Misleading advertisements lead to hijacked browser settings

Filed Under: Adobe, Adobe Flash, Apple, Featured, Java, Oracle, Security threats, Windows

A few hours ago Mrs. W was looking to install a fresh copy of iTunes on her PC and performed a quick Google search.

Above the first (and correct) result was an ad. Nothing unusual about that, except that this particular ad screamed "SCAM!"


As you can see, the URL could lead one to believe it is the iTunes download site, so I thought I would check it out.

itunes-dl-200The site I arrived at had a long list of legitimate applications with links to download them, including the one Mrs. W was interested in, iTunes.

This is where it is handy to have a virus lab hanging around. You can look into these things safely and see what the scam artists are up to with little to no risk.

I clicked the download button and was taken to a page with information on iTunes, some of which was very misleading.


There is boilerplate legalese spread liberally around the page, but thankfully it is certified safe by our friends over at McAfee (or should I say Intel?).

They are correct; it is virus free. I wouldn't interpret this to mean that it is harmless, though.

Everything about this feels a bit wrong. They mention you will be offered additional software via "opt-in ads."

Strangely Internet Explorer 11's SmartScreen filter didn't whisper a word of warning, allowing me to run the file with minimal intervention.

After downloading, I ran the small executable which was digitally signed by Tuguu S.L., a company known for creating a pay-per-install toolbar that is widely considered to be adware or a potentially unwanted application.

DomainIQ-250In fact, Sophos Antivirus detects this download as "'Adware or PUA' DomainIQ pay-per install".

First, I was presented with a standard-looking "Welcome to the iTunes installation wizard" screen.

Next I was offered a fantastic opportunity to redirect my search engine queries to a partner and prohibit other programs from helping me undo the mess.


"Install Search Protect to set my home page default search to Conduit Search for Internet Explorer, Firefox and Chrome and to block other software's attempts to change my browser's home page and search settings."

Not exactly comforting words, but most of us are trained to click the Next button until it changes to Finish.

Eventually it connects to the real Apple website and downloads iTunes in the background. In my case, it downloaded the 32-bit version, which would not even install on my 64-bit Windows 7 operating system.

It did, however, successfully hijack my search engine and home page settings in all installed browsers.

Part of the problem with trying to warn people of the dangers of these types of misleading installers is the fact the Adobe and Oracle are both engaging in similar behaviour, lending an air of legitimacy to the practice.

AdobeBundle-200When Adobe released a critical update for Flash Player in February of 2014, it defaulted to installing Google Chrome and making it my default browser unless I opted out.

Oracle's Java uses a similar tactic, offering to hijack your search engine to everyone's preferred search provider, Ask.com.


With Oracle's $37 billion of revenue in 2013 and Adobe's $4 billion, I am not convinced they need to resort to bundling unwanted additional packages with plugin downloads.

You need to approach software downloads with the same caution that you approach websites that may wish to phish your credentials.

Always go directly to the source. Don't trust ads and don't click links in emails. Instead, go directly to the manufacturer's website.

Lastly, pay close attention to checkboxes and what you are agreeing to. Apparently even legitimate software vendors can occasionally betray your confidence.

, , , , , , ,

You might like

15 Responses to Misleading advertisements lead to hijacked browser settings

  1. Just because Adobe does it does not make it right - almost had them install crap on my PC several times, missed the install crap check box when Free FileSync upgraded last time - took me two hours to figure out what happened to my browser and fix it -

    they should knee cap some developers and send them the Gitmo for these tactics

    Also with Adobe if you agree to the update they pop open a new browser and since I keep a few sites open with a Restore Last session - saves the open sites with bookmarks - so if I am not real careful they will trash my site settings even if I don't have junk installed

  2. Roger · 577 days ago

    Excellent advice.

  3. Michael · 577 days ago

    This has been going on since before 2008, both in legitimate software installers, and, of course, scam software installers. Nothing new. The search advertisements... Well, nothing new there either. Ever since the SE companies began taking in revenue from paid rankings, scam sites have been there in the top searches. I don't know how many times I have seen browsers loaded with several search engine tool bars... and most of the time, those tool bars slow down the browser due to process hogging and memory leaks. So then we hear "My internet takes forever to load". So, really, to this article, I'd say it's 6 years plus too late in informing. It does show, however, that after 6 plus years of warning, people are still mindless enough to click next and download anything without reading.

    • Nigel · 576 days ago

      "So, really, to this article, I'd say it's 6 years plus too late in informing."

      You must be new. Sophos isn't. They've been warning people about this for a long time. Just because you're reading advice for the first time doesn't mean it's the first time the advice has been given.

