Fake site "not t epad-plus-plus.org"

donho · Jan 6, 2021, 4:05 PM

Just got this email from an user (be aware the following link, nottepad-plus-plus.org instead of notepad-plus-plus.org )

Hi,
Did you know that there is a clone of your website where the download appears to have a virus/malware attached?
https://nottepad-plus-plus.org/
This has a Google Ad attached, so comes top of the list (above your site) for searches on notepad++.
You might want to contact Google about that.
Thanks for producing Notepad++. I think it’s great!
Best wishes,

I tried to google “notepad++” to have this AD, but it seems it’s removed.
Any suggestion to remove the fake site from this domain, in order to prevent people from downloading the spyware/virus?

Michael Vincent · Jan 6, 2021, 4:53 PM

@donho

Recently registered (December 24, 2020), info redacted from Whois not suprised:

https://who.is/whois/nottepad-plus-plus.org

Resolves to CloudFlare servers:

PS VinsWorldcom ~\source > dig nottepad-plus-plus.org

; <<>> DiG 9.8.1 <<>> nottepad-plus-plus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18575
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nottepad-plus-plus.org.                IN      A

;; ANSWER SECTION:
nottepad-plus-plus.org. 300     IN      A       104.27.185.137
nottepad-plus-plus.org. 300     IN      A       104.27.184.137
nottepad-plus-plus.org. 300     IN      A       172.67.147.177

;; Query time: 121 msec
;; WHEN: Wed Jan 06 11:52:24 2021
;; MSG SIZE  rcvd: 107

PS VinsWorldcom ~\source > dig -x 104.27.185.137

; <<>> DiG 9.8.1 <<>> -x 104.27.185.137
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30192
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;137.185.27.104.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
27.104.in-addr.arpa.    3600    IN      SOA     cruz.ns.cloudflare.com. dns.cloudflare.com. 2034580120 10000 2400 604800 3600

;; Query time: 88 msec
;; SERVER: 10.20.200.53#53(10.20.200.53)
;; WHEN: Wed Jan 06 11:52:36 2021
;; MSG SIZE  rcvd: 126

PS VinsWorldcom ~\source > dig -x 172.67.147.177

; <<>> DiG 9.8.1 <<>> -x 172.67.147.177
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60765
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;177.147.67.172.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
67.172.in-addr.arpa.    3398    IN      SOA     cruz.ns.cloudflare.com. dns.cloudflare.com. 2034580120 10000 2400 604800 3600

;; Query time: 58 msec
;; SERVER: 10.20.200.53#53(10.20.200.53)
;; WHEN: Wed Jan 06 11:52:46 2021
;; MSG SIZE  rcvd: 126

Cheers.

J. De Castro · Jan 6, 2021, 5:42 PM

A user on reddit saw this too https://www.reddit.com/r/helpme/comments/krezur/notepad/
Here’s what i said on reddit :
///
Whois show that the fake website is russian and was regesitered less than a month ago :

The only thing the fake website seems to hide is the trojan in the installers, the donation page seems unchanged

I tested two installer for v 7.9.2 with virustotal :

U can see the first one seems to hide a trojan, I tested the file with windows defender and it detected nothing, same with Spybot.

I dunno what we can do, maybe send an email to the real owner…

Update : I repported the website to Firefox, Google and Microsoft
///
So if it was not already done I repported it …

Alan Kilborn · Jan 6, 2021, 5:49 PM

Chrome tried to protect me from going there:

Thanks Chrome! :-)

donho · Jan 6, 2021, 7:59 PM

@Michael-Vincent said in Fake site "not t epad-plus-plus.org":

Resolves to CloudFlare servers:

Thank you for your investigation. However, without being a network expert, I’m not sure about the result:

SERVER: 10.20.200.53#53(10.20.200.53)

Is the IP of server in which this fake site is hosted 10.20.200.53 ? What can I do with such info?

donho · Jan 6, 2021, 8:03 PM

@J-De-Castro said in Fake site "not t epad-plus-plus.org":

Update : I repported the website to Firefox, Google and Microsoft

Thank you for reporting this problem!
Could you share the links where you have reported so I can report to them as well?

Michael Vincent · Jan 6, 2021, 8:04 PM

@donho said in Fake site "not t epad-plus-plus.org":

Is the IP of server in which this fake site is hosted 10.20.200.53 ? What can I do with such info?

No, that’s just my internal DNS server that is supplying the result from the recursive lookup.

PeterJones · Jan 6, 2021, 8:35 PM

@donho ,

Based on the link @Michael-Vincent sent, the fake domain is using netim as their registrar, and CloudFlare as their DNS server:

Often, your DNS server is also run by your web host, so I’d say that CloudFlare is the host that owns the machine for the fake domain.

Michael’s dig on the IP confirms that CloudFlare owns the IP address used by the fake domain. That strengthens the conclusion that CloudFlare really is the host.

Thus, I believe that contacting CloudFlare, and asking them to take down the spoof site is the right next step

J. De Castro · Jan 6, 2021, 10:55 PM

@donho
Yep here the adresses I used to repport the website :
https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en
https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest

as said by @PeterJones I think the next step is contacting cloudflare to repport the abuse
this can help https://www.namecheap.com/blog/how-to-report-a-fraudulent-website-to-a-registrar/
for repporting to cloudflare :
https://support.cloudflare.com/hc/en-us/articles/360028158352-Reporting-abuse-to-Cloudflare#h_eb67da7f-6013-45a5-a9c8-6b71327190a1
https://www.cloudflare.com/abuse/form

Hope this can be resolved fast

donho · Jan 9, 2021, 4:21 AM

Thank you @Michael-Vincent @PeterJones & @J-De-Castro for your help.

Just tweeted it:
https://twitter.com/Notepad_plus/status/1347757857056423936

And also create a ticket in CloudFare with the following content - I have a CloudFare account, since notepad-plus-plus.org uses some service of CloudFare:

A fake site of Notepad++ under the domain "nottepad-plus-plus.org" has the same look and content as the real one, except the distributed binaries (Notepad++ packages & installers). In this site the malware is distributed.

After some digging, the fake domain is using netim as their registrar, and CloudFlare as their DNS server. it could be that CloudFlare is the host that owns the machine for the fake domain. Could you check from your site if you host this fake website (and of course take it down if it's the case) please?

Thank you in advance

Let’s wait & see.

Alan Kilborn · Jan 9, 2021, 12:56 PM

@donho said in Fake site "not t epad-plus-plus.org":

https://twitter.com/Notepad_plus/status/1347757857056423936

At that twitter link @donho has 2 links where we can go to report the bad nottepad site. If a lot of people follow the links and do it, I’d think it would help.