Misleading advertising

Today we are going to be talking about advertising, specifically misleading advertising. Whether it’s on TV, on the internet, or in magazines and newspapers, you see misleading advertising all of the time, whether you realize it or not. So how do you spot it? That is one of the things we are going to cover here. Once you know what to look for, you’ll be able to spot it yourself, in most cases without having to look any further than the image in the advert.

Our first example of misleading advertising is an advert promoting a “Free Scan” that fails to mention it is only the scan that is free. In fact, you have to pay before it will fix anything it claims needs fixing. It should also be noted that in the vast majority of cases, most “problems” found are not problems at all. Registry cleaners are very fond of using this tactic to promote their products, as are so-called “system cleaners” such as SpeedUpMyPC.

[Image: SpeedUpMyPC]

Another example is an advert claiming a company’s service is “Only £17.50 per month”, while failing to point out the tiny print on the ad that requires a minimum 18-24 month contract. The advertising companies know you are highly unlikely to see the tiny print. In addition, by using white, non-bold text, they make it as hard to see as possible.

Indeed, a current Carphone Warehouse advert on TV offers a free “Galaxy tablet”. The catch is once again in the small print, which requires a 24-month contract. Whilst it tells you the deal comes with 100MB of data per month, it does not tell you that you are highly likely to use that 100MB within 1-2 days if you use sites like Facebook for anything more than the most basic of postings. You’ll definitely use it within 1-2 days if you do the usual browsing across various websites (most sites require and use very little data, on average less than 100K depending on the type of site, but it quickly adds up).

You’ll also see these misleading sites and adverts online every day, whether it’s a misleading download advert or a site pushing you to send an SMS. The advertisers know you either won’t, or likely won’t be able (without zooming in), to read the small print at the bottom of the page that actually informs you you’re signing up to recurring billing, paying immense interest, or even that your information is being sold to a third party.

Our next target is so-called “free software”. Don’t get me wrong, open source software that is also free is fantastic. However, the kind of software you download from high-traffic download websites like ‘Download.com’ tends to make revenue by advertising. This advertising might come in a form you are familiar with, like a pop-up or banner ad. What you need to watch out for, however, is the software that has something a little extra coming with it, which you’re highly likely to miss is included with your software – those lovely and infamous toolbars.

Take this for example, an advert for iLivid has 2 basic images embedded in it – “Download”, and “Play Now”.
[Image: iLivid_DownloadPlay_Advert.png]
What this advert does not tell you is:

- What you’re downloading.
- That “Play Now” isn’t “Play Now” – there’s a “required” download that isn’t required at all, and what you’re actually downloading is a download manager. A download manager that comes bundled with so much rubbish that your computer is going to hate you.

It gets worse however, when you click the advert, as you’re then presented with:
[Image: iLivid_Landing_Page.png]
This does tell you it’s from iLivid, but what it doesn’t tell you is that the image that looks like a Windows dialog box is actually just an image. So there’s no “click anywhere else to get rid of it” or “cancel, I didn’t want this”, and to make things worse, you’re also going to get a toolbar that’s completely unnecessary, and your homepage is going to be changed to searchnu.com or one of their other sites (depending on the installer used). Worse still, the installer also comes with yet more rubbish bundled (tested it myself before writing this), for example “Torch” (which is in fact just a re-branded Google Chrome); Google, Ask et al. are guilty of this too – seen an Adobe or Java installer recently? Not only will Torch be installed, but the installer will also set Torch as your default browser. Additionally, the installer drops two icons on the desktop:

- “Get the best Facebook chat messenger”

  In reality, this is a link to ftalk.com with the iLivid affiliate ID. You DO NOT need this to chat on Facebook, as those of you that use Facebook chat will already know, and you don’t want it either.

- “Play Free Games”

  In reality, this is a link to yet another installer, for yet more bundled rubbish, this time from Koyote Inc, for their “FantastiGames” (aka Free Ride Games). These “Free” games are not free at all, and you will quickly realize that the games are 100% adware. Adware is also something you DO NOT want on your computer, and neither do your ears if you have sound enabled, as they are multimedia ads with full sound and flashy images. Finally, this installer adds yet MORE icons to the desktop – 6 of them in fact, and none of them you actually want or need.

Can you prevent this?

Of course you can. Do you always take notice of every page of an installer? My bet is you don’t, and that’s also what most participating companies are betting on, because if you don’t take notice of the small print, then you’re definitely not going to bother reading those lovely End User License Agreements.

Whilst iLivid have cleaned up their act over the past 12 months (the inclusion of the “iLivid” name on the Download/Play Now advert was one of my requirements to remove their sites from the hpHosts blacklist), the additional installations of toolbars, browsers and rubbish software they spread are still elements of misleading behavior, and I have been trying to contact them about these issues for over 6 weeks now. It’s worth noting, however, that iLivid, believe it or not, are actually one of the more responsible companies when it comes to advertising – hard to believe given that, like many others, they employ misleading tactics such as the above. Take for example an advert recently found on Embed Upload:
[Image: EmbedUpload.com_Misleading_adverts.jpg]
See what’s wrong here? Well first and foremost, we’ve got the familiar “Download” and “Play” images embedded in the advert, but this one, doesn’t tell you who the advert is from, nor what you’re downloading. In actuality, you’re taken here (note: freedownloadofvideos.com is currently parked at the time of writing this):

dcb.freedownloadofvideos.com/download/video_downloader_ww/?line_item=4627373&banner=162230300&t202kw=3785570184

Via:

ad.yieldmanager.com/clk?3,eJytjd1qg0AQRp.GOwm6E3VFerFq.AFdGrAtelO22dVsqjHo0kafvhqkfYEevovhfMOMCZ7ABqotIfY1czjHhmcCc2ywDZcz3fA8D7s2NvcWOHqSBEPAMpce.eCYHciDeDIo2WhITtasPONHSz6Sa7HVQ6Vi8j9Y0b3cxnT9S5oQk9fmE.FL7.9uxelE45fv6uK3WXGwKEpVXkRtLk1J43LK3sq5CqOOzv45n8s5.7v.pOtnpW4aEA1FSxgfd6r96gSXbHfqu0WNSoPFv6vpJjQIZT2wTmjIXtQo51UB2HeEjcWN4qRkf12dBRgA.wAccGyH,

And it’s worth noting, Yield Manager features quite a lot in misleading adverts (but once again, are actually one of the better ad networks when it comes to misleading adverts – there are networks far, far worse).

I’ll not go into details, but needless to say, this comes with yet more bundled rubbish that you don’t want anywhere near your computer. Then there are these, found on sendspace.com amongst other places – see anything that tells you who the adverts are for, or what they are for?

Perhaps the link href for the advert at the top will tip you off:

hxxp://optimized.by.vitalads.net/click.php?b=1141&z=3&c=1286->hxxp://www.sq2trk2.com/click.track?CID=178129&AFID=213712&ADID=823280&SID=&AffiliateReferenceID=A%40MTozMTk0NTU2MjMxOjM6MTE0MToxMjg2OkdCOjM1NjA0NjQzODE

->->hxxp://pringotrack.com/redirector.php?r=http://lp.ilivid.com/?lpid=513&sysid=406&appid=157&subid=12_32646431_ed327937-1dd7-4053-b541-9abccfa7c1c5

->>> hxxp://lp.ilivid.com/?lpid=513&sysid=406&appid=157&subid=12_32646431_ed327937-1dd7-4053-b541-9abccfa7c1c5

Yep, these ads are for iLivid (and don’t worry, I’m already sending them another email about this).

There are also sites such as speedmaxpc.com, which have had several rather major issues as far as misleading marketing/advertising is concerned (and these are before we get to the extreme scare tactics they use in the software itself!). Take the following URL, which an advert on Cnet led to, and its landing page:
[Image: speedmaxpc_com.jpg]
hxxp://speedmaxpc.com/lp/spyware/?t202id=4122&t202kw=Malware&n=001&gclid=CKuqpvHyibQCFQzKtAodLXMAug

  1. Misleading and unethical tactics such as the use of “*Limited time offer – Ends on [date]” – you will notice of course, the date this allegedly ends, is the day you are visiting – you noticed that, yes?
  2. Misleading use of “Tested spyware free on [date]” – again you’ll notice, the date listed next to it, is the day you visited the site. Seeing a pattern yet? Of course – these dates are generated automatically, so it will always say the same day you are on the site.
  3. Misleading use of “Download Malware Removal Tool” – failing miserably to mention it is not free, but a demo.
  4. Misleading and highly unethical use of images from other websites, in their profile pictures, such as the one seen in the above screenshot.

There are, however, even worse players, and these do not just use traditional advertising, but also send lots and lots of spam that impersonates other businesses/sites or pushes links to fraudulent sites, or those that go one step further and compromise other websites. The following site, for example, was compromised (I dropped a note at the time of detection to the host and registrar, who had it cleaned up, and the owner was notified to get it secured) and had hundreds of folders placed onto it:

- swoffordenterprises.com

It also had a ton of files placed onto it, most just a redirect to the criminals’ websites, but one particular file was a shell that allowed the criminal to upload/delete/modify files on the site. Thanks to the host (HostGator), the site has had the malicious content removed and they are trying to contact the customer to get the domain secured.

In the case of this site, all roads led to one particular campaign known as “Online Consumer Tips” (aka “Daily Consumer Tips”, “Online Income Now”). This campaign employs thousands of sites, all involved in a work from home fraud. The campaign has connections to Russia, Ukraine and, courtesy of the primary registrar, China (though this connection is purely due to the registrar, BIZCN, being a known “bulletproof” or criminal-friendly registrar, and not because anyone involved is actually based in China).
[Image: online-inc-now_com.jpg]
Whilst we’re on the subject of SMS fraud, a friend in the US recently sent me a copy of an SMS she’d received, which reads:

“Antaun, I was in the news because I made $4785 last week online. Check it out: hxxp://www.thenews9report.com”

The site this points you to, redirects to workinghome5.com (this domain is also valid as workinghome[1-30].com), which looks like this:
[Image: workinghome5.com_Fraud.png]
Everything on this site, including the “Windows Live” button you see in the top right of the site’s header, leads to:

hxxp://workinghome5.com/go.php    ->hxxp://tracking.pctrck.com/aff_c?offer_id=20&aff_id=66->->hxxp://onlineincnow.com/2/?aff_sub=66

Recognize the domain you’re being led to? You should, I’ve just talked about it (look further up, I’ll wait for you).
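To make the tracing done by hand above (the sendspace.com chain and the workinghome5.com chain) repeatable, here is an added Python example; it is not part of the original post and not an hpHosts or Malwarebytes tool. It splits a chain on the “->” arrows as written in the article, refangs “hxxp://”, reports every host touched, the landing host and the affiliate/tracking parameters, and emits HOSTS-file lines of the kind hpHosts distributes. The two sample chains are copied from the article; the AFFILIATE_KEYS set is an assumption seeded from the parameter names visible in those chains.

```python
import re
from urllib.parse import urlparse, parse_qs

# Redirect chains exactly as written in the article: hops joined by "->",
# "->->" or "->>>", with "hxxp://" defanging. Both are copied from the post.
SENDSPACE_CHAIN = (
    "hxxp://optimized.by.vitalads.net/click.php?b=1141&z=3&c=1286"
    "->hxxp://www.sq2trk2.com/click.track?CID=178129&AFID=213712&ADID=823280&SID="
    "&AffiliateReferenceID=A%40MTozMTk0NTU2MjMxOjM6MTE0MToxMjg2OkdCOjM1NjA0NjQzODE"
    "->->hxxp://pringotrack.com/redirector.php?r=http://lp.ilivid.com/?lpid=513"
    "&sysid=406&appid=157&subid=12_32646431_ed327937-1dd7-4053-b541-9abccfa7c1c5"
    "->>> hxxp://lp.ilivid.com/?lpid=513&sysid=406&appid=157"
    "&subid=12_32646431_ed327937-1dd7-4053-b541-9abccfa7c1c5"
)
WORKINGHOME_CHAIN = (
    "hxxp://workinghome5.com/go.php    ->hxxp://tracking.pctrck.com/aff_c?offer_id=20"
    "&aff_id=66->->hxxp://onlineincnow.com/2/?aff_sub=66"
)

# Query keys that identify the advertiser/affiliate being paid for the click.
# ASSUMPTION for this example: seeded from the parameter names in the chains
# above; extend it for the ad networks you actually encounter.
AFFILIATE_KEYS = {
    "cid", "afid", "adid", "affiliatereferenceid", "aff_id", "aff_sub",
    "offer_id", "subid", "appid", "lpid", "sysid",
}

# One or more "->" / ">" arrows, with optional surrounding whitespace.
HOP_SEPARATOR = re.compile(r"\s*(?:->|>)+\s*")


def refang(url: str) -> str:
    """Restore the real scheme so urllib can parse a defanged 'hxxp://' URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def split_chain(chain: str) -> list[str]:
    """Break 'A->B->->C' into the individual hop URLs, refanged."""
    return [refang(hop) for hop in HOP_SEPARATOR.split(chain) if hop.strip()]


def describe_hop(url: str) -> dict:
    """Pull out the host, the affiliate tags and any URL carried in a parameter."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)
    tags = {k: v[0] for k, v in params.items() if k.lower() in AFFILIATE_KEYS}
    # Redirector hops (pringotrack's redirector.php?r=... above) carry the next
    # destination as a parameter value. That nested URL was not percent-encoded,
    # so a standard parser attributes everything after its first '&' to the
    # outer URL; the full tag set only shows up on the final hop.
    nested = [v[0] for v in params.values() if v[0].startswith(("http://", "https://"))]
    return {
        "host": parsed.hostname,
        "path": parsed.path,
        "affiliate_tags": tags,
        "nested_url": nested[0] if nested else None,
    }


def analyze_chain(chain: str) -> dict:
    """Summarise a chain: every host touched, the landing host, all affiliate tags."""
    hops = [describe_hop(url) for url in split_chain(chain)]
    tags = {}
    for hop in hops:
        tags.update(hop["affiliate_tags"])
    return {
        "hops": hops,
        "hosts": [hop["host"] for hop in hops],
        "landing_host": hops[-1]["host"],
        "affiliate_tags": tags,
    }


def hosts_file_lines(chain: str, sink: str = "0.0.0.0") -> list[str]:
    """HOSTS-file entries that sink every host in the chain, deduplicated and sorted."""
    return [f"{sink} {host}" for host in sorted(set(analyze_chain(chain)["hosts"]))]


if __name__ == "__main__":
    for chain in (SENDSPACE_CHAIN, WORKINGHOME_CHAIN):
        summary = analyze_chain(chain)
        print(" -> ".join(summary["hosts"]))
        print("  lands on:", summary["landing_host"])
        for key, value in summary["affiliate_tags"].items():
            print(f"  {key} = {value}")
        for hop in summary["hops"]:
            if hop["nested_url"]:
                print("  redirector parameter:", hop["nested_url"])
        print("\n".join(hosts_file_lines(chain)))
```

Run as a script it prints, for each chain, the hosts in order, the landing host, the affiliate tags (which is how you answer the article’s “who is this advert for?” question without clicking through), and the HOSTS lines you would add if you wanted those hosts sunk locally.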

So after this, ask yourself – can you now spot a misleading site/advert? No? Well okay then, how about we look at another scam that has been doing the rounds for well over a year, this time those lovely “you’ve won [product]” pages, otherwise known as “You [are/have been selected as] [today’s/this minute’s] winner”. These are highly popular with the rogue survey chaps and come in a variety of flavors. We will focus on just one, however, and see if you can identify the misleading and malicious intent:
[Image: ipad4u2use_com.jpg]
This leads when you click “Continue”, to:
[Image: MyRewardsCentre.uk_com.jpg]
What can you do to protect yourself against these tactics? Well, the first is to install an ad block utility or a HOSTS file such as hpHosts that blocks such sites so you will never see them in the first place. This however, will only protect you from those the blacklists and ad blockers know about and are able to block – the best protection is your ability to identify a scam from a mile away, before you even get to the second page in the above example.

The first site you land on, in this case, ipad4u2use.com, is a dead giveaway – there is no way anyone is going to give you an iPad, or anything else, for free. There is always a catch, and in this case, the catch is that you’ve got to fill in your email and other details (which results in you receiving more spam) and fill in surveys, just to find out that you are not going to get the iPad. All of this activity ultimately leads to, yes you’ve guessed – your inbox wanting to kill you.

Similar to these are file download sites such as fileice.net, filefire.org and cleanfiles.net etc., that require filling in surveys before you can download whatever is supposed to be there (sites such as these are popular with black hats). As before, not only is the catch the same as above, but the chances of your being able to download the file at all are slim to none, and if you’re lucky enough to download it, the chances of it not infecting your computer are slim to none (and this includes files they share with other black hats!).

If you ever need help identifying whether or not something is a scam, you can of course, ask. Whether it is a friend, relative, any one of the number of forums out there (security or otherwise, depending on what it is you need verifying), or me, I am always here to help.

* iLivid are also known as iMesh (iLivid is a product, rather than company), Bearshare, Bandoo amongst others

  • skilz853

    This happened to me quite a while ago, maybe a year or a bit longer.

    Don’t know if iYogi fits into this group or not, but whether they do or not, someone should take a close look at them.
    They used to have a good size banner at the top of Avast’s Support page.
    It offered free help for Avast users. I misread it, thinking it was Avast themselves and contacted them. 1st mistake.
    2nd mistake: allowing iYogi remote access to my PC (no one ever again!)
    Instead of fixing the issues I was having with Avast AV Pro, they proceeded to the Event Viewer trying to convince me I had major issues.(Everyone has errors, warnings in the Event Viewer)
    When I told them I knew that wasn’t a problem, they put their supervisor on my PC, to really convince me to pay them $200(guess don’t remember exact amt).
    I told him this was his unlucky day, as I was experienced enough to know his eyes were brown(think about this, and if you still don’t get it, I’ll tell ya with a BTW at the end :D)
    After getting them off my PC, it was acting weird and I suspected that they had installed some monitoring app or such while on my PC.
    Luckily, I use an app called RollBack Rx that replaces the unreliable System Restore, and thoroughly takes a snapshot of your current system and allows you almost instant return to before something you don’t want on your PC and resume where you were.
    I did a rollback with RBRx and all was well.
    Did not know this comment would be so long and I’m almost thru.

    UPDATE:

    iYogi has been removed from Avast’s Support page about 6-8 months ago(guess at time)

    BTW, eyes are brown is nice way to say they were full a $hit :D

    PS MBAM, I luv you guys and what you do :)

  • richards

    What a great site. Lots of valuable information.

  • rr3home

    Thank you for this great article, as I fell prey to INBOX home page about a year ago. It looked nice, had neat tool bars and other paid-for add-ons. Glad I didn’t spend any $ on it. About 4-6 wks later XP ran slow, would not page back, then FireFox was deleted, just gone. I finally realised I had malware, as the only search that would work was inbox. I started trying to delete inbox and its components; it would not let me, it wanted admin. priv. which I gave it, it would not accept it. I called my pc tech, who is a friend; he told me to download Malwarebytes and run it. Well guys, long story short, you found and quarantined the problem. Those dirt bags had hid their stuff in four different places, sort of like the Easter bunny. Now I have your pro version, money well spent, as you have stopped things a number of times. Thank You again. Rod

  • Steven Burn

    Thank you for the comments guys, and glad you liked the article.

  • alanalee

    This is a very useful article for those of us that aren’t virologists(?). May I share your article on Google + ?

  • http://www.facebook.com/antoin.wong Antoin Wong

    I must add, for those Google Chrome users such as me: there is an ad targeted towards you when you use Google or YouTube that says “oops” and depicts a crash and tries to get you to download a “plugin”. The issue can be solved by inspecting the element and breaking its node, but it must be done every time you refresh and/or go to another page.

  • Steven Burn

    @alanalee, please feel free to share it with anyone you like, and sorry for the delay in replying.

    @Antoin, please feel free to drop me a line if you identify the offending URLs (you can use either Wireshark or Fiddler to ID the URLs).

  • Pingback: Work-at-home, get-rich-quick schemes and Facebook | Malwarebytes Unpacked

  • Pingback: Work at Home Scams: Leveraging Facebook’s Contact Lists For Better Results | Grinnell Computers – Computer Networks, Cabling, Computer Repair, Phone Systems

  • Pingback: Work at Home Scams | Cybertreneurs

  • Pingback: Work at Home Scams: Leveraging Facebook’s Contact Lists For Better Results | James M. Meadows Jr.

  • https://www.facebook.com/glynn.theg Glynn Theg

    I have been a consultant for 20+ years, even if I don’t work anymore (disabled), but I am usually pretty aware and I know that Google has been stinging folks for a while now, if just by not paying attention to who is bundling with their products. WATCH out for Google Earth. Make absolutely sure you go to the Google site and then locate their download link. We got stung with a crapload of PUPs, real crap too, PLUS a so far unidentified Trojan. The Trojan literally killed the ASUS M3A-VM board. Once we have the new board I will isolate the drive and check it to find the culprit. This is a bad one. I should have been more aware. I used Google to search the download and when Norton complained (it caught it using heuristics), I shut it off because I am sooooo smart. Anyway it seems to have attacked the BIOS, it was an ugly slow death and I had to literally pull the power from the PS input to kill it. I bet I will find a hidden partition on the HD too. Whatever. … Folks no matter how smart you think you are … KEEP your Jimmy hat on!! Better safe than sorry. (374.00US sorry too)

    - MrOldGamer -
    Glynn Theg
    Knoxville TN