  4. Stuart · 577 days ago

    Search Conduit seems to be the bane of my existence as IT support, It seems that I don't go to a new without finding it sitting there ready to annoy me! gorilla installs are cheap and tacky and should be avoided! I even consider the ask toolbar as a nasty these ways - to the Adobe doing it making it seem legit is a bit backwards for me, If anything it has made me more dubious about Adobe itself. (I'm glad to say all downloads on to my own machine go through the Scan on download, then get a right click scan, then just to top it off it also goes through a scan on access! probably over kill but the nasty's are getting sneakier, so we need to be more defensive! )

    • Kat · 564 days ago

      Aaaa! I "discovered" search conduit yesterday. I'm pretty sure I managed to get everything out that it added onto my computer (there were several hidden programs), and changed back everything on my browser, but something is still fishy because now there are linked words on all the sites I go to, and when you hover over a word (e.g. "credit" was hyperlinked in one of my school web pages) it pops up an ad to some external site (e.g. repair your credit, blah blah blah...)
      I was tired, doing homework, and clicked without looking I guess... :-/ I'm thinking I will reset my browser and hope that works.

      • Check carefully for browser add-ons in all installed browsers, If you use Chrome or Firefox you may be able to remove them, delete the profile folder and reinstall for a clean start.

        It can be hard to remove, good luck!

  5. Anonymous · 576 days ago

    Thanks for running this experiment. I always wondered what those non-manufacturer download sites actually did.

  6. Nigel · 576 days ago

    "When Adobe released a critical update for Flash Player in February of 2014, it defaulted to installing Google Chrome and making it my default browser unless I opted out."

    Hmmm...I just used Firefox (running in OS X) to download Flash Player v12.0.0.44. The installer didn't mention anything about installing Google Chrome. I just searched my boot volume and Google Chrome is definitely not installed (I would have opted out if given the choice; I don't want it on my computer).

    Is the opt-out attempt to install Chrome a "feature" of Flash Player for Windows?

    • Anonymous · 576 days ago

      Yes, Adobe customizes its uncheck-to-avoid-installation feature based on your browser and your operating system.

  7. redsoxaddickt · 576 days ago

    thank you Chester [Cat] - great article. i've recently had to deal with add ons disguised as safe toolbars. i believe it is Surf Canyon that has a tool bar that keeps trying to load with some other software i've used in the past but don't use anymore. still, i sense something is awry because i am getting these obnoxious scatterings of underlined single or two words (most often NOUNS) such as college", "dating", to name a couple. do you know who or what the culprit might be?

  8. ODA155 · 576 days ago

    Look, I get the idea, the reason and the anger behind this story... but the problem here is that people do not think and for that they get themselves into trouble, if Mrs. W wanted a new version of iTunes, why Google "iTunes", why not got to Apple's website and get it from a source that's "safe"?

    Message to the author... why did you remove my first post... sorry if Mrs. W. is your wife, but if you do this for a living then you need to educate her.

    • Mrs. W · 576 days ago

      Mrs. W here.

      My rationale for going through Google was that it was the shortest path; I don't know the iTunes URL off the top of my head and didn't care to wait for Apple's site to load and have to navigate through multiple pages.

      I also knew exactly what I was looking for: something on apple.com. Not something on apple.insertscammylookingdomainhere.com

      You'll note also that Chester does not mention that I clicked on the ad because I didn't; I immediately drew his attention to it and gave him the URL to investigate on his virus lab machine because I thought it might be worthy of a story.

      Being married to a Naked Security blogger, I am a frequent reader, and would wager that I engage in security practices that make me safer than at least 95% (98%? 99%?) of the population: using a separate machine for online banking (and never my mobile phone); using a password vault with 2FA to generate long, unique passwords; patching OS and apps religiously; refusing to give away personal information without a good reason; and so on. Some of this is so woven into daily habits that I forget all the measures I undertake.

      We really do practice what he preaches. And once you are well-studied in the best practices of a system (be it implementing security or writing poetry), you gain the freedom to know when those rules can be broken.

      • ODA155 · 575 days ago

        Look, I'm not trying to argue with you, but you didn't know itunes.com which redirects to Apple's website was quicker that Google? And as for my first post that was removed... all I said was "why not just go to Apples website"...

        Please do not take it so personal, it was just a simple question I asked that was removed.

  9. Sayvlib · 576 days ago

    Thanks Chester, I always look forward to your insights and Chet chat. It drives me crazy that every time I update my network computers, I get "Asked." Doesn't Adobe do something similar? It's now second nature to look for the annoying check box. Keep up the great work. Thanks again.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.