A few months ago, we warned that malevolent people were buying Google ads leading people to fake #GIMP websites to trick them into downloading malware.
Apparently this is still continuing to this day (as was reported to us). Google is still not blocking these fake ads despite the many reports and articles that have been appearing for months now. 😓

Be careful and always make sure where you download your software from. Also the GIMP project doesn't buy ads!

https://floss.social/@mithrandir@defcon.social/109773987578181949

mithrandir (@mithrandir@defcon.social)

More malware from malicious Google ads. gemmp[.]shop and gliimp[.]click redirect to gilmp[.]org where gimp-2.10.32-setupx32x64.zip is downloaded from cdn.discordapp.com. After removing the excessive padding from the download, uploaded the exe to VirusTotal - going to dig into it a bit more later. https://www.virustotal.com/gui/file/6262cff03c465550e501f1f15c942d641a1a79edc4d52286abd8158a53aef220/detection #malvertising #malware #intel #gimp


@GIMP This feels like it's important enough to boost.

(I got my #GIMP from the #ArchLinux #pacman repository. I'm pretty sure that's safe.)

@probablyjohnfunk Yeah, Linux repository packagers usually know better than to use random ad websites, and they also normally build from source.

@GIMP @probablyjohnfunk Similarly, on Windows I install with "winget install GIMP.GIMP", which installs with a file from download.gimp.org.

Winget is still downloading installers from the developers' websites, but at least every version update goes through a GitHub PR review process (including a required malware scan, I believe), which I figure is more reliable for avoiding malware than relying on a search engine (and my own eye for identifying fake sites) to show me the correct download page.

@GIMP

Warns that malicious ads promising a GIMP download actually infect users with malware.

And Google does nothing to prevent it.

@GIMP

It doesn't help that many people can't distinguish between these sponsored ads and the real search results, even in tech world. And that is by design.

Google, shame, shame on you!

@GIMP I don’t understand who the main target for this is. You have to be knowledgeable enough to know what GIMP is, but fool enough to not recognize a scam or phishing website? I guess enough people are falling for it to make it worth their while?

@austincnunn GIMP is known by many people, even those who have no idea what Free Software is.
Last I had access to reliable download numbers (that was a few years ago), we had about 50 thousand downloads a day of the Windows installer alone. I.e. people going to our website and clicking the download button.
If attackers can get just a tiny percent of these downloads through ads, it will still be a lot.

Also, phishing websites are perfect copies of ours (except for the installer, which is malware).

@GIMP The download numbers are always misleading. Do you have a rough active-install number? (not doubting anything else you said, just curious now)
@austincnunn We certainly don't gather such stats. We are not a data-based business (nor a business at all) and don't gather live data.
This being said, now that GIMP is also (since recently) on the Microsoft Store (a very tiny percentage of our Windows downloads), an "active devices" stat on their platform says 365,595 in the previous month (though I have no idea what these stats are based on; as said, we have no stats-gathering code in GIMP itself, so where does Microsoft get "active devices" stats?).
@austincnunn Considering it's a very small percentage of our downloads, feel free to extrapolate from there (though I wouldn't personally extrapolate with too much details without knowing where Microsoft gathers such numbers, as said above, so I would just say "roughly a lot").
@GIMP Numbers make sense. Thanks for chatting. :)

@GIMP
Best case, they could just be counting the number of requests made to their update servers for each Store app.

Worst case, Windows could be regularly sending detailed telemetry on application usage in general.

Given Microsoft's data-rapacious business model, I suspect the latter is closer to reality.
@austincnunn

@GIMP you people should get ads for free.

Here's one: "I've been using GIMP for a decade. It's incredible that such powerful software is given away for free, fixed, developed, distributed for free, and I'm very, very happy that I can use it. I install it by default on any machine I have."
@zlatko @GIMP Well, I teach people how to do cool stuff with your great free software.
OK, not entirely for free, but for only a few coins at our local community college (VHS)...
#GIMP #GNU #FreeAsInFreedom

@FreieSoftwareOG @zlatko Ahah it's fine. We are not against people making a living with Free Software (quite the opposite, we try to, as well! Hence our permanent crowdfundings for development: https://www.gimp.org/donating/)

And we are very happy to know that other people get paid (well enough, I hope!) to teach with the software we make. 😄

Doing good stuff should not mean being exploited. ❤️‍🔥


@GIMP when I'm searching for gimp on google I'm not looking for image manipulation software but this is an important heads up
@GIMP money matters much, they don't care about open source, they take the best from open source without gratefulness, they know very well what they do, and who knows in what other dishonest ways they work, the fault is also ours that we have given them all this power, from the purchase of YouTube to the advent of Android they are squeezing us as much as possible, I hope that sooner or later it ends!
@GIMP We have the same problem in the Blender community 😭
@BartV first time hearing this from Blender community. Hope everything gets well soon. @GIMP

@GIMP
Alphabet only thirsts for ad money. Ad money corrupts any social platform it touches. Just go through YouTube ads Incognito/vpn to open the floodgates of garbage they let people pay them to promote.

