SCAM Website Audacity

[eleminer]

Hello guys,
Yesterday I wanted to download audacity.
When entering "audacity" on Google, the following website is the first suggestion: https://www [dot] audacity [dot] de/.
After downloading it from this website, Windows Defender raised the alarm: undesirable behavior.
Here, via Github, I found out that the "correct" homepage has the following URL:
https://www.audacityteam.org/

After downloading it from this website, everything went smoothly and I was able to edit my audio files.

I assume that the first website is a fake?
Is this really the case?

Best regards
Marc

[SteveDaulton]

Yes, "audacity.de" is a malware site. We would dearly love to see that site permanently shut down, or at least blocked by Google.

The genuine Audacity website is https://www.audacityteam.org/
Our official downloads are served by https://www.fosshub.com (follow the links from the Audacity website for download /installation instructions and the name of the file that you require). Note that the Audacity download links on FossHub are text links.

[asa55]

Reported the malicious site to Google at this link: https://safebrowsing.google.com/safebrowsing/report_badware/?hl=en

More places to report malicious sites are itemized here: https://security.stackexchange.com/questions/1728/where-to-report-malicious-urls-phishing-and-malicious-web-sites

[eleminer]

okay, this is very bad....

[eleminer]

I'm actually always very careful when downloading files, but this time they got me...

[stweil]

The bad news is that the malicious website https://www [dot] audacity [dot] de/ is still listed on the first (!) place when I search for "audacity" at Google. We just detected that we had installed a bundle of new notebooks with malware coming from that site. Today I could confirm that the downloaded Audacity for Windows comes from https://www [dot] audacityorg [dot] de/ and is not identical to the official one, but significantly larger.

I now wrote to Host Europe GmbH (part of the @hosteurope group) who host the scam website and hope they will shut it down and prosecute their client which claims to come from Malta.

I also reported it at @google using the link above.

As Audacity is a trade mark, it could also be possible to go against domains which misuse that name.

[SteveDaulton]

I have modified the direct links to the scam site. We really don't want to be helping their SEO ;-)

[stweil]

Symantec just told me that they detect the malicious Windows installer. Windows Defender does not detect it ...

audacity2-4-2.exe | 7125d68e319e44fe0fe0b6c2412e4ea3 | Already Detected | Trojan.Gen.2 | 209933

[SteveDaulton]

I think they change the payload periodically. Much of the time it is a "pup" installer.

[stweil]

The owner of the scam website is listed in the Paradise Papers: https://offshoreleaks.icij.org/nodes/56039455.

[DavidBailes]

I've reported the website to https://www.quad9.net/

[stweil]

Host Europe answered today. They ask for evidence that the site is really malicious.

[SteveDaulton]

Clicking on the "Download starten" link on this page: https://www [dot] audacity [dot] de/download-de/
downloads this file: https://www.virustotal.com/gui/file/128f53140b13a899bf6304ec2d5db4ebce33df7d3cf5e3386b97a9701a922fed/detection
Tested at 16:54 GMT 16 Feb 2021

[henricj]

It might be worthwhile to try to get their code signing certificate revoked. It will be simple enough for them to get another one, but at least executables that have already been downloaded should get flagged.

https://web.entrust.com/ev-misuse/

I have no idea how responsive Entrust is to these kinds of problems.

[gwestwood]

Symantec just told me that they detect the malicious Windows installer. Windows Defender does not detect it ...

Submit it to https://www.microsoft.com/en-us/wdsi/filesubmission for MS to analyse it.

[eleminer]

okay, I was happy a few days ago that the page is down, now it's back online ...

[stweil]

Currently they deliver an unmodified audacity-win-3.0.0.exe. But of course one never knows whether they always do that in the future.

[henricj]

Just because one person downloads the official release, doesn't mean everybody else will get the same file.

Some of these scam sites are sophisticated enough to provide different downloads depending on what they detect about the downloader. Geolocation, browser tagging, etc., may lead most folks (likely including those reviewing complaints for a web host), to get a legitimate download, while still letting them target others.

[eleminer]

maybe you should write here that there is a fake page online. As information!

[jahway603]

that's a great idea

[stweil]

That website has no rights to use the domain name "audacity" without permission. So legal means would be most effective.

[lengthwave]

Our legal team is currently working on getting this issue resolved.

[eleminer]

perfect. :)

[eleminer]

it is still online and via google available. :/

[differentprogramming]

The fact that Audacity has a "legal team" is the root of the current problems.

[Atemu]

it is still online and via google available. :/

Things of that nature don't happen nearly as fast as you think they should. Check again in a month or three.

The fact that Audacity has a "legal team" is the root of the current problems.

No, that's perfectly fine for a software development company. I'd call you crazy if your company didn't have a legal team (or close legal correspondent) above a certain size or user base.

[eleminer]

Still online..... what we need to do?

[lengthwave]

German law makes this surprisingly time consuming to resolve.

Lawyers are currently working on this and there is an active court case.

[DePasqualeOrg]

On Twitter I noticed ads supposedly for Audacity, which point to a website with the .top TLD and otherwise the same domain as the official Audacity website. I just wanted to make a note of this here so that you can follow up on that site as well.

[eleminer]

the .top is also SCAM?

[DePasqualeOrg]

It looks that way to me. But the Audacity team should follow up on it. The Twitter ads and the profiles that posted them look dubious to me.

[lengthwave]

Can you make a screenshot? Do you know the usernames?

[DePasqualeOrg]

[DePasqualeOrg]

This is the ad I've been seeing recently on Twitter, which points to the .top domain with otherwise the same name as the official Audacity domain. I'm assuming it's malware.

[lengthwave]

Do you know the domain it is pointing to?

[DePasqualeOrg]

It's just as I described it, but I didn't want to write it out here. The official domain is audacityteam.org, right? Just replace .org with .top.

[eleminer]