[GNC-dev] URGENT: Fake gnucash website with fake download, most likely compromised file

Craig Arno craig at arno.com
Fri Dec 9 19:29:54 EST 2022


Seems like this information could be used to report and pull the 
gnu-cash.org domain:

Domain Name: gnu-cash.org
Registry Domain ID: 9a42474dfe5d4a8e9e50e0c56e101812-LROR
Registrar WHOIS Server: https://iwhois.webnic.cc
Registrar URL: https://www.webnic.cc/
Updated Date: 2022-10-25T22:39:36Z
Creation Date: 2022-10-20T22:39:13Z
Registry Expiry Date: 2023-10-20T22:39:13Z
Registrar: Web Commerce Communications Limited dba WebNic.cc
Registrar IANA ID: 460
Registrar Abuse Contact Email: *compliance_abuse at webnic.cc*
Registrar Abuse Contact Phone: *+603.89966799*
Domain Status: clientDeleteProhibited 
https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited 
https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited 
https://icann.org/epp#clientUpdateProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: unknown
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Berlin
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: DE
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of 
Record identified in this output for information on how to contact the 
Registrant, Admin, or Tech contact of the queried domain name.
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please query the RDDS service of the Registrar of Record 
identified in this output for information on how to contact the 
Registrant, Admin, or Tech contact of the queried domain name.
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please query the RDDS service of the Registrar of Record 
identified in this output for information on how to contact the 
Registrant, Admin, or Tech contact of the queried domain name.
Name Server: eva.ns.cloudflare.com
Name Server: osmar.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: 
https://www.icann.org/wicf/
 >>> Last update of WHOIS database: 2022-12-10T00:19:57Z <<<


On 12/9/2022 4:07 PM, Vincent Dawans wrote:
> OK sorry for the flood of email but as of 4:05PM US Pacific time the ad is
> no longer showing for me either. So possibly already removed via my report
> and others. As for the actual site there is nothing we can do, the
> important thing is that it doesn't show up on Google. No trace of it on
> Bing either. So I think we are good for now.
>
> On Fri, Dec 9, 2022 at 4:02 PM Vincent Dawans<dawansv at gmail.com>  wrote:
>
>> You need to go to the main.php page link to see the fake site. Full link
>> is https://gnu-cash.org/main.php or possibly
>> https://www.gnu-cash.org/main.php
>>
>> Google ads are location and search history dependent so might not show up
>> everywhere.
>>
>> Google has a separate tool to report phishing sites. But make sure you
>> report the whole URL with the main.php
>> https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
>>
>> That said the https://gnu-cash.org/main.php doesn't seem to work in
>> incognito mode nor on Microsoft Edge. Only on regular chrome does it open. I
>> don't have another browser installed so can't test.
>>
>> On Fri, Dec 9, 2022 at 3:51 PM John Ralls<jralls at ceridwen.us>  wrote:
>>
>>> I don't see that ad when I search Google for gnucash; when I type
>>> https://www.gnu-cash.org/  into my browser's address bar I'm taken to a
>>> page titled "Dot Com Inovations"[sic] with a heading "October 20, 2022" and
>>> nothing at all about GnuCash.
>>>
>>> Not that there would be anything we could do about it if it did exist.
>>>
>>> Regards,
>>> John Ralls
>>>
>>>
>>>> On Dec 9, 2022, at 3:39 PM, Vincent Dawans<dawansv at gmail.com>  wrote:
>>>>
>>>> Added screenshot showing fake gnucash site ad at top of google results.
>>>>
>>>> On Fri, Dec 9, 2022 at 3:31 PM Vincent Dawans <dawansv at gmail.com> wrote:
>>>>> Precision: the link to the fake site reported below is actually
>>>>> https://gnu-cash.org/main.php -- you need the full page link to see the
>>>>> fake site that shows in the google ad.
>>>>>
>>>>> On Fri, Dec 9, 2022 at 3:24 PM Vincent Dawans <dawansv at gmail.com> wrote:
>>>>>> I just typed gnucash in google and the first hit was an ad pointing to
>>>>>> gnu-cash.org (with a dash). It is a fake site that is a carbon copy of
>>>>>> the official site but the download link goes to a setup.exe that is most
>>>>>> likely a corrupted virus file.
>>>>>>
>>>>>> We need this removed ASAP. There is an option in google to report the
>>>>>> site and mark it as spam/phishing. I imagine if more people do this it will
>>>>>> get removed faster hopefully.
>>>>>>
>>>> <fake-gnucash-site.png>_______________________________________________
>>>> gnucash-devel mailing list
>>>> gnucash-devel at gnucash.org
>>>> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
>>>
> _______________________________________________
> gnucash-devel mailing list
> gnucash-devel at gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-devel
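
Added example, not part of the original thread: a small triage of the WHOIS record quoted in this message, pulling out the fields an abuse report needs (registrar abuse contact, name servers, domain age at query time) and checking whether the name is a hyphen lookalike of the project's domain. The 90-day "recently registered" threshold and the function names are assumptions made for this illustration; the sample lines are copied from the record above.

```python
from datetime import datetime, timezone
import re

# Lines copied from the WHOIS record in the message above.
SAMPLE = """\
Domain Name: gnu-cash.org
Creation Date: 2022-10-20T22:39:13Z
Registrar: Web Commerce Communications Limited dba WebNic.cc
Registrar Abuse Contact Email: *compliance_abuse at webnic.cc*
Name Server: eva.ns.cloudflare.com
Name Server: osmar.ns.cloudflare.com
 >>> Last update of WHOIS database: 2022-12-10T00:19:57Z <<<
"""

def parse_whois(text):
    """Parse 'Key: value' lines into a dict of lists (keys may repeat)."""
    rec = {}
    for line in text.splitlines():
        # Strip the '>>> ... <<<' decoration used on the last-update line.
        key, sep, value = line.strip(" ><").partition(": ")
        if sep and value.strip():
            # Strip the '*' emphasis markers the mail client put around values.
            rec.setdefault(key.strip(), []).append(value.strip(" *<>"))
    return rec

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def squash(domain):
    """Normalise for lookalike comparison: lowercase, drop 'www.' and hyphens."""
    return re.sub(r"^www\.", "", domain.lower()).replace("-", "")

def triage(text, legit_domain, young_days=90):  # young_days is an assumed threshold
    rec = parse_whois(text)
    domain = rec["Domain Name"][0].lower()
    queried = _ts(rec["Last update of WHOIS database"][0])
    age = (queried - _ts(rec["Creation Date"][0])).days
    return {
        "domain": domain,
        "age_days": age,
        "recently_registered": age < young_days,
        "lookalike": domain != legit_domain and squash(domain) == squash(legit_domain),
        "abuse_contact": rec.get("Registrar Abuse Contact Email", [None])[0],
        "name_servers": rec.get("Name Server", []),
    }

if __name__ == "__main__":
    for field, value in triage(SAMPLE, "gnucash.org").items():
        print(f"{field}: {value}")
```

The abuse contact is printed in the archive's obfuscated "at" form, exactly as it appears in the record.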

