Ecosystem

Predatory Ad Content

The most immediately visible security threat on Kissanime is its aggressive implementation of malicious advertising. Unlike legitimate sites that employ standard advertising networks, Kissanime’s ad ecosystem displays hallmarks of deliberately harmful implementation:

  • High-risk ad categories: Predominance of adult content, unregulated gambling operations, misleading “free” games, and fraudulent dating services
  • Geographic targeting: Ads dynamically change based on user location to maximize relevance for scam potential
  • Intentional misplacement: Deceptive positioning of ads to resemble navigation elements or video players, tricking users into clicking
  • Circumvention techniques: Implementation of methods specifically designed to bypass standard ad blockers

These advertisements aren’t merely annoying—they serve as entry points to sophisticated scam operations. Many redirect to phishing pages designed to capture credit card information, install malware, or trick users into paying for fraudulent services.

Data Harvesting Operations

Beyond visible ads, our technical analysis uncovered extensive data collection scripts operating in the background on Kissanime. These scripts engage in what security professionals call “traffic cloaking”—a technique that harvests user data without consent while obscuring this activity from detection.

The collected data typically includes:

  • Browsing patterns and history
  • Device information and identifiers
  • IP addresses and geolocation data
  • Browser fingerprinting data
  • Cross-site tracking identifiers

This information is then aggregated and sold to data brokers, who further distribute it to questionable third parties without user knowledge or consent. This practice represents a serious privacy violation and increases users’ vulnerability to targeted scams.

Forced Redirections and Social Engineering

Perhaps the most dangerous aspect of Kissanime is its aggressive implementation of forced browser redirections. Our testing revealed that normal navigation actions (clicking on content, menu items, or even empty space) frequently trigger the opening of new browser tabs containing highly deceptive content.

Common Malicious Redirect Tactics

Through repeated testing, we identified several patterns in these forced redirections:

  1. Fake video player overlays that mimic legitimate streaming interfaces but contain hidden redirect triggers
  2. False update notifications claiming users need a “special player” or codec to view content
  3. Counterfeit human verification systems that request users to complete tasks to “prove they’re human”
  4. QR code scanning requirements that lead to malware distribution sites
  5. Browser extension installation prompts for supposed “required viewing tools”

Redirected page showing fraudulent QR code “verification” – scanning would lead to malware installation

These tactics employ social engineering principles to manipulate users into performing actions that compromise their security. Particularly concerning are the fake human verification systems that have become increasingly sophisticated and convincing.

Warning: QR codes on streaming sites represent a growing attack vector. Never scan QR codes presented on suspicious websites, as they frequently lead to credential theft or malware installation. Learn more about QR code phishing techniques to protect yourself.

Domain-Hopping and Identity Theft

Another significant red flag in our security assessment is Kissanime’s frequent domain changes and name appropriation practices. Unlike legitimate services that maintain stable web addresses, Kissanime operates across multiple rapidly-changing domains—a classic evasion tactic used by malicious websites to circumvent blocking and takedowns.

Documented Domain Variations

Our monitoring has identified numerous domain variations used by this operation in recent years:

  • kissanime.help
  • kissanimes.net
  • kissanime.com.ru
  • kissanime.com
  • kissanime.com.tr
  • kiss-anime.net
  • kiss-anime.ws

This constant domain shifting serves multiple malicious purposes:

  • Evading website blocklists maintained by security companies
  • Circumventing DMCA takedown actions for copyright infringement
  • Escaping user-reported blocks on forums and social media
  • Avoiding accumulation of negative reputation on any single domain

Brand Impersonation Tactics

Particularly concerning is the site’s deliberate impersonation of the original KissAnime service that operated legitimately in the early 2010s but has since shut down. This represents a form of brand theft designed to capitalize on the original site’s reputation and user trust.

Footer revealing the site previously operated as GoGoAnime before appropriating the KissAnime name

Our investigation into the site’s history reveals that it previously operated under the GoGoAnime brand (as admitted in the website’s own footer), which itself had accumulated a negative security reputation. The operation simply rebranded to Kissanime to escape this reputation while benefiting from name recognition of a defunct legitimate service.

Reddit discussions from the anime community confirm that the original KissAnime service permanently ceased operations and has no connection to current sites using this name.

How to Verify Website Safety

To help users independently verify the safety of Kissanime or any questionable website, we recommend utilizing specialized website security checking tools before visiting potentially malicious domains.

GridinSoft Website Reputation Checker Results

When analyzing kissanimes.net using GridinSoft’s Website Reputation Checker, the results confirmed our security assessment. The service identified kissanimes.net as having poor reputation scores across multiple security vendors, with specific flags for:

  • Malicious advertising implementation
  • Suspicious redirect behaviors
  • Potential malware distribution
  • Privacy policy violations

This free tool provides a quick way to verify website safety before visiting potentially dangerous sites. Simply enter any suspicious URL into the Website Reputation Checker to receive a comprehensive safety assessment within seconds.

Protecting Yourself From Adware and Browser Hijackers

If you’ve already visited Kissanime or similar sites, you may have inadvertently exposed your system to various forms of malware, particularly adware and browser hijackers. These malicious programs can cause symptoms similar to what you’d experience on Kissanime itself:

  • Unexpected browser redirections on legitimate websites
  • Excessive popup advertisements
  • New toolbars or extensions you don’t remember installing
  • Changed browser homepage or search engine
  • Slower than normal browser performance

Preventative Measures

To protect yourself from these threats, implement these security practices:

  1. Use reputable ad-blocking extensions like uBlock Origin or AdGuard to prevent malicious advertising
  2. Install script-blocking extensions such as NoScript or ScriptSafe to prevent unwanted code execution
  3. Regularly audit browser extensions and remove any you don’t recognize or need
  4. Maintain updated browsers to benefit from the latest security patches
  5. Consider using a dedicated malware scanner to detect and remove browser threats

For comprehensive protection, we recommend GridinSoft Anti-Malware, which offers specialized detection for browser-based threats like those distributed through sites like Kissanime. Its network security module provides real-time protection against malicious websites and can clean existing infections that may have already compromised your system.

Safe Alternatives for Anime Streaming

Rather than risking your security with sites like Kissanime, consider these legitimate alternatives for anime content:

  • Crunchyroll – Offers substantial free content with ads, plus premium subscriptions
  • Funimation – Specializes in dubbed anime with both free and premium tiers
  • Netflix – Increasingly expanding its anime catalog with exclusive titles
  • Hulu – Features a growing selection of both classic and current anime
  • Amazon Prime Video – Includes anime content within its standard subscription
  • HiDive – Specialized anime streaming service at affordable price points

While these services typically require payment for full access, they provide legal, high-quality content without exposing users to security risks. Many offer free trials or ad-supported tiers that allow limited viewing without payment.

Frequently Asked Questions

Is using Kissanime illegal?

While viewing streamed content on Kissanime may exist in a legal gray area depending on your country’s copyright laws, the site clearly violates copyright by distributing content without permission from rights holders. More importantly from a user perspective, the site engages in numerous security violations that put your personal data and device security at risk. Legal considerations aside, the security risks alone make it inadvisable to use the site.

Can using a VPN make Kissanime safe to use?

No. While a VPN might mask your IP address and provide some privacy protection, it cannot prevent the site’s malicious redirects, deceptive ads, or social engineering tactics. These threats operate at the browser level after the encrypted VPN connection, meaning they can still compromise your system. Additionally, when you interact with content on the site (such as entering information or downloading files), a VPN provides no protection against these actions.

Will an ad blocker protect me on Kissanime?

Ad blockers can mitigate some risks by blocking visible advertisements and certain tracking scripts, but Kissanime employs sophisticated anti-adblock technologies specifically designed to circumvent these protections. Our testing found that even with premium ad blockers enabled, the site was still able to execute certain redirects and tracking scripts. While an ad blocker is better than no protection, it cannot guarantee safety on deliberately malicious sites like Kissanime.

How can I tell if my computer is already infected from visiting Kissanime?

Common indicators of infection include: unexpected browser redirects when visiting legitimate websites, new toolbars or extensions you don’t remember installing, changed browser homepage or search engine, excessive popup advertisements even on reputable sites, and slower than normal browser or system performance. If you notice these symptoms, your system may have been compromised by adware or other malware. Running a comprehensive scan with a specialized anti-malware program is recommended to identify and remove these threats.

Are all free anime streaming sites dangerous like Kissanime?

While not all free anime streaming sites present the same level of risk as Kissanime, unauthorized streaming sites generally operate in a legal gray area that often correlates with security risks. Without legitimate business models, these sites typically rely on aggressive and often malicious advertising to generate revenue. Sites that frequently change domains, lack transparent ownership information, display excessive advertisements, or require suspicious “verification” steps should be approached with extreme caution or avoided entirely.

uBlock Origin Plugin May Be Disabled, Google Warns
https://gridinsoft.com/blogs/ublock-origin-disabled/
Mon, 14 Oct 2024 15:29:59 +0000

uBlock Origin, one of the most popular ad blocking extensions for Google Chrome, has fallen out of favor with Google. The tech giant has placed a corresponding notification on the plugin’s listing in Chrome Web Store, saying it does not follow the best practices for extensions. Although the company has not shared any reasoning yet, quite a few people online suggest that the reason is Google’s ongoing battle against ad blockers.

uBlock Origin Gets Removed from Chrome Web Store

On October 13, 2024, the listing of the uBlock Origin extension in Chrome Web Store got an additional line on top, saying that it will soon lose support “because it doesn’t follow best practices for Chrome extensions”. Translated from bureaucratic language, Google may soon remove the plugin from the store, for reasons that are yet to be disclosed by the company. The link provided in the notice leads to a boilerplate page about removing extensions that do not follow the best practices on privacy and security. Also, attentive users noticed this exact notification in the Extensions tab of their browsers almost two months ago, back in August 2024.

The current view on uBlock Origin’s listing page on Chrome Web Store

uBlock Origin is among the most popular ad blocking plugins, with a user base of over 39 million. It has proven itself effective on the majority of websites, including YouTube. The latter has become a tough nut for some of the ad blockers after the recent changes to the site, and became one of the reasons why the plugin had experienced a massive influx of users.

And this capability, along with its overall high efficiency, has probably become the reason why Google decided to kick it out of the Web Store. At least, this is what users suspect is the reason. This version looks especially plausible if we look at the company’s activities aimed at combating ad blocking on its platforms. This touches all browser extensions dedicated to making ads disappear, not only uBlock Origin.

Google’s War Against Ad Blockers Is Unfolding

The whole situation is likely part of a covert campaign that Google is running to fight ad blocking plugins. Sure, the restrictions on browser extensions, specifically on which website content they can work with and how, have quite significant reasoning behind them. Phishing browser plugins, which remain a rather widespread kind of in-browser malware, use the absence of such restrictions in Manifest v2 to collect user input from different elements on the website. The same element scanning and interaction, though with a different outcome, is used by ad blockers.

And that is where the main problem stems from. As Manifest v3 gets rolled out, Google will start removing or otherwise disrupting the functionality of quite a few anti-advertising browser extensions. Once again, this perfectly aligns with the company’s recent strategy of making ads impossible to remove, particularly from one of its main advertising platforms – YouTube. It started detecting an active ad blocker plugin and displaying the corresponding message to the user, saying that only a few will be available to watch ad-free.

YouTube no adblockers

The main relief here is the fact that not all browsers are forced to comply with this new set of rules. Nonetheless, Google holds a monopoly on the web browser market, thus breaking key mechanics that allow ad blockers to work can and will impact the majority of Internet users. And that is what shakes the community so much.

In my personal opinion, online advertising is not a bad thing in its essence. Brands need to show themselves, and Google (along with other ad providers) let them do so. But the way these promotions are stuffed into the content does not boost the user experience. Even more so, considering massive amounts of ads from untrustworthy sites, and even outright scams appearing in Google Ads, disabling ad blockers will create a clear threat to user safety.

Can I Use uBlock Origin in the Future?

Sure enough, you can. As long as you have it installed in the browser, it will function just fine, as it receives updates independently from Chrome Web Store. But should you lose this plugin in any way (say, by resetting the browser or accidentally deleting it), it will be gone for good. Some may suggest getting an installer from a third party, but such manipulations are a risky idea at their very core, with huge possibilities for impersonation attacks and malware distribution.

There are alternatives, though, that will keep functioning even after and even if uBlock gets deleted. uBlock Origin Lite, an extension from the same developer, is designed to comply with Manifest v3, and is still capable of stopping the ad storm. Still, its efficiency is significantly lower, with the main impact of the changes being noticeable in how fast the plugin removes advertisements from pages. Also, there’s no guarantee that it will work fine with the main concern of quite a few people, YouTube.

A much less complicated way of solving the issue is switching to a different web browser, one which does not take Manifest v3 into account. Among the obvious choices are Firefox and Brave, as they are not even based off of Chromium core, meaning there are no ties to Google whatsoever. The majority of browser extensions are present there, too, with similarly convenient ways to install them.

Sec-tl Pop-Up Virus https://gridinsoft.com/blogs/sec-tl-pop-up-virus/ Thu, 03 Oct 2024 19:11:40 +0000

Sec-tl pop-up ads are malicious push notifications that abuse legitimate browser functionality. The fraudulent actors behind this chain of websites earn money by showing hundreds of ads in this way. And those are not just regular ads: it is common to see scams and phishing sites among them. Let me explain how this scam works, and how you can stop it from happening and avoid such troubles in the future.

Sec-tl Pop-Up Notifications Overview

Push notifications from the Sec-tl series of websites are part of a fraudulent campaign that aims at earning money through pay-per-view ads. The con actors behind it set these sites to send dozens of notifications each minute, each containing some promotion. It works by abusing the legitimate browser functionality of push notifications, and the user is tricked into allowing these sites to send them.

Sec-tl ads popup scam page
Example of a Sec-tl site that requests the user to allow notifications

Typically, when users get to any of the Sec-tl sites, they see a demand “to prove that you are not a robot”. To do this, the site asks them to enable notifications. This is where it all starts. You can open such a page dozens of times, and that will not impact you or your system unless you press the “Allow” button.

Domains involved in the scam

URL Registered Scan report
Sec-tl-129-a.buzz 2024-09-12 Report
Sec-tl-129-b.buzz 2024-09-12 Report
Sec-tl-129-c.buzz 2024-09-12 Report
Sec-tl-129-d.buzz 2024-09-12 Report
Sec-tl-129-e.buzz 2024-09-12 Report

You can conduct your own investigation using our Inspector API by performing a search with the key “Sec-tl”.

But let’s take one step back, to the way one can get to these websites. As in quite a few similar scam campaigns, these sites gain visitors through redirections from other sites. I am not talking about regular external links – no, the fraudsters rely on random redirects that happen as you click on any website element.

As far as my research shows, Sec-tl sites mainly get redirects from sites that offer pirated movies and TV series. In particular, there are two sites to stay away from – moviesnation[.]org and moviesearch[.]org.

By just going to the root domain, you will see either a 404 error or a hosting boilerplate message saying that the domain is for sale. All the fraudulent activity happens on a much deeper level, with several URL parameters generated during the redirect. And, as you can see from the list above, the fraudsters use quite a few domains, meaning that each can target different countries or show different ads in notifications.

Are Sec-tl Push Notifications Dangerous?

Yes, they are. Aside from being just annoying, as any excessive advertising is, their contents are not filtered in any way. What’s more, the scammers apparently cooperate with other fraudsters in this matter, so quite a lot of push notifications lead to a download page for some sketchy software, a shopping scam site, or the like. There can also be promotions of gambling or betting sites, or low-trust dating platforms. All of the latter pose less danger than phishing or scams but can create headaches nonetheless.

It is also worth saying that these pop-ups pose no threat unless you click them and, consequently, interact with the contents of the site. And it is tricky at times: images in notifications can contain a “cross”, suggesting that you click it to close the ad. Instead, since you have in fact clicked the main content of the promotion, this will take you to the promoted website.

As for direct dangers to the system, they are not too high unless you have interacted with the ads. However, there are a lot of cases when active adware was opening such notification spam pages, so the user does not even need to visit a dodgy website to trigger a redirect. That’s why an anti-malware scan is a recommended step even after the manual removal of the pop-ups.

How to remove Sec-tl pop-up spam?

Since the main source of pop-ups is the permission to send notifications granted to a certain website, it is possible to remove it manually. To do this, go to your browser settings and type “Notification settings” in the search bar. I will show this using the example of Google Chrome, but the steps should be similar for other browsers.

Then, it is time for the second step – anti-malware scan. As I said, there is a risk of unwanted pop-ups appearing as the result of adware activity. Removing it manually is a much, much more complicated task than removing permissions for notifications, so an automated scan will be more convenient. For this purpose, I recommend GridinSoft Anti-Malware.

Sec-tl Removal Guide

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

First-tl Pop-Up Virus https://gridinsoft.com/blogs/first-tl-pop-up-virus/ Tue, 01 Oct 2024 01:57:07 +0000

First-tl pop-up ads are malicious push notifications (like those from the Sec-tl sites) that abuse legitimate browser functionality. The fraudulent actors behind this chain of websites earn money by showing hundreds of ads in this way. And those are not just regular ads: it is common to see scams and phishing sites among them. Let me explain how this scam works, and how you can stop it from happening and avoid such troubles in the future.

First-tl Pop-Up Notifications Overview

Push notifications from the First-tl series of websites are part of a fraudulent campaign that aims at earning money through pay-per-view ads. The con actors behind it set these sites to send dozens of notifications each minute, each containing some promotion. It works by abusing the legitimate browser functionality of push notifications, and the user is tricked into allowing these sites to send them.

First-tl popup scam page
Example of a First-tl site that requests the user to allow notifications

Typically, when users get to any of the First-tl sites, they see a demand “to prove that you are not a robot”. To do this, the site asks them to enable notifications. This is where it all starts. You can open such a page literally dozens of times, and that will have no impact on you or your system unless you press the “Allow” button.

Domains involved in the scam

URL Registered Scan report
First-tl-209-a.buzz 2024-09-21 209-a
First-tl-209-b.buzz 2024-09-21 209-b
First-tl-209-c.buzz 2024-09-21 209-c
First-tl-259-a.buzz 2024-09-26 259-a
First-tl-259-b.buzz 2024-09-26 259-b
First-tl-259-c.buzz 2024-09-26 259-c
First-tl-259-d.buzz 2024-09-26 259-d
First-tl-259-e.buzz 2024-09-26 259-e
First-tl-139-f.buzz 2024-09-12 Report

You can conduct your own investigation using our Inspector API by performing a search with the key “First-tl”.

First-tl Notification – Example of scam virus alert

But let’s take one step back, to the way one can get to these websites. As in quite a few similar scam campaigns, these sites gain visitors through redirections from other sites. I am not talking about regular external links – no, the fraudsters rely on random redirects that happen as you click on any website element.

As far as my research shows, First-tl sites mainly get redirects from sites that offer pirated movies and TV series. In particular, there are two sites to stay away from – moviesnation[.]org and moviesearch[.]org.

By just going to the root domain, you will see either a 404 error or a hosting boilerplate message saying that the domain is for sale. All the fraudulent activity happens on a much deeper level, with several URL parameters generated during the redirect. And, as you can see from the list above, the fraudsters use quite a few domains, meaning that each can target different countries or show different ads in notifications.

Are First-tl Push Notifications Dangerous?

Example of McAfee Scam from First-TL sites

Yes, they are. Aside from being just annoying, as any excessive advertising is, their contents are not filtered in any way. What’s more, the scammers apparently cooperate with other fraudsters in this matter, so quite a lot of push notifications lead to a download page for some sketchy software, a shopping scam site, or the like. There can also be promotions of gambling or betting sites, or low-trust dating platforms. All of the latter pose less danger than phishing or scams but can create headaches nonetheless.

It is also worth saying that these pop-ups pose no threat unless you click them and, consequently, interact with the contents of the site. And it is tricky at times: images in notifications can contain a “cross”, suggesting that you click it to close the ad. Instead, since you have in fact clicked the main content of the promotion, this will take you to the promoted website.

As for direct dangers to the system, they are not too high unless you have interacted with the ads. However, there are a lot of cases when active adware was opening such notification spam pages, so the user does not even need to visit a dodgy website to trigger a redirect. That’s why an anti-malware scan is a recommended step even after the manual removal of the pop-ups.

How to remove First-tl pop-up spam?

Since the main source of pop-ups is the permission to send notifications granted to a certain website, it is possible to remove it manually. To do this, go to your browser settings and type “Notification settings” in the search bar. I will show this using the example of Google Chrome, but the steps should be similar for other browsers.

Then, it is time for the second step – anti-malware scan. As I said, there is a risk of unwanted pop-ups appearing as the result of adware activity. Removing it manually is a much, much more complicated task than removing permissions for notifications, so an automated scan will be more convenient. For this purpose, I recommend GridinSoft Anti-Malware.

First-tl Removal Guide

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Check-tl-ver Pop-Up Virus https://gridinsoft.com/blogs/check-tl-ver-pop-up-virus/ Mon, 02 Sep 2024 15:51:02 +0000

Analysis shows a hike in the number of malicious pop-ups that come from Check-tl-ver websites. It is a rather common strategy of aggressive marketing that aims to spam users after forcing them to allow sending notifications from the aforementioned websites. Let’s figure out what this scam is, and how to stop Check-tl-ver pop-ups.

What are check-tl-version pop-up notifications?

Pop-up notifications from Check-tl-version sites are a spam campaign that aims to earn money from pay-per-view and pay-per-click advertisements. There is an entire chain of such sites, created by the same group of cybercriminals and existing for the same purpose. The fraudsters behind all this lure people into pressing the “Allow notifications” button that appears as soon as one enters the site. This demand may be framed as a form of captcha, DDoS protection, or the like.

List of domains involved in a scam

URL Registered Scan report
Check-tl-ver-u99-a.buzz 2024-10-09 Report
Check-tl-ver-u99-b.buzz 2024-10-09 Report
Check-tl-ver-u99-c.buzz 2024-10-09 Report
Check-tl-ver-u99-d.buzz 2024-10-09 Report
Check-tl-ver-u99-e.buzz 2024-10-09 Report
Check-tl-ver-u99-f.buzz 2024-10-09 Report
Check-tl-ver-u99-g.buzz 2024-10-09 Report

One particular source of redirections to check-tl-version sites is browsing sites with illegal or explicit content. Websites that host pirated movies or games, adult sites – clicking anything on such pages may trigger a redirection to the scam site that will ask you to allow notifications. That twisted form of cooperation is what makes me warn people against using such sources of software and movies.

Allow notifications request check-tl-ver site
Example of the “Allow notifications” page

An interesting thing about the pop-up spam sites is that they work only after the redirection. Simple checks show that opening the scam page requires a correct link. Visiting the root domain, without the additional parameters in the URL, will return either a 404 error or a boilerplate page that says the URL is for sale.

How dangerous are Check-tl-version pop-ups?

Once the user allows notifications from one of the check-tl-version websites, the site starts bombarding them with pop-ups. These notifications appear in the system tray, offering gambling, adult sites, or trying to scare the user by saying the system is infected. Clicking on a pop-up will send the user to a website with some rather questionable content. It is also pretty common to see phishing pages promoted in such a way, which forms the main concern about this pop-up spam.

Check-tl-ver pop-up notification
Example of a fake antivirus warning that the check-tl-ver site can send

Another angle of the problem is the offer to install some questionable software to solve non-existent problems. You might encounter a so-called Microsoft tech support scam page or a site that pretends to scan your PC, falsely reporting that there are hundreds of malicious programs running at the moment. To make it harder for the user to quit, scammers make these sites open in a full-screen mode, so there is no visible way out. Of course, unless someone presses the Escape button.

But scams and phishing aside, the key issue with all this is the fact that constant pop-ups are extremely annoying. Because of the way Windows shows notifications, they will appear on top of any app that is currently running. It’s simply hard to concentrate on your task when you constantly hear and see banners popping up one after another. And, well, it will be quite an embarrassing moment when your boss walks by while there is a pop-up with hot girls around you on the screen.

How to remove Check-tl-version pop-ups?

It is possible to remove the pop-up source manually, through the browser interface. For this, go to your browser settings, find notification settings and remove all the sites that are listed as ones that can send notifications. Reload the browser to apply the changes.

There is also a second step – malware removal. It is possible that the appearance of check-tl-version pop-ups is caused by the activity of adware or browser hijackers. These two malware types often cause redirections, and may alter web browser settings to suit their needs. For that reason, I recommend scanning the system with GridinSoft Anti-Malware: it will make clear whether there is something malicious on your device or not. Download it, install and run a Standard scan: this will check the places where the said malware typically keeps its files.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Re-Captha-Version Pop-Up Virus https://gridinsoft.com/blogs/re-captha-version-pop-ups/ Wed, 20 Mar 2024 15:28:43 +0000

Recent user complaints show a new wave of malicious Re-Captha-Version website pop-ups. Such websites aim to force users into allowing pop-up notifications and send dozens of pop-up advertisements. Let me explain how this all works and how to stop pop-ups from appearing.

Let’s figure out what this scam is, and how to stop Re-Captha-Version pop-ups.

What are Re-Captha-Version pop-up notifications?

Re-Captha-Version is a browser notification spam campaign that takes place on an eponymous website. An entire network of such sites has similar names and content. All of them aim at one thing – forcing users to allow notifications under the guise of an anti-robot captcha. This enables the main course of this scam – huge numbers of pop-ups that flood both the web browser and system notifications.

List of domains involved in the scam

Domain Registered Report
Re-captha-version-4-25.buzz 2024-11-18 Scan Report
Re-captha-version-4-23.buzz 2024-11-18 Scan Report
Re-captha-version-4-21.buzz 2024-11-18 Scan Report
Re-captha-version-3-271.buzz 2024-07-05 Scan Report
re-captha-version-3-275.buzz 2024-05-31
re-captha-version-3-278.buzz 2024-06-14
re-captha-version-3-290.buzz 2024-03-15
re-captha-version-3-298.buzz 2024-03-12
re-captha-version-5-1.com 2024-03-03
re-captha-version-3-73.fun 2024-02-13 Scan Report

Websites like Re-Captha-Version commonly appear after the redirection from another site, or following the click on the suspicious banner somewhere on the Web. If you try visiting such websites apart from the malicious redirections, they will likely return a white screen or various error messages. In some cases, they work, but the content is the same as the first time – just the offer to enable pop-up notifications.

Allow popups Re-Captha-Version
Common example of Re-Captha website

But what is all this for? The promotions that such websites show are extremely cheap, but their volume multiplied by the number of victims gives quite a substantial profit. Considering that these fraudsters will advertise other malicious actors, the profit may be spread across several cybercriminal groups. And while there are ways to earn more, and in a legitimate way, pop-up spam campaigns are extremely easy to run. This is what keeps these fraudulent sites going.

How dangerous are Re-Captha-Version pop-up notifications?

Despite what they look like, pop-ups are a rather dangerous thing, especially when dozens of them appear in a short period. The main effect is distraction: pop-ups will keep appearing even after closing the browser. They clutter the notification tray, making it impossible to find the alerts you need.

Notifications Recaptha
Desktop notifications sent by Recaptha site

But the key danger hides in the content of those promotions. The pages and offers they promote are not even remotely relevant. Moreover, the links these advertisements lead to are often just clickbait websites or outright phishing pages. The longer all this goes on, the more likely the user is to accidentally click one and get into a sticky situation.

How to remove Re-Captha-Version?

Removing pop-ups from the browser involves two steps – revoking the permission to send notifications from all sites and scanning your system for threats. The first one is manual – you need to go to your browser settings, open the page with notification settings and delete all entries there. Then, reload your browser for the changes to take effect.

For the second step – scanning for threats – I recommend using GridinSoft Anti-Malware. Ads can lead to the installation of unwanted software. But aside from this, the appearance of Re-Captha-Version website may be the sign of adware activity. To ensure that your device is clean, run a Standard scan and let it finish – it won’t take long.
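The manual step described in the Sec-tl, First-tl, Check-tl-ver and Re-Captha-Version articles (revoking notification permissions) can also be audited from a script. The added example below is not Gridinsoft code: it reads the notification exceptions from a Chrome profile's Preferences JSON and flags allowed origins that match the naming of the domain lists above. The key path `profile.content_settings.exceptions.notifications`, the setting values 1 (allow) and 2 (block), the regex and the sample data are assumptions made for this example.

```python
import json
import re
from urllib.parse import urlsplit

# Generalized from the domain lists in the articles (Sec-tl, First-tl,
# Check-tl-ver, Re-Captha-Version). An assumption, not a vendor signature.
CAMPAIGN_RE = re.compile(
    r"^(?:sec-tl-\d+-[a-z]"
    r"|first-tl-\d+-[a-z]"
    r"|check-tl-ver-u?\d+-[a-z]"
    r"|re-captha-version-\d+-\d+)\.[a-z]+$"
)

# Assumed content-setting values stored in the Preferences file.
ALLOW, BLOCK = 1, 2

# Constructed sample of the relevant part of a Chrome "Preferences" file.
# The campaign hosts come from the lists above; mail.example.com is made up.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://sec-tl-129-a.buzz:443,*": {"setting": ALLOW},
        "https://re-captha-version-3-73.fun:443,*": {"setting": ALLOW},
        "https://first-tl-209-b.buzz:443,*": {"setting": BLOCK},
        "https://mail.example.com:443,*": {"setting": ALLOW},
        "*,*": {"setting": BLOCK},
    }}}}
})


def host_from_pattern(pattern):
    """Turn 'https://host:443,*' into 'host'; None if it is not an origin."""
    primary = pattern.split(",", 1)[0]
    try:
        host = urlsplit(primary).hostname
    except ValueError:  # malformed bracketed host
        return None
    return host.lower() if host else None


def audit_notifications(preferences_text):
    """List origins allowed to send notifications, campaign matches first."""
    prefs = json.loads(preferences_text)
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, entry in exceptions.items():
        host = host_from_pattern(pattern)
        if host is None or entry.get("setting") != ALLOW:
            continue  # skip blocked origins and non-origin patterns
        findings.append({"host": host,
                         "campaign": bool(CAMPAIGN_RE.match(host))})
    return sorted(findings, key=lambda f: (not f["campaign"], f["host"]))


if __name__ == "__main__":
    for f in audit_notifications(SAMPLE_PREFERENCES):
        label = "REVOKE (campaign pattern)" if f["campaign"] else "review"
        print(f"{label:26} {f['host']}")
```

Run it against a copy of the profile's Preferences file taken while the browser is closed; the script only reports and never modifies the file.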

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Google Search Malvertising: Fake Ads of Free Programs in Google Ads https://gridinsoft.com/blogs/google-search-malvertising-fake-ads/ Thu, 19 Jan 2023 11:07:34 +0000

Google Search malvertising is an unpleasant phenomenon of malicious advertisements in search engine results. The ads up there are meant to make it easier to reach users interested in specific queries, but they ended up being yet another object of hackers’ exploitation. Let’s see why these links appear, how dangerous they are, and how you can protect yourself.

What is malvertising in Google Search?

First, let’s check out the key definitions, as they may be unfamiliar to some users. Malvertising is short for “malicious advertising”, which speaks for itself pretty well. Ads in Google Search, on the other hand, are trusted, as they carry the name of the biggest search engine. In earlier days, they proved to have a robust check-up mechanism that weeded out potentially harmful things from search results. Things have changed over the last few months, specifically in November 2022. Malicious ads that tried to mimic the download pages of legitimate tools filled the search results, often pushing the genuine page down to the 4th or 5th position in the results.

These links generally try to fake not only the header of a page but also the URL address. They include the name of a program, and a couple of keywords to look legitimate. Words may be added through a dash symbol, or as a second-level domain. The top-level domain, meanwhile, is usually something cheap, like .click or .top. Such TLDs cost around a dollar, and usually require no documents to register. More expensive domains, like a classic .com, may be used as well, so don’t accept them as a quality mark.

Fake Libreoffice ad
Fake LibreOffice ad that tries to mimic the original site’s URL
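The URL pattern described above (a program name plus extra keywords, joined by a dash or placed in a separate domain label, on any TLD) can be turned into a simple triage check for ad destination hosts. This is an added example, not code from the original article; the allow-list of official domains, the two-label registrable-domain shortcut and the sample hostnames are assumptions made for it.

```python
import re

# Sample allow-list: keyword -> official registrable domain, for a few of the
# programs named in the article. Assembled for this example; extend it.
OFFICIAL = {
    "libreoffice": "libreoffice.org",
    "blender": "blender.org",
    "obs": "obsproject.com",
    "obsproject": "obsproject.com",
    "vlc": "videolan.org",
    "videolan": "videolan.org",
}

# Cheap TLDs the article names. A hit adds a reason but is never required,
# because the article notes that .com lookalikes exist as well.
CHEAP_TLDS = {"click", "top"}

# Constructed ad destination hosts for the demo, not observed indicators.
SAMPLE_AD_HOSTS = [
    "www.libreoffice.org",
    "libreoffice-suite.click",
    "get-blender.com",
    "vlc.media-files.top",
    "example.org",
]


def registrable(host):
    """Last two labels. Assumption: no multi-label suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def assess(host):
    """Classify one host as 'official', 'suspicious' or 'no-brand'."""
    host = host.lower().rstrip(".")
    # Split on dots and dashes so both "name-keyword.tld" and
    # "name.keyword.tld" expose the program name as a token.
    tokens = set(re.split(r"[.-]", host))
    brands = sorted(k for k in OFFICIAL if k in tokens)
    result = {"host": host, "verdict": "no-brand", "reasons": []}
    if not brands:
        return result
    if any(OFFICIAL[b] == registrable(host) for b in brands):
        result["verdict"] = "official"
        return result
    result["verdict"] = "suspicious"
    for b in brands:
        result["reasons"].append(
            f"contains '{b}' but is not under {OFFICIAL[b]}")
    tld = host.rsplit(".", 1)[-1]
    if tld in CHEAP_TLDS:
        result["reasons"].append(f"cheap TLD .{tld}")
    return result


def triage(hosts):
    """Return only the assessments that need a closer look."""
    return [r for r in map(assess, hosts) if r["verdict"] == "suspicious"]


if __name__ == "__main__":
    for r in triage(SAMPLE_AD_HOSTS):
        print(r["host"], "->", "; ".join(r["reasons"]))
```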

Some fake advertisements may include so-called domain cloaking. The starting URL will be 100% legitimate, like youtube.com or twitter.com. Once you click, a cloaking mechanism will trigger and throw you to a site that is completely different from the one you saw in the ad. This approach is more about tricking people into calling fake support or installing “a recommended security tool”.

Generally, malicious ads appear on search queries related to popular free programs. So far, I have found malicious ads for the following programs and software packages:

  • Blender
  • VLC Player
  • Oracle VM VirtualBox
  • Notepad++
  • LibreOffice
  • Capcut
  • OBS Studio
  • CCleaner
  • WinRAR
  • Rufus
  • Adobe products
  • Zoom Video
  • AMD and nVidia drivers
  • Python libraries

Why do they appear?

The first and foremost reason for the appearance of these ads is poor control of advertising content by Google. Sure, the company is not a vice squad, and should not be expected to maintain impeccable quality of advertising. But it is damaging for the image of such a company to allow purely fake ads to be posted, especially at the top positions of search results. Some time before, the same “pandemic” happened on YouTube. Massive amounts of copy-paste ads for scam charity funds, giveaways, fake promotions of a new iPhone/Samsung with an 80% discount – they were not just of low quality or unconvincing. All these things point to some serious problems within the Google team that is in charge of reviewing advertisements before they are posted.

Scam ads YouTube
Scam ad on YouTube that promotes a pseudo-giveaway

The other side of the coin is the scoundrels who actually organise this mess. Most of the time, events of this sort are aimed at spreading malware. The more such methods are available, the more sustainable the hackers’ “business”. At the edge of 2022, Microsoft finally banned the execution of macros that come from the Internet. Macros are MS Office applets that allow dynamically updated content in documents. The breaches in the mechanism used to handle them are so easy to exploit that hackers were using it massively to drop malware payloads. After that ban, crooks started searching for another vehicle for their shady deeds. And Google Search ads happened to be in their way.

Is Google Search malvertising dangerous?

Google has immense user coverage. With over 8 billion queries a day, its search results are probably one of the biggest advertising networks under the sun. One malicious ad may be seen by millions, and thousands will click it. When there are at least 10 topics that contain malicious Google ads, things get worse by orders of magnitude.

Above you may see a sad story of a Twitter user with the nickname NFT God, who got some serious damage after being baited to download OBS Studio via such a fake link.

As research shows, most of the time the malware that is delivered after following such a link aims at stealing data. The file you are offered to download is not the malware itself; it is a malicious script whose sole purpose is to contact the C&C server. The server, in turn, sends malware to your device, using the connection that the script has established. Spyware that arrives in such a way leaves no chance for your privacy. Ransomware is yet another malware type that may arrive through such an approach.

Other possible instances of Google Search malvertising contain tech support scam offers. That is the case when a group of rascals impersonates legitimate tech support. They usually take the name of Microsoft, and the banners usually contain an “urgent security note from Microsoft”. Such a note says your PC is either blocked or flooded with malware, and you need to contact their “support” urgently. The number posted on the banner leads you to a scam tech support that will push you to either give remote access to your PC or install a questionable program “to clean the system”.

How to protect yourself from Google Search malvertising?

Google used to pay a lot of attention to its ads. Possibly, it just has some problems with retaining concentration, thus the problem will be fixed pretty quickly. But it is always better to hope for the best and be ready for the worst.

  • Avoid advertisements in Google Search. Even if an ad shows a link to a legit site, that is not always representative of where it will send you. When the top search results consist mostly of ads, scroll down to find the links to genuine pages.
  • Use a different search engine. Being the biggest search engine does not always mean having outstanding search results. Some people prefer DuckDuckGo because of its claims about being free of tracking and telemetry. However, it may help in the case of fishy ads in Google Search as well. You are free to try any of the ones present on the market.
  • Use decent anti-malware software. Only by having a tool that can effectively say whether the file you’ve got from the Internet is clean or malicious will you be sure about your actions. Having one that is able to block access to malicious sites will seriously mitigate the problem. GridinSoft Anti-Malware is the one that can fulfill both needs – malware detection and network security. Constant database updates allow it to retain efficiency even against the latest threats.

Meta to Give up its Discriminating Ad-Targeting System https://gridinsoft.com/blogs/meta-lawsuit-discrimination/ Wed, 22 Jun 2022 15:53:03 +0000

Meta Cooperates Facing Charges of Digital Discrimination

A historic legal event took place when, after accusations of unlawful discrimination built into the design of the targeted advertising system employed by Meta, the company agreed to cease using the tool and pay a penalty of around $115,000.

The source of the news is the June 21 official statement of the U.S. Department of Justice.

The Department of Housing and Urban Development (HUD) has investigated discrimination in Meta ad-serving software. The official charge of discrimination issued by HUD on March 28, 2019 was the nudge that started the disputed lawsuit. The fact is that in order to select the audience for advertisements for the sale and rental of housing, the Meta ad distribution system employs the criteria mentioned in the Civil Rights Act of 1968, namely its eighth and ninth parts, also known as the Fair Housing Act. This law states that the sale or rental of housing must not involve discrimination on the part of the property owner, and this applies to both the transactions themselves and the advertising that precedes them. Advertising must not discriminate against the audience based on race, sex, gender, religion, sexual orientation, etc. The prosecution argues that this is exactly what happens when the ad targeting system, based on the data mentioned, does not allow part of the audience to see some ads at all. At the same time, people are not even aware of such filtering.

Significantly, this is the first time the law has been applied to digital advertising and digital targeting mechanisms. The U.S. Department of Justice noted that Meta agreed to develop a new tool under the supervision of the DoJ. The new product must exclude discrimination and be built on other filtering criteria. The U.S. Attorney for the Southern District of New York, Damian Williams, said that if Meta continues to use discriminatory technologies, the civil rights lawsuit will not be dismissed and litigation will continue.

For the time being, Meta has a settlement of the lawsuit and seven months (until December 31) to come up with the revised ad-targeting tool. Otherwise, the corporation would have to stand before a federal court.

How can you enhance the security of your browser? https://gridinsoft.com/blogs/how-can-you-enhance-the-security-of-your-browser/ Fri, 27 Jul 2018 14:30:13 +0000

Which is the most secure Web browser? Google Chrome? Mozilla Firefox? Microsoft’s Edge? It’s a simple question but the answer is quite complicated.

Five years back a poll was carried out, and the results showed that security-conscious browser users overwhelmingly voted Firefox the most secure. But during the annual Pwn2own hacking contest in March 2014, Firefox was exploited four times with zero-day attacks, making it one of the least secure browsers.

To complicate matters further, a 2013 comparative analysis of five popular Web browsers by NSS Labs found that Internet Explorer outperformed its competitors. Even so, the NSS Labs research showed that no single browser uniformly protected users against the majority of security threats and privacy risks.

If no single browser is bulletproof, the next best thing is to make sure your favorite browser is as secure as possible. Here are some ways you can enhance the security of your browser and be hackproof:

  1. Configure your browser’s security and privacy settings

    Review your browser’s privacy and security settings to make sure you’re comfortable with what’s checked or unchecked. For example, look to see if your browser is blocking third-party cookies, which can enable advertisers to track your online activities.

    For specific browser security and privacy settings, read the recommendations and steps outlined in the Department of Homeland Security’s “Securing Your Web Browser”. The guide also explains browser features and their associated risks, such as ActiveX, Java, certain plug-ins, cookies, and JavaScript.

  2. Keep your browser updated

    Browser updates are frequently released to plug recently discovered security holes, so it’s important to always keep any browsers you use updated.

  3. Sign up for alerts

    Consider setting up Google alerts for your browser to stay current on any emerging security issues. If you use Internet Explorer, for example, create a Google Alert using the keywords Internet Explorer security, or something similar. You can opt to receive instant, daily or weekly alerts whenever news articles or other content relevant to that topic hits the Web.

  4. Be cautious when installing plug-ins

    Plug-ins and extensions can sometimes put you at risk. For instance, earlier this year, it was discovered that some Chrome extensions can change service or ownership without notification to users. As a result, Chrome’s regulations for extensions are changing this June to keep extensions from becoming anything other than “simple and single-purpose in nature,” according to Google.

  5. Make sure you have an AV installed

    Potentially unwanted programs (PUPs) can slip past when you install any sort of software. These little buggers can switch browsers on you without warning and you might never even notice. Keeping a reputable antivirus program like GridinSoft Anti-Malware installed is one of the best ways to keep PUPs from hijacking your browser and ruining your day.

  6. Install security plug-ins

    The majority of plug-ins and extensions are safe, however, and some can help bolster your browser’s security. Here are three suggested—and free—browser extensions for added security.

    • HTTPS Everywhere

      The Electronic Frontier Foundation and The Tor Project jointly developed this Firefox, Chrome, and Opera extension. HTTPS is a communications protocol for securing communications over a computer network, vs. the standard HTTP protocol, which is more widely used but less secure. (The ‘S’ in HTTPS stands for ‘secure.’) HTTPS Everywhere encrypts communication with many major websites to help secure your browsing experience.

    • LongURL.org

      If you’re on Twitter or Facebook and you see a shortened link embedded in an interesting post, you might click it without a second thought. But shortened links have been known to mask malicious links. If you’re unsure of a shortened link, copy and paste it into the search box at LongURL.org. You’ll see where the link would take you, without having to actually click through to the site. LongURL.org is also available as a Firefox browser extension.

    • Use Internet Protection from GridinSoft Anti-Malware

      The Internet Protection feature blocks all suspicious sites in your browser. It also prevents the downloading of dangerous applications.

Adware Everywhere: Who Knows What Is Happening? https://gridinsoft.com/blogs/adware-everywhere-knows-happening/ Wed, 06 Sep 2017 09:58:54 +0000

Perhaps you’ve heard the familiar claim that no harm can ever hit your pricey gadget, maybe because everything from official App Stores is 100% clean and safe. And so, you’re on your favorite browser, carefree and worry-free!

Alas!

The browser starts to act stupid, redirecting and taking you places filled with creepy adverts or, worse yet, issuing warnings of possible harm if you don’t “Update Your Flash Player.” And while the naïve would likely fall for the trap, smart and tech-savvy individuals may automatically note the adware running in the background. But as ubiquitous as the phenomenon is, adware attacks are a discreet way for cyber criminals to make money off the unsuspecting.

What is adware

Though redirects are probably the most familiar sign that you are under attack, there are other, subtler and perhaps less ferocious cyber attacks. There’s a form of adware gradually going mainstream. Besides redirecting, the virus goes ahead and alters your default search engine to something weird.

You start your PC, ready to browse the web, but once you key in whatever you need to search the web, you are redirected to a page with bizarre search results. It happens often and hurts the unsuspecting!

Pop-ads are yet another sign your computer is under an immense adware attack.

Simple as they appear, these pop-ads can be a source of immense misery, hurt your typical browsing habits and perhaps steal valuable data as you browse.

Many other times, these malicious occurrences make the PC act slower than it normally does, including lowering the average browsing speed and how quickly the computer executes simple tasks. Of course, the phenomenon becomes more suspicious when you note it while your PC doesn’t have a heavy program running or when you’re connected to a fast internet connection.

How Adware Works

Generally, these malicious tools are embedded into ‘free-ware’ or pirated software and serve as a form of payment to the proprietor of the freely downloaded software.

Adware is simple software that comes with integrated advertising materials, including those that trigger redirects and pop-ups.

Mostly, the adware is activated whenever the tool that it is embedded in runs and the PC is connected to the internet.

At the moment, many software developers offer their products as “sponsored software” so that the ad pays for the free services provided. It is a pretty common type of adware and may continue until the user pays to register and thus removes the ads from the software.

Regardless of how they work, these malicious attacks are very annoying. Pop-ads waste a lot of time, while redirects and the slowing down of the PC hurt the ordinary performance of the computer. Aside from these, adware can set the stage for various other attacks, including spyware, ransomware and virus attacks.

How to avoid Adware

Tip #1 Never click any suspicious-looking pop-up windows and ads
Tip #2 Don’t answer or reply to unsolicited emails and messages
Tip #3 Exercise utmost caution when downloading free software applications

Above all, invest in the best malware removal software. GridinSoft Anti-Malware does a great job!
