Just to show you that behind some PUPs there are threat actors that are too lazy to be bothered, we offer you a fake online scanner that was used to promote the infamous MacKeeper and a Windows system optimizer called Advance-System-Care.
WindowsThe redirect scheme on a Windows machine looked like this.
From a compromised website we were re-directed to systemcheck[.]club where we got this popup:
Clicking “OK” offered to start an online scan -
-which claimed to find a HIGH risk virus:
Thankfully these helpful people knew just the tool to remove this virus from our PC and brought us to www[.]advancepctools[.]info:
Here we installed Advance-System-Care which did not find the virus, but nevertheless had some very important tips on how to improve the system’s performance.
Pro tip: that phone number will not work as there is a format error in it.That Advance-System-Care did not find the alleged virus is not surprising as Tapsnake is an Android infection that doesn't work on Windows machines.
One other thing that did puzzle me, was that I also got this prompt while visiting the systemcheck[.]club site:
A Windows Internet Explorer prompt letting me know that: “VIRUS FOUND. It is necessary repair your Mac. Please do not leave the page. Click OK to begin the repair process.”But when I showed this to our Mac researchers they had a very plausible explanation for this. Exactly the same fake scan is used to push MacKeeper on Mac systems.
MacMy colleague @thomasareed recorded the proceedings on a Mac system, leading to the install of MacKeeper:
https://www.youtube.com/watch?v=BjUhGJFnrwY As you can see the scan and the scan-results are exactly the same. Only MacKeeper is consistent by finding the same threat (Tapsnake) on the system.
ConclusionAlthough this setup seems to be designed for Mac users, it must have been considered a waste to not do anything with the Windows users that got sucked in. So a redirect was designed to provide a PUP system optimizer for these users.
Detection and protectionThe site hosting the fake scanner and all the next steps in the redirection chain are blocked by Malwarebytes Premium Web Protection module.
The installer for Advance-System-Care is detected as PUP.Optional.AdvanceSystemCare
Malwarebytes removes Advance-System-Care completely. A removal guide for Advance-System-Care can be found on our forums.