Keep Calm and Use the Best Protection!

We offer Computer tuneups for your slow PCs

Don't put up with poor performance, let our techs make your PC much faster and more stable.

Learn About Tuneups
Cameron CampWant to access the music tracks of videos on your iPod but don’t want to pay? You’re not alone. Recently, a crop of websites have popped up offering to convert the audio from videos to .mp3 files that you can then download at no charge. Sounds great, right? The catch: scammers are trying to capture the popular click traffic and redirect users to scam websites, where you might get more than you bargained for, in the form of free malware and other unpleasantness as a bonus. Recently, we hosted a “cyber boot camp”, teaching high school students to attack and defend networks. One of our presenters, John Moffat, who often delivers security awareness seminars to teenagers and stresses the dangers of the “free” internet, referenced this scam in his presentation. While Mr. Moffat doesn’t claim to be a malware expert, he knows a scam when he sees one, and does his best to help others avoid falling prey. So what happens if you fall for one of these types of scams? Below we follow the trail of one example, with screenshots of what you might see. In this example, I clicked on a highly ranked Google search results link, which pointed to a YouTube video itself, purporting to give instructions on how to convert their videos to .mp3’s. When I did, it showed a non-video screenshot inside their video player, which directed me to visit a website directly. The video description came completely stuffed with keywords in the description to inflate rankings. Here’s a screenshot of what I was presented with:
youtube mp3 converter - complete with malware
and then a screen that showed the locked download file, which I would then have to unlock
mp3 converter download
I chose the Best Buy gift card offer. When I clicked on it, it took me to a page that shows that I could get a $1,000 gift card, even better!
best buy doyoushop
I also noticed that the page wanted to use extensive javascript and third party content, triggering an ESET Smart Security warning that a website was blocked which was trying to send me tracking cookies. I also notice the site used significant bandwidth trying to load all its goodies, presumably to enable the successful completion of my 3 questions to get the $1,000 gift card right? But surprise, after I completed the last question, I then had to enter my email, presumably to get the gift card. When I entered a fake email, I was then taken to a screen where I had to enter much more personal information, including my physical address, age, sex, and phone number. I also had to consent to being called by third parties about magazine subscriptions, etc:
best buy giftcard email
Once you click ‘continue’ you get the next screen:
best buy gift card address
At this point, I notice that the original password that was promised to unlock my video converter download never materialized. It seemed clear that this rabbit trail I was following would not likely end any time soon, so I exited the websites, and finished up this article, hoping this accounting of what happens if you take the bait would dissuade others from falling for similar scams. What’s the payoff for scammers? For some time now they have continually adapted their scam platforms to match new potential streams of traffic, and this is no exception. By gaining high search rankings through BlackHat SEO (BHSEO), every time a user clicks, their search popularity rankings, and associated ad revenue, goes up. Even if the user doesn’t fall for installing a “free premium .mp3 player” (laden with malware) or some such because they’re the “lucky one thousandthviewer” of the website, the scam website still makes money by cashing in on the traffic. And many users might be convinced to download a premium, java-based player, with free malware as a bonus. But to recount, this scam (so far) has attempted to send things that were blocked by ESET Smart Security, wanted to silently run questionable javascript on multiple pages, harvest my email address, along with physical address, age, sex, phone number, and get me to signify that I was over 18 years of age, and consent to the whole process. That doesn’t sound very close to free, it sounds like the beginning of a long string of nastiness. At that point, I went to my favorite reputable .mp3 vendor and purchased a great blues track from yesteryear for 99 cents, and decided to forego the personal information harvest “for free.”