For as long as I’ve been on the internet, I’ve been warned not to download anything without verifying it first, especially if it’s a program or executable. It’s as true today as it was back then, only the threats have intensified. For example, a modified version of the popular KeePass password manager has been spotted spreading ransomware.
Using an old trick, hackers have set up new sites with “squatter” URLs that look close enough to the genuine KeePass site at KeePass.info. On the fake sites, the interface mimics the genuine one to near perfection, offering downloads of the password manager. But according to an investigation by WithSecure, the hackers didn’t just serve up those fake sites as a way to deliver your typical malware. Nope, they modified the open-source KeePass program itself, then signed the package with the legitimate certificate to make it look real.
The infected version operates normally as a password manager, but behind the scenes it’s stealing your login and password info, installing the ransomware payload, and proliferating to any other compatible machines on your network. Once activated, affected machines are remotely encrypted, allowing the hackers to steal as much data as they want and anonymously extort you out of a ransom payment.
The faked KeePass programs were loaded up on multiple URLs that were basically typo versions of the real one. BleepingComputer reports that the fake sites were promoted using ads on Microsoft’s Bing search engine, the default for Windows and the Edge browser. This isn’t the first time that a search engine has struggled with malware being spread via paid advertisements. But it seems unreasonable to expect regular users to be wary of ads served up by such authoritative companies—the responsibility for due diligence should be on the people selling the ad space, who are apparently lacking in threat mitigation techniques.
At least one of the fake domains used in the campaign is still active at the time of this writing, nearly indistinguishable from the real thing. And to be perfectly honest with you, I think even a wary professional tech writer like myself would still be fooled, especially if I clicked on a don’t-call-it-a-search-result advertisement to get there.
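As an added example, not code from the article or from the KeePass project, here is a small Python check that applies the article's advice before running an installer: confirm the download host is the genuine keepass.info rather than a near-miss spelling, and compare the file's SHA-256 with the hash the project publishes. The sample installer bytes and the expected hash below are constructed stand-ins; a real check would paste the digest from keepass.info.

```python
import hashlib
from urllib.parse import urlparse

# Genuine KeePass download host named in the article.
GENUINE_HOST = "keepass.info"

# Constructed stand-ins: not a real KeePass build or a real published hash.
SAMPLE_INSTALLER = b"constructed sample installer bytes, not a real KeePass build"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(url: str, genuine: str = GENUINE_HOST, max_distance: int = 2) -> str:
    """Return 'genuine', 'lookalike' (a typo-distance away) or 'unrelated' for the URL's host."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host == genuine:
        return "genuine"
    if levenshtein(host, genuine) <= max_distance:
        return "lookalike"
    return "unrelated"


def verify_download(url: str, data: bytes, expected_sha256: str) -> dict:
    """Check both where the file came from and whether its hash matches the published one."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "host": classify_host(url),
        "sha256_ok": digest == expected_sha256.lower(),
        "sha256": digest,
    }


if __name__ == "__main__":
    print(verify_download("https://keepass.info/download.html", SAMPLE_INSTALLER, SAMPLE_SHA256))
    # A typo domain serving a modified build fails both checks.
    print(verify_download("https://keepasss.info/download.html", SAMPLE_INSTALLER + b"x", SAMPLE_SHA256))
```

A signature check alone would not have helped here, since the article notes the modified build was signed; the published hash and the exact domain are the two things a lookalike site cannot reproduce.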