Post boosted. 📣

@DavBot hey, you are right my friend. I saw a lot of instances of this also. Thanks for reminding, Man. @GIMP

@GIMP
Thanks Google, now you're mixing malware in with your monetized search results!

As one of your biggest fanboys I think this is a great step forward for the whole internet.
Being able to get malware easily from a trusted site will definitely help everyone with computer security.

@GIMP yo i have a great idea for how to prevent this

@GIMP

Disgraceful behaviour by Google. They have a duty of care to their customers.

@GIMP The matrix has attacked GIMP. Disgusting.
@GIMP have you considered suing Google?

@sn We are not a company, just a community of volunteers spread across the world, and we don't have big bucks either. So we are not going to ask any of our contributors to take legal risk in their personal name against one of the biggest companies in the world (with financial risk too, and the stress associated with trials and so on). And we care about preserving the mental health of our contributors.

So no this is not an option we consider.

@GIMP just one more reason why I don’t use Google

@GIMP
Shocking, it's as if Google might be too big to exist?

Speaking of which, we are unable to use GNOME Gitlab, because of its use of google reCAPTCHA.

We have one or more bugs to report but we will not train self-driving vehicles to lodge them.

@GIMP @cautionwip I have done a few things. I never click on ad search results now, and over a year ago I switched to #DuckDuckGo. They do have ads, but hey. At least it's not #Google?
@mayor @GIMP Yah, it's still difficult, there are so many sites that come up on DDG whose URLs direct to a googleads tracking portal or include Google-ads trackers that are page-based. Many sites use GoogleAds simply because they have integrated tracking that can be used to measure effectiveness of a given campaign. There are even official sites that use them for that. My ad-blocking system blocks google-ads tracking so I have to turn it off for sites like that. It's an issue.
@cautionwip What do you use to block ads? I am using #PiHole. I feel like they could have picked a better name.
@mayor I LOVE the name PIHole. lol.
I was going to set up a PIhole server, but my new ISP (https://oxio.ca if you're interested, and if you go with them, lemme know, I have a referral code that'll get you and I both a free month service) provides hardware (Eero 6+) with a baked in ad-blocker I've found surprisingly effective. They're a reseller who have no call center, they do their support via text/email, but I've found them surprisingly responsive. They're new though, so caveat emptor.

@cautionwip Oh wow! I did not know there was such a thing. Glad that they have something. I live in Washington state, so I do not get the cool Canadian internet down here.
@GIMP cc: @mtomczak My point continues: Google's primary business is malware peddling.

@ocdtrekkie You're trying to build a case on individual datapoints for a service that serves 237 billion ad clicks per day.

I think you may find your numbers less than convincing to those of us who know how statistics work, even though we agree that the number should, ideally, be zero.

@mtomczak I mean, I'm just pointing out that examples of this cross my feed incidentally *every* *single* *day*. And that's forgetting the silent majority, and all of the people who do not even understand what is happening.

Google has trained a lot of people to ignore individual datapoints, and it's why Google is the go-to platform for crime: They're ****ing blind, lol.

@ocdtrekkie Yes. I am not surprised that instances occur every single day in an ecosystem with 200+-billion-clicks per day.

Ever heard the statistics on how many of Google's datacenter machines burst into flames per day? Yet Google doesn't sue their vendors for mis-manufacturing; they know how scale works.

@mtomczak You are ignoring all of the data which is inconvenient for your beliefs: That this has impacted a major open source organization and Google has refused to address it for a number of months. And of course, that Google makes money on it, and hence has the perverse incentive to do it.

@ocdtrekkie It's a scale problem. You can make similar accusations of phone companies regarding scam calls.

The consequence of being the biggest is that you become the largest fraud vector by virtue of scale, no matter how much counter-with you do. That doesn't imply you stop doing the work, but it will never be enough.

@mtomczak If a company is too big to handle being an intermediary in criminal operations for several months without acting on it, the company should be shut down. Full stop.

