Scam Page

Posted: 20 Dec 2019, 08:22
by nnnik
A scam page at autohotkey.fr is impersonating our AutoHotkey.com website.
It will download and install malware.
It seems to target players of a specific MMORPG but it might be more.
More information will follow - for now please avoid the site and warn people to not visit the site.

Re: Scam Page

Posted: 20 Dec 2019, 08:30
by swagfag

Re: Scam Page

Posted: 12 Jan 2020, 09:10
by SyntaxTerror
As for now, the website has been suspended.

Re: Scam Page

Posted: 13 Jan 2020, 10:41
by joedf
That's good to hear :+1:

Re: Scam Page

Posted: 17 Jan 2020, 16:44
by DRocks
Recently, I've been redirected to this page a few times.
Can't access forums without getting the gotcha.js page.

Re: Scam Page

Posted: 17 Jan 2020, 17:14
by gregster
DRocks wrote:
17 Jan 2020, 16:44
Recently, I've been redirected to this page a few times.
To the (now suspended) scam page autohotkey.fr? Redirected from where?
DRocks wrote:
17 Jan 2020, 16:44
Can't access forums without getting the gotcha.js page
You might want to expand on that... I am not sure what gotcha.js page refers to (well, the admins might know perhaps). Or do you mean captchas?

Re: Scam Page

Posted: 17 Jan 2020, 18:19
by joedf
I don't know :b

Re: Scam Page

Posted: 17 Jan 2020, 20:51
by DRocks
Sorry guys, I mean that - just by clicking the same google bookmark for autohotkey.com which lands normally on the home page - it happens that when I click on the forum link I will get a JavaScript message in a blank webpage.
It's gotcha.js script and it says that a scam page is trying to redirect me to a fake .fr site.
But I'm using that same autohotkey.com bookmark for 2 years so I suppose it's not on my side?

Btw, that gotcha.js page is the reason I came to this thread. The link to this is in the page and it's the only way I can get back on the forums.

Re: Scam Page

Posted: 17 Jan 2020, 21:12
by gregster
Never heard of it, never seen it, can't reproduce it. Why would you be redirected by autohotkey.com to the fake, now defunct fr-website and at the same time be warned?
We never knew of this website before someone made us aware of it, afaik, and consequently reported it to get it taken down.

I guess, the gotcha page might get created by the fr-site's domain provider who has taken it down after we reported it, for people who would still get there via a redirect... 🤷‍♂️ Any information there about the message's origin? Does it say something about LWS.fr (which would be the involved domain provider)?

The fake site's forums section seems to have silently redirected to our forums - but perhaps still under the fr-address (possibly "just" providing compromised AHK downloads) ... so perhaps your bookmark was always corrupt :eh: (I don't know how long this scam was going on).
Btw, since when is this happening? If it started recently, around the time the page was taken down, it would make sense that you suddenly wouldn't be redirected to our forums anymore by using a fake bookmark. Which URL is in the bookmark's properties?

Anyway, what you are describing, sounds highly suspicious. In your position, I would thoroughly check my computer for malware.
Perhaps your bookmark (or browser or whatever) was altered by malicious software... something is not right, I am sure.

Re: Scam Page

Posted: 18 Jan 2020, 11:24
by tank
I'll double check everything tonight

Re: Scam Page

Posted: 18 Jan 2020, 14:33
by DRocks
I'm not able to reproduce here at my home computer but it happened at work 2 times this week (using a shared bookmark on my google account which is logged in at home and at work too)

The url is exactly : https://autohotkey.com/boards/
In fact, I used this exact bookmark to reply to you right now and all was good as it usually is.

I ran malwarebytes maybe at the beginning of the week at work and there was nothing found. Not a perfect thing but at least it covers most possible malwares

Re: Scam Page

Posted: 18 Jan 2020, 19:25
by gregster
That's odd. But possibly tank can spot something.

Re: Scam Page

Posted: 19 Jan 2020, 07:52
by haichen
I bookmarked https://autohotkey.com/boards/ a long time ago. It never led me anywhere else. I usually use the link several times a day.

Re: Scam Page

Posted: 20 Jan 2020, 10:16
by DRocks
It just happened when I got to work now:

Chrome Bookmark = same as before and same as at my home = https://autohotkey.com/boards/

resulting page = https://www.autohotkey.com/boards/assets/javascript/gotcha.js
content =
var msg = "Dear visitor. This domain autohotkey.fr is trying to trick you. The official domain is autohotkey.com.\n\n";
alert(msg );
//location.href = "https://www.autohotkey.com/boards/viewtopic.php?f=2&t=70926"

The computer I am using at work is connected to a network with our 4 work computers, otherwise everything is a windows 10 usual setup. No weird antivirus or firewall that I know of, and nothing else than windows defender is visible. Malwarebytes reports nothing wrong

Re: Scam Page

Posted: 20 Jan 2020, 12:54
by gregster
I see. I think that page is or was meant to prevent scammy redirections to (or from ?) the .fr-website.

Why this would trigger in your case, I am not sure. I still haven't seen this page in the wild. Now that the fr-domain is blocked by the provider, it's perhaps not relevant anymore. That might be a question for our admins.

Perhaps it's a cache or proxy issue that you still see it.

Re: Scam Page

Posted: 21 Jan 2020, 03:46
by SOTE
DRocks wrote:
20 Jan 2020, 10:16
It just happened when I got to work now:

Chrome Bookmark = same as before and same as at my home = https://autohotkey.com/boards/

resulting page = https://www.autohotkey.com/boards/assets/javascript/gotcha.js
content =
var msg = "Dear visitor. This domain autohotkey.fr is trying to trick you. The official domain is autohotkey.com.\n\n";
alert(msg );
//location.href = "https://www.autohotkey.com/boards/viewtopic.php?f=2&t=70926"

The computer I am using at work is connected to a network with our 4 work computers, otherwise everything is a windows 10 usual setup. No weird antivirus or firewall that I know of, and nothing else than windows defender is visible. Malwarebytes reports nothing wrong
Maybe you need to flush the DNS cache of your computer, then see if things work properly.

Re: Scam Page

Posted: 21 Jan 2020, 07:18
by tank
I'll fix this today

Re: Scam Page

Posted: 21 Jan 2020, 09:33
by DRocks
tank wrote:
21 Jan 2020, 07:18
I'll fix this today
Thanks guys have a great day

Re: Scam Page

Posted: 22 Jan 2020, 12:55
by tank
try clearing your cache and let me know if this still occurs

Re: Scam Page

Posted: 22 Jan 2020, 15:46
by DRocks
tank wrote:
22 Jan 2020, 12:55
try clearing your cache and let me know if this still occurs
I just did and it fixes it :)