
Have I got phished?

I tried to download Rufus to create a bootable USB for Windows.

 

So I typed rufus into my browser (I use DuckDuckGo search) and the first result was this, which I used:

 


 

not noticing that it's rufuse.org.

 

The download links on this website don't work; I did not get any download prompt, and that's when I noticed the domain name... also, the download links point to rufuse.org/download.php

 

Checking WHOIS, I only got this result:

 


 

 

After a 2nd search, which was also just "rufus", the legit website came up in 1st place, for some reason:

 


 

And the download links go to GitHub and actually work, and WHOIS shows normal info:

 


3 minutes ago, TechlessBro said:

You autocorrected the DNS search.

Not sure what you mean.


Looks like attempted malvertising and/or a website clone being set up and prepared for malvertising. It's been on the rise lately.

 


No, you've not been phished, but I would scan for malware just to be 100% safe; even if nothing downloaded, it could host a drive-by exploit of some kind.


rufuse.org is the scam site. I also saw it, but I got confused and downloaded Etcher. Btw, that is the first search result in Bing too, but the top link is replaced with a chat page with the genuine link.


Yes, that's a malicious website impersonating rufus. It's also flagged in virustotal.

 

12 minutes ago, WereCat said:

The download links on this website don't work; I did not get any download prompt, and that's when I noticed the domain name... also, the download links point to rufuse.org/download.php

Are you sure it didn't download anything? Do you use an antivirus software that might have blocked it when you tried to download?

 

Since you were trying to look it up: the domain was registered 2 months ago. All other information is "Redacted for privacy".

WHOIS registration date: 2023-01-09
WHOIS last update date: 2023-01-14
WHOIS renew date: 2024-01-09
 

Domain Name: rufuse.org
Registry Domain ID: ecea5df323354f42968870e1d57b7d53-LROR
Registrar WHOIS Server: https://rdapserver.net/
Registrar URL: http://www.hostinger.com
Updated Date: 2023-01-14T17:14:03Z
Creation Date: 2023-01-09T17:13:47Z
Registry Expiry Date: 2024-01-09T17:13:47Z
Registrar: Hostinger, UAB
Registrar IANA ID: 1636
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC (PrivacyProtect.org)
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: MA
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: ns1.ddos-guard.net
Name Server: ns2.ddos-guard.net
Name Server: ns3.ddos-guard.net
Name Server: ns4.ddos-guard.net
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2023-03-24T11:15:15Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

 

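The domain-age check Spotty does by hand can be scripted. This is an added example, not code from the thread: it parses the quoted WHOIS record (trimmed to the fields it reads) and reports the weak signals a defender would weigh together; the 180-day threshold and the trimmed record are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of the WHOIS record quoted above (hypothetical trimming;
# only the fields the checks below read are kept).
WHOIS_TEXT = """\
Domain Name: rufuse.org
Creation Date: 2023-01-09T17:13:47Z
Registry Expiry Date: 2024-01-09T17:13:47Z
Registrant Name: REDACTED FOR PRIVACY
Name Server: ns1.ddos-guard.net
Name Server: ns2.ddos-guard.net
DNSSEC: unsigned
>>> Last update of WHOIS database: 2023-03-24T11:15:15Z <<<
"""

_FIELD = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")

def parse_whois(text):
    """Turn 'Key: Value' lines into a dict; a repeated key (Name Server) becomes a list."""
    record = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue  # banner lines such as '>>> Last update ...' are skipped
        key, value = m.group(1), m.group(2).strip()
        if key in record:
            record[key] = ([record[key]] if isinstance(record[key], str) else record[key]) + [value]
        else:
            record[key] = value
    return record

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def domain_risk_signals(record, seen_on, min_age_days=180):
    """Return (age_in_days, signals); seen_on is the visit time in WHOIS timestamp format."""
    created, expires = _ts(record["Creation Date"]), _ts(record["Registry Expiry Date"])
    age = (_ts(seen_on) - created).days
    signals = []
    if age < min_age_days:
        signals.append(f"registered only {age} days before the visit")
    if (expires - created).days <= 366:
        signals.append("bought for the minimum one-year term")
    if "REDACTED" in record.get("Registrant Name", "").upper():
        signals.append("registrant identity redacted")  # normal since GDPR; weak alone
    return age, signals
```

Each signal is common on legitimate domains too; a days-old registration carrying all of them is what makes a look-alike stand out.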

Just now, Flangvik said:

Looks like attempted malvertising and/or a website clone being set up and prepared for malvertising. It's been on the rise lately.

 

I know about this, that's why I use adblock and DuckDuckGo, but this is the 1st time that I've seen this, and the behaviour of the search. If I keep searching for "rufus" the search results keep changing, and both of these websites keep appearing and disappearing in 1st place.


Just now, Spotty said:

Yes, that's a malicious website impersonating rufus. It's also flagged in virustotal.

 

Are you sure it didn't download anything? Do you use an antivirus software that might have blocked it when you tried to download?


No I'm not. I just got no download prompt from the browser. Running deep scan from Malwarebytes right now.


Just now, WereCat said:

I know about this, that's why I use adblock and DuckDuckGo, but this is the 1st time that I've seen this, and the behaviour of the search. If I keep searching for "rufus" the search results keep changing, and both of these websites keep appearing and disappearing in 1st place.

As Spotty said, if you never got served any files / never executed anything, you should be all good 🙂


A reverse lookup of that site's IP address brings up a bunch of other sketchy-sounding websites.

 

Do a full system scan with a tool like MalwareBytes just to be safe, but you're probably okay as long as you didn't download anything.


@Spotty @Needfuldoer


 

Well, I hope it's all right then. I mean, I was about to reinstall Windows anyway, but this scared the bejesus out of me. Apparently a .php is server side, so I should be fine as long as I did not get served anything and run it, if I understand it correctly.


Yeah, if you didn't enter any creds or actually get served a file, you should be good.

 

Zero-click drive-bys exist but it's typically not something a fake site like this can afford...


1 hour ago, Gokul_P said:

rufuse.org is the scam site. I also saw it, but I got confused and downloaded Etcher. Btw, that is the first search result in Bing too, but the top link is replaced with a chat page with the genuine link.


The issue is that botnets are promoting those fake websites in search results across a large number of search engines.

For example when you search for a PS4 emulator the first result should be Orbital (A legitimate PS4 emulator), but instead the first results are all malicious.


Generally, with these sites impersonating popular software, they operate by having a victim download and run a malware program disguised as the legitimate program. Then, when the victim runs that program, the malware can do whatever it does, whether it's stealing data, installing other malware, stealing browser session tokens, ransomware, etc.

 

One possibility is that they're targeting certain people or regions and locking out others from accessing the malicious download. For example, the download link might only work if the victim is using a US-based IP address or a certain web browser, and anybody else who clicks on it might just get a dead link. That php page might be checking those details and then redirecting to the malware download if you meet their criteria. Because php runs on the server side, I don't think there's really an easy way to see exactly what it's doing.

I don't know enough about these types of attacks - or php specifically - to speculate more on what might be happening or what sort of threat there is just by visiting the site. Like Kilrah mentioned I think the risk of being infected just by visiting the site is pretty low.

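Added example (not code from the thread) for the look-alike domain the OP noticed and the GitHub-vs-download.php difference discussed above: a small check that flags a download URL whose host sits within edit distance 2 of a trusted project domain. The allowlist is an assumption: rufus.ie (Rufus's real site, not named in the thread) and github.com, where the thread says the working links point.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the project's real domain plus the release host the
# thread mentions. Adjust for the software you are actually downloading.
KNOWN_GOOD = {"rufus.ie", "github.com"}

def levenshtein(a, b):
    """Edit distance, used to catch one-letter typosquats like rufus -> rufuse."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host):
    """Second-level label ('rufuse.org' -> 'rufuse'); naive, ignores the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_trusted(host, known=KNOWN_GOOD):
    """True for an allowlisted domain or any subdomain of one."""
    host = host.lower()
    return any(host == g or host.endswith("." + g) for g in known)

def lookalike_of(host, known=KNOWN_GOOD, max_distance=2):
    """Return the trusted domain that `host` resembles, or None."""
    if is_trusted(host, known):
        return None
    label = registrable_label(host)
    for good in sorted(known):
        d = levenshtein(label, registrable_label(good))
        if 0 < d <= max_distance:
            return good
    return None

def classify_download(url):
    """'trusted', 'lookalike of <domain>', or 'unknown' for a download URL's host."""
    host = (urlsplit(url).hostname or "").lower()
    if is_trusted(host):
        return "trusted"
    target = lookalike_of(host)
    return f"lookalike of {target}" if target else "unknown"
```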
