Scam Page

Discussion about the AutoHotkey Foundation and this website
User avatar
nnnik
Posts: 4500
Joined: 30 Sep 2013, 01:01
Location: Germany

Scam Page

20 Dec 2019, 08:22

A scam page at autohotkey.fr is impersonating our AutoHotkey.com website.
It will download and install malware.
It seems to target players of a specific MMORPG but it might be more.
More information will follow - for now please avoid the site and warn people to not visit the site.
Recommends AHK Studio
User avatar
SyntaxTerror
Posts: 45
Joined: 23 May 2017, 12:55

Re: Scam Page

12 Jan 2020, 09:10

As for now, the website has been suspended.
User avatar
joedf
Posts: 8940
Joined: 29 Sep 2013, 17:08
Location: Canada
Contact:

Re: Scam Page

13 Jan 2020, 10:41

Thats good to hear :+1:
Image Image Image Image Image
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
DRocks
Posts: 565
Joined: 08 May 2018, 10:20

Re: Scam Page

17 Jan 2020, 16:44

recently, I've been redirected to this page a few times.
Can't access forums without getting the gotcha.js page
gregster
Posts: 8920
Joined: 30 Sep 2013, 06:48

Re: Scam Page

17 Jan 2020, 17:14

DRocks wrote