Does Yandex help spread malware?

In my line of work, I observe how hundreds of ordinary PC users work. People who are far from new to computers increasingly run into problems with the mundane task of downloading free software. On investigation, it turns out that the user just typed "download Viber" into Yandex, and then something went wrong. For a long time I have been watching infections spread with Yandex's direct participation. These used to be isolated cases, but the phenomenon has now become widespread. Let me explain. Enter the name of any popular program that a typical home user might want to download, and you get something like this:


Each line marked “advertising” is a paid ad from an individual or legal entity registered in the Yandex.Direct service with all their addresses, phone numbers, TINs and other details. Each such ad is moderated manually; in this case, the moderator was not at all bothered by the fact that five different “official” sites had submitted ads for downloading a free application. And the phone number the moderator checked, (495) 111-22-33, certainly does not belong to Skype.

And, most interestingly, the order in which different ads are shown for a single query is determined by an auction. Without going into the details of the Yandex.Direct admin panel: those who set a higher cost per click are shown higher. Yes, every click on such a link costs the advertiser N rubles! What exactly the advertisers are competing for with their rubles is not known; there are many possibilities, from relatively harmless cryptocurrency mining on other people's hardware to intercepting payment data from Sberbank Online or Aliexpress. But logically, there is no hint of altruism here.


upd2 In the previous two screenshots, the search results are scrolled so that the lower ad block sits next to the query.

The fraud does not end with Direct. Below are the regular search results, without ads, for the query "anydesk", a popular application from the former TeamViewer team. is a real site, which should come first for this query. And the second result (with dot ru) is fake. One glance at this one-page site with its badly outdated clipart is enough to understand that this is a fake thrown together in 15 minutes. But apparently not for Yandex moderators. Please note: the address of this site contains both uppercase and lowercase letters (AnyDesk, not anydesk). This is possible in only one case: the author of the site is registered in the Yandex.Webmaster service and has passed manual moderation to change the letter case in the address of this “official site”.


The same garbage in the search results shows up for any software you can think of, paid or free. Adding “official site” to the query does not save the situation, and the phrase “free download”, popular among beginners, on the contrary only helps you land on a fake site. Yandex's wonderful ranking algorithms, which are improved every day, help suspicious sites climb higher. And as practice shows, an inexperienced user usually clicks the first search result, trusting the best domestic search engine.

And a little more about Direct. The service lets you target ads by various criteria. For example, you can show an ad only to male residents of the Kirov region aged 25 to 45. This is convenient for honest advertising of, say, a power tool store. Or you can show it only to users of Internet Explorer. The latter are usually associated with inexperienced PC users, so you can pay more for such a “newbie”: the advertising link in the example below appears even above the official website. This query was made in Internet Explorer; in an alternative browser the ad block does not appear here.


upd3 Let's check the targeting theory: we switch to *nix, and all paid advertising for the same queries disappears. The cost of a click would definitely be wasted on these users.


What to do with this information? Restrict the privileges of accounts on relatives' computers, and explain that no one should be trusted.

And a question for Yandex, if this text reaches them: are you going to solve this problem somehow?
The scale of the problem is confirmed by the query statistics: each of the keywords gets thousands to tens of thousands of queries per month.

upd I originally praised Google, but was corrected in the comments. Google does the same thing (my installed ad blocker hid these results).

upd4 A Yandex representative responded in the comments:

Secondly, as the author correctly noted, Yandex checks such ads. Not only manually, but also using our antifraud technologies. Actually, it has already been noted in the comments that none of the examples has an unequivocal verdict of harmfulness from any scanners or databases. We also checked these examples just in case. There are no signs of malicious activity there.

In general, things are not so scary. But if you see something suspicious, you can report it to Yandex support or to me personally, and we will check.
