Re: [GNC-dev] URGENT: Fake gnucash website with fake download, most likely compromised file

2022-12-09 Thread Andrew Ruthven
Hey,

This IP is assigned to Cloudflare:

puck@dirk:~$ whois 2606:4700:3030::6815:5f93
...
NetRange: 2606:4700:: - 2606:4700::::::
CIDR: 2606:4700::/32
NetName: CLOUDFLARENET
NetHandle: NET6-2606-4700-1
Parent: NET6-2600 (NET6-2600-1)
NetType: Direct Allocation
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2011-11-01
Updated: 2017-02-17
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/ip/2606:4700::
...

Cheers,
Andrew

On Fri, 2022-12-09 at 17:53 -0600, David Carlson wrote:
> Mystery deepens!  When I tried to open this fake website it was not
> available in Tor browser but pinging it revealed a response from IPv6
> address 2606:4700:3030::6815:5f93.  That IP does not seem to be registered.
> 
> On Fri, Dec 9, 2022 at 5:40 PM Vincent Dawans wrote:
> 
> > Added screenshot showing fake gnucash site ad at top of google results.
> > 
> > On Fri, Dec 9, 2022 at 3:31 PM Vincent Dawans wrote:
> > 
> > > Precision: the link to the fake site reported below is actually
> > > https://gnu-cash.org/main.php -- you need the full page link to see the
> > > fake site that shows in the google ad.
> > > 
> > > On Fri, Dec 9, 2022 at 3:24 PM Vincent Dawans wrote:
> > > 
> > > > I just typed gnucash in google and the first hit was an ad pointing to
> > > > gnu-cash.org (with a dash). It is a fake site that is a carbon copy of
> > > > the official site but the download link goes to a setup.exe that is most
> > > > likely a corrupted virus file.
> > > > 
> > > > We need this removed ASAP. There is an option in google to report the
> > > > site and mark it as spam/phishing. I imagine if more people do this it will
> > > > get removed faster hopefully.

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud: | This space intentionally left blank
https://catalystcloud.nz |

___
gnucash-devel mailing list
gnucash-devel@gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-devel


Re: [GNC-dev] URGENT: Fake gnucash website with fake download, most likely compromised file

2022-12-09 Thread Andrew Ruthven
The domain is registered with webnic.cc, but all the registrar details
are hidden:

puck@dirk:~$ whois gnu-cash.org
Domain Name: gnu-cash.org
Registry Domain ID: 9a42474dfe5d4a8e9e50e0c56e101812-LROR
Registrar WHOIS Server: https://iwhois.webnic.cc
Registrar URL: https://www.webnic.cc/
Updated Date: 2022-10-25T22:39:36Z
Creation Date: 2022-10-20T22:39:13Z
Registry Expiry Date: 2023-10-20T22:39:13Z
Registrar: Web Commerce Communications Limited dba WebNic.cc
Registrar IANA ID: 460
Registrar Abuse Contact Email: compliance_ab...@webnic.cc
Registrar Abuse Contact Phone: +603.89966799
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
...

Perhaps an abuse report to the above email address?

Cheers,
Andrew

On Sat, 2022-12-10 at 12:59 +1300, Andrew Ruthven wrote:
> Hey,
> 
> This IP is assigned to Cloudflare:
> 
> puck@dirk:~$ whois 2606:4700:3030::6815:5f93
> ...
> NetRange: 2606:4700:: - 2606:4700::::::
> CIDR: 2606:4700::/32
> NetName: CLOUDFLARENET
> NetHandle: NET6-2606-4700-1
> Parent: NET6-2600 (NET6-2600-1)
> NetType: Direct Allocation
> OriginAS: AS13335
> Organization: Cloudflare, Inc. (CLOUD14)
> RegDate: 2011-11-01
> Updated: 2017-02-17
> Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
> Ref: https://rdap.arin.net/registry/ip/2606:4700::
> ...
> 
> Cheers,
> Andrew
> 
> On Fri, 2022-12-09 at 17:53 -0600, David Carlson wrote:
> > Mystery deepens!  When I tried to open this fake website it was not
> > available in Tor browser but pinging it revealed a response from IPv6
> > address 2606:4700:3030::6815:5f93.  That IP does not seem to be registered.
> > 
> > On Fri, Dec 9, 2022 at 5:40 PM Vincent Dawans wrote:
> > 
> > > Added screenshot showing fake gnucash site ad at top of google results.
> > > 
> > > On Fri, Dec 9, 2022 at 3:31 PM Vincent Dawans wrote:
> > > 
> > > > Precision: the link to the fake site reported below is actually
> > > > https://gnu-cash.org/main.php -- you need the full page link to see the
> > > > fake site that shows in the google ad.
> > > > 
> > > > On Fri, Dec 9, 2022 at 3:24 PM Vincent Dawans wrote:
> > > > 
> > > > > I just typed gnucash in google and the first hit was an ad pointing to
> > > > > gnu-cash.org (with a dash). It is a fake site that is a carbon copy of
> > > > > the official site but the download link goes to a setup.exe that is most
> > > > > likely a corrupted virus file.
> > > > > 
> > > > > We need this removed ASAP. There is an option in google to report the
> > > > > site and mark it as spam/phishing. I imagine if more people do this it will
> > > > > get removed faster hopefully.
> > > > > 
> > > > 
> > > ___
> > > gnucash-devel mailing list
> > > gnucash-devel@gnucash.org
> > > https://lists.gnucash.org/mailman/listinfo/gnucash-devel
> > > 
> > 
> > 
> 

-- 
Andrew Ruthven, Wellington, New Zealand
and...@etc.gen.nz |
Catalyst Cloud: | This space intentionally left blank
https://catalystcloud.nz |



Re: [GNC-dev] URGENT: Fake gnucash website with fake download, most likely compromised file

2022-12-09 Thread Craig Arno
Seems like this information could be used to report and pull the 
gnu-cash.org domain:


Domain Name: gnu-cash.org
Registry Domain ID: 9a42474dfe5d4a8e9e50e0c56e101812-LROR
Registrar WHOIS Server: https://iwhois.webnic.cc
Registrar URL: https://www.webnic.cc/
Updated Date: 2022-10-25T22:39:36Z
Creation Date: 2022-10-20T22:39:13Z
Registry Expiry Date: 2023-10-20T22:39:13Z
Registrar: Web Commerce Communications Limited dba WebNic.cc
Registrar IANA ID: 460
Registrar Abuse Contact Email: *compliance_ab...@webnic.cc*
Registrar Abuse Contact Phone: *+603.89966799*
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited

Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: unknown
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Berlin
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: DE
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of 
Record identified in this output for information on how to contact the 
Registrant, Admin, or Tech contact of the queried domain name.

Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record 
identified in this output for information on how to contact the 
Registrant, Admin, or Tech contact of the queried domain name.

Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please query the RDDS service of the Registrar of Record 
identified in this output for information on how to contact the 
Registrant, Admin, or Tech contact of the queried domain name.

Name Server: eva.ns.cloudflare.com
Name Server: osmar.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: 
https://www.icann.org/wicf/

>>> Last update of WHOIS database: 2022-12-10T00:19:57Z <<<

For more information on Whois status codes, please visit 
https://icann.org/epp




On 12/9/2022 4:07 PM, Vincent Dawans wrote:

> OK sorry for the flood of email but as of 4:05PM US Pacific time the ad is
> no longer showing for me either. So possibly already removed via my report
> and others. As for the actual site there is nothing we can do, the
> important thing is that it doesn't show up on Google. No trace of it on
> Bing either. So I think we are good for now.
>
> On Fri, Dec 9, 2022 at 4:02 PM Vincent Dawans wrote:
>
>> You need to go to the main.php page link to see the fake site. Full link
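
The triage this message and the earlier WHOIS lookups point at, as an added example (not code from the thread or from the GnuCash project): parse the WHOIS record, confirm the name is a hyphen lookalike of gnucash.org, compute its age, and collect the abuse channels the thread names. The WHOIS text is a constructed subset of the record quoted above; the function names, the name-server suffix mapping and the report date are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: a subset of the WHOIS lines quoted in this thread.
# The abuse e-mail stays as the list archive shows it (partly masked).
WHOIS_TEXT = """\
Domain Name: gnu-cash.org
Creation Date: 2022-10-20T22:39:13Z
Registrar Abuse Contact Email: compliance_ab...@webnic.cc
Name Server: eva.ns.cloudflare.com
Name Server: osmar.ns.cloudflare.com
>>> Last update of WHOIS database: 2022-12-10T00:19:57Z <<<
"""

# Abuse URLs are the ones given in the thread; the suffix mapping is this example's assumption.
PROVIDER_ABUSE = {".ns.cloudflare.com": "https://www.cloudflare.com/abuse"}
SAFE_BROWSING = "https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en"


def parse_whois(text):
    """Parse 'Key: value' lines; repeated keys (e.g. Name Server) accumulate in a list."""
    record = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ": " not in line:
            continue  # skip the database footer and blank or wrapped lines
        key, value = line.split(": ", 1)
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def is_lookalike(candidate, official):
    """True when the names differ only by hyphens (gnu-cash.org vs gnucash.org)."""
    def squash(name):
        return name.lower().rstrip(".").replace("-", "")
    return squash(candidate) == squash(official) and candidate.lower() != official.lower()


def triage(text, official, reported_on):
    """Summarise what an abuse report needs: lookalike status, age, where to send it."""
    rec = parse_whois(text)
    domain = rec["Domain Name"][0]
    created = datetime.strptime(rec["Creation Date"][0], "%Y-%m-%dT%H:%M:%SZ")
    created = created.replace(tzinfo=timezone.utc)
    channels = list(rec.get("Registrar Abuse Contact Email", []))
    for ns in rec.get("Name Server", []):
        for suffix, url in PROVIDER_ABUSE.items():
            if ns.lower().endswith(suffix) and url not in channels:
                channels.append(url)  # the CDN in front of the site gets a report too
    channels.append(SAFE_BROWSING)
    return {
        "domain": domain,
        "lookalike": is_lookalike(domain, official),
        "age_days": (reported_on - created).days,
        "report_to": channels,
    }


if __name__ == "__main__":
    reported = datetime(2022, 12, 10, tzinfo=timezone.utc)  # assumed report time
    print(triage(WHOIS_TEXT, "gnucash.org", reported))
```

A registration only weeks old on a name that differs from the official one by a hyphen is the pattern worth putting at the top of the report sent to each channel.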

Re: [GNC-dev] URGENT: Fake gnucash website with fake download, most likely compromised file

2022-12-09 Thread Vincent Dawans
OK sorry for the flood of email but as of 4:05PM US Pacific time the ad is
no longer showing for me either. So possibly already removed via my report
and others. As for the actual site there is nothing we can do, the
important thing is that it doesn't show up on Google. No trace of it on
Bing either. So I think we are good for now.

On Fri, Dec 9, 2022 at 4:02 PM Vincent Dawans  wrote:

> You need to go to the main.php page link to see the fake site. Full link
> is https://gnu-cash.org/main.php or possibly
> https://www.gnu-cash.org/main.php
>
> Google ads are location and search history dependent so might not show up
> everywhere.
>
> Google has a separate tool to report phishing sites. But make sure you
> report the whole URL with the main.php
> https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
>
> That said the https://gnu-cash.org/main.php doesn't seem to work in
> incognito mode nor on Microsoft Edge. Only on regular Chrome does it open. I
> don't have another browser installed so can't test.
>
> On Fri, Dec 9, 2022 at 3:51 PM John Ralls  wrote:
>
>> I don't see that ad when I search Google for gnucash; when I type
>> https://www.gnu-cash.org/ into my browser's address bar I'm taken to a
>> page titled "Dot Com Inovations"[sic] with a heading "October 20, 2022" and
>> nothing at all about GnuCash.
>>
>> Not that there would be anything we could do about it if it did exist.
>>
>> Regards,
>> John Ralls
>>
>>
>> > On Dec 9, 2022, at 3:39 PM, Vincent Dawans  wrote:
>> >
>> > Added screenshot showing fake gnucash site ad at top of google results.
>> >
>> > On Fri, Dec 9, 2022 at 3:31 PM Vincent Dawans wrote:
>> >
>> >> Precision: the link to the fake site reported below is actually
>> >> https://gnu-cash.org/main.php -- you need the full page link to see the
>> >> fake site that shows in the google ad.
>> >>
>> >> On Fri, Dec 9, 2022 at 3:24 PM Vincent Dawans wrote:
>> >>
>> >>> I just typed gnucash in google and the first hit was an ad pointing to
>> >>> gnu-cash.org (with a dash). It is a fake site that is a carbon copy of
>> >>> the official site but the download link goes to a setup.exe that is most
>> >>> likely a corrupted virus file.
>> >>>
>> >>> We need this removed ASAP. There is an option in google to report the
>> >>> site and mark it as spam/phishing. I imagine if more people do this it will
>> >>> get removed faster hopefully.


Re: [GNC-dev] URGENT: Fake gnucash website with fake download, most likely compromised file

2022-12-09 Thread Vincent Dawans
You need to go to the main.php page link to see the fake site. Full link is
https://gnu-cash.org/main.php or possibly  https://www.gnu-cash.org/main.php

Google ads are location and search history dependent so might not show up
everywhere.

Google has a separate tool to report phishing sites. But make sure you
report the whole URL with the main.php
https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

That said the https://gnu-cash.org/main.php doesn't seem to work in
incognito mode nor on Microsoft Edge. Only on regular Chrome does it open. I
don't have another browser installed so can't test.

On Fri, Dec 9, 2022 at 3:51 PM John Ralls  wrote:

> I don't see that ad when I search Google for gnucash; when I type
> https://www.gnu-cash.org/ into my browser's address bar I'm taken to a
> page titled "Dot Com Inovations"[sic] with a heading "October 20, 2022" and
> nothing at all about GnuCash.
>
> Not that there would be anything we could do about it if it did exist.
>
> Regards,
> John Ralls
>
>
> > On Dec 9, 2022, at 3:39 PM, Vincent Dawans  wrote:
> >
> > Added screenshot showing fake gnucash site ad at top of google results.
> >
> > On Fri, Dec 9, 2022 at 3:31 PM Vincent Dawans  wrote:
> >
> >> Precision: the link to the fake site reported below is actually
> >> https://gnu-cash.org/main.php -- you need the full page link to see the
> >> fake site that shows in the google ad.
> >>
> >> On Fri, Dec 9, 2022 at 3:24 PM Vincent Dawans wrote:
> >>
> >>> I just typed gnucash in google and the first hit was an ad pointing to
> >>> gnu-cash.org (with a dash). It is a fake site that is a carbon copy of
> >>> the official site but the download link goes to a setup.exe that is most
> >>> likely a corrupted virus file.
> >>>
> >>> We need this removed ASAP. There is an option in google to report the
> >>> site and mark it as spam/phishing. I imagine if more people do this it will
> >>> get removed faster hopefully.


Re: [GNC-dev] URGENT: Fake gnucash website with fake download, most likely compromised file

2022-12-09 Thread David Carlson
Mystery deepens!  When I tried to open this fake website it was not
available in Tor browser but pinging it revealed a response from IPv6
address 2606:4700:3030::6815:5f93.  That IP does not seem to be registered.

On Fri, Dec 9, 2022 at 5:40 PM Vincent Dawans  wrote:

> Added screenshot showing fake gnucash site ad at top of google results.
>
> On Fri, Dec 9, 2022 at 3:31 PM Vincent Dawans  wrote:
>
> > Precision: the link to the fake site reported below is actually
> > https://gnu-cash.org/main.php -- you need the full page link to see the
> > fake site that shows in the google ad.
> >
> > On Fri, Dec 9, 2022 at 3:24 PM Vincent Dawans  wrote:
> >
> >> I just typed gnucash in google and the first hit was an ad pointing to
> >> gnu-cash.org (with a dash). It is a fake site that is a carbon copy of
> >> the official site but the download link goes to a setup.exe that is most
> >> likely a corrupted virus file.
> >>
> >> We need this removed ASAP. There is an option in google to report the
> >> site and mark it as spam/phishing. I imagine if more people do this it will
> >> get removed faster hopefully.


-- 
David Carlson


Re: [GNC-dev] URGENT: Fake gnucash website with fake download, most likely compromised file

2022-12-09 Thread John Ralls
I don't see that ad when I search Google for gnucash; when I type 
https://www.gnu-cash.org/ into my browser's address bar I'm taken to a page 
titled "Dot Com Inovations"[sic] with a heading "October 20, 2022" and nothing 
at all about GnuCash.

Not that there would be anything we could do about it if it did exist.

Regards,
John Ralls


> On Dec 9, 2022, at 3:39 PM, Vincent Dawans  wrote:
> 
> Added screenshot showing fake gnucash site ad at top of google results.
> 
> On Fri, Dec 9, 2022 at 3:31 PM Vincent Dawans  wrote:
> 
>> Precision: the link to the fake site reported below is actually
>> https://gnu-cash.org/main.php -- you need the full page link to see the
>> fake site that shows in the google ad.
>> 
>> On Fri, Dec 9, 2022 at 3:24 PM Vincent Dawans  wrote:
>> 
>>> I just typed gnucash in google and the first hit was an ad pointing to
>>> gnu-cash.org (with a dash). It is a fake site that is a carbon copy of
>>> the official site but the download link goes to a setup.exe that is most
>>> likely a corrupted virus file.
>>> 
>>> We need this removed ASAP. There is an option in google to report the
>>> site and mark it as spam/phishing. I imagine if more people do this it will
>>> get removed faster hopefully.
