Warning: Typing error domains lure users into a trap

Website mcaffe.de has ripped off visitors on numerous occasions

07/30/2009 | Bochum 

Web surfers need to be very careful to ensure that they use the correct spelling when entering website addresses. Danger lurks in the form of typo-squatting domains, i.e. domains where the spelling differs only slightly from popular, "genuine" domains. Just how unobservant website visitors can frequently be duped using this scam, is shown by a current example from G Data Security Labs.



Visitors intending to visit the German website of antivirus software provider McAfee are put at risk in a number of ways by Internet rip-off merchants if they make an unintentional typing error when inputting the web address. Anyone inadvertently typing in a slightly different version of the domain name - (mcaffe.de) rather than the official domain name (mcafee.de) - will find themselves on the website of domain name seller NameDrive, which contains a series of so-called sponsored links that appear to relate to antivirus software. However, the site does not just contain harmless advertising.

This link list not only contains links to established antivirus programs but also links to the websites Trojaner-Doktor.com und AntiVirusDoktor.com. Users should refrain from visiting these websites under any circumstances, as the product being promoted, "Antivirus Doctor 2009", is of questionable value. After installing this software, it offers to scan the computer for spyware, adware, Trojan horses, keyloggers, worms, rootkits, rogue applications and various registry problems.

Moreover, the identification performance leaves a lot to be desired; not even the so-called EICAR test file, a harmless test file that can be regarded as an industry standard for the testing of antivirus products and that should be identified under any circumstances, is classified as a potential threat by "Antivirus Doctor 2009".

On conclusion of the scan, "Antivirus Doktor 2009", reports that is has found a series of errors, mainly in the system registry. However, none of these can be cleared by the software, which is now referred to a "test version". If you click the appropriate button in the software, a web page opens where, for the price of EUR 49.85, the ‘full version’ of "Antivirus Doktor 2009" can be purchased and paid for immediately by credit card.

The virtually non-existent identification performance, the inability to clear even one error found during the scan job as well as the instruction that the user must purchase the ‘full version’ for this purpose, makes "Antivirus Doktor 2009" so-called scareware or rogueware. This refers to programs that suggest to the user that malware or system problems have been discovered on the computer and then urge him to purchase a paid-for full version or to register the software for a fee. Affected users should treat this request with extreme scepticism and exercise healthy caution before giving out their credit card details.

However this is not all: when a visitor opens mcaffe.de, a further type of scam awaits in the form of a subscription entrapment. This works as follows.

Besides the link list described above, another browser window opens the website softwaresammler.de, on which a direct download of the free PDF-software Adobe Reader 9 is advertised. To download it, the visitor need only enter his personal data. The catch is that, on entering the personal data, depending on the page displayed by the website operator, a subscription contract with an associated charge is entered into for a period of two years, calculated at 8 Euros per month, i.e. 192 Euros in total. Moreover, by submitting, the user accepts the provider’s general terms and conditions so that, depending on the version of the text the provider uses, he simultaneously foregoes any right of withdrawal.

Such contract wording is of uncertain legal foundation, especially with respect to the foregoing of the right of withdrawal, and in case of doubt is null and void. Nevertheless operators of such subscription traps are not afraid of subsequently presenting the victims of such scams with a bill for the purportedly agreed subscription.

Users who are conned in this way and who have received such an invoice should not pay under any circumstances. Rather, they should challenge any purportedly agreed contract. Victims should not allow themselves to be intimidated by sabre-rattling by the provider in the form of reminders or even threats of debt collection procedures. To date, no case involving a subscription entrapment case has resulted in the provider successfully winning a legal order to pay. A sensible starting point for recipients of illegally concluded subscription bills are the consumer protection bodies, which can offer assistance e.g. in the form of template letters that can be used to file an objection against the payment request.

Apparently, the domain name seller, NameDrive, who has "parked" the mis-type domain mcaffe.de and provided it with sponsored links, has not carried out sufficient testing of the contents of the linked pages. Indeed the links are currently no longer accessible; however it is probably not NameDrive that has removed them. G Data's request to remove the domains from the sponsored links was rejected by the support team as not possible. No response has yet been received regarding the pop-up with the subscription entrapment. G Data has tried to reach a cooperative solution with NameDrive, and even legal steps were investigated – especially as G Data is also mentioned in the link list. Nevertheless, the company has expressly stated that it distances itself from any cooperation with NameDrive and that it is not responsible for the activation of links on the website mcaffe.de


Ralf Benzmüller, manager of G Data Security Labs, urges particular caution in such cases: "If you end up as a web surfer on such a page, you should immediately leave it. Don't click on any of the links provided, do not give away any personal data and do not under any circumstances purchase anything from there."





Claudia Krettler