@ocdtrekkie Cool.

So what *is* your recommended alternative to phone companies and USPS?

https://www.npr.org/2022/02/03/1077766541/usps-checks-mail-fraud-bank

@mtomczak I mean, the USPS is a public service which delivers mail without regard to its contents (and doesn't make a profit based on the value of the content therein).

I agree telco regulation should be better, and the FCC is currently acting heavily to shut down telcos failing to act on SHAKEN/STIR and KYC. We're fixing it. But for what it's worth, a telco is a public utility that provides societal value.

Google is an adtech company and a blight on the planet.

@mtomczak All of your attempts to suggest adtech is anything but something we should literally just imprison everyone involved with fail to recognize that Google actually makes all its decisions about pricing and display and moderation based on optimizing the maximum profit return.

@mtomczak The reason the ad is displayed on the page is because Google is confident it is the best way for Google to make the most money from it, and Google isn't acting on reports against an ad that's significantly more profitable than its removal.

Thanks to Section 230, Google faces no risk of penalty for knowingly serving malicious content, so... they actively serve malicious content.

@ocdtrekkie You've never worked with or in Google have you?

I ask because your perception of what the ad team actually does is so far removed from reality that I have no idea what your source is.

@mtomczak I've not worked at Google, but I've worked with a significant number of Google employees and teams.

It's absolutely a culture of arrogance and learned blindness.

@mtomczak Maybe Ars Technica will finally get their attention? Spamhaus is advising everyone not to use Google to download software. https://arstechnica.com/information-technology/2023/02/until-further-notice-think-twice-before-using-google-to-download-software/

@ocdtrekkie Ars reporting on the problem will certainly light a fire under the team to do more about it than they already are.

I’ll be interested to see if that has effect or if the problem is actually fundamentally intractable.

ETA: Ars does a good job of breaking down why Google’s been struggling with this problem. So Google employs all manner of out-of-band detection to suss out bad-faith advertisers. Problem is, this new wave of malware vendors is savvy to Google’s methods and is cloaking the endpoints from those scans, which means when Google tries to decide if those sites are malicious, they vend a clean front.

(I’m aware of several tricks Google has up their sleeve for this issue, which I choose not to divulge, but if I know about them, I assume people who generate revenue by breaking them definitely know about them).

In any case, it all circles back to square one again: it’s worth it for these folks to optimize their attack against Google’s countermeasures because Google is the largest target. This is the “Viruses on Windows” problem again.

@mtomczak The solution is simple: Google should only run ads approved by humans. Of course, that's expensive, so we need a solution to make it worthwhile: Hold Google legally liable for fraud and malware distributed by its platforms.

@ocdtrekkie That’s not expensive; it’s completely unscalable. It would collapse Google’s ability to offer search as a service (it would collapse all search engine’s abilities to offer search as a service, except possibly for Bing if Microsoft treats it as a loss-leader).

… and it wouldn’t solve the problem, because the bad actors would provide a clean front to the humans.

@mtomczak Good. Collapse it. Scale is not a justifiable excuse for misconduct, and it's long past time we start shutting down companies too big to operate responsibly.

Also, how many billions in profit did Google bring in this quarter? It's not unscalable, it's just not going to make them one of the most valuable companies on the planet. Their position is based on ill-gotten gain and lack of responsibility.

@ocdtrekkie I think we’re done on this topic if your response is “Well, search had a good run.”

The value provided by having search engines outstrips the harm done by bad actors leveraging ads to vend malware. Point me to one counter-example of a general-purpose search engine that isn’t ad-backed if you’re going to demand we collapse the ecosystem.

Or, as I said, you’re actually advocating for just handing search on the web to Microsoft. A hilarious solution for checking Google’s power.

@ocdtrekkie USPS is also a private corporation that makes ~20% of its money on ads.

https://facts.usps.com/top-facts

@GIMP > Also the GIMP project doesn't buy ads!

This is probably fine as long as the main way people try to get GIMP is through package management.

Does the project have enough numbers to know what the ratio is of people who install from package managers vs. people who install from search engines? If it starts to tilt towards "search mostly," might be time to invest in some ads.

@GIMP This probably doesn't need to be said to anyone in this thread, but this has been a problem for years and years and years (not specifically with GIMP), and Google either doesn't care, or is not willing to put the human resources in place to properly deal with the problem (ring a bell? Something something non-English Facebook content moderation).

I've personally reported similar ads and checked in later to see them still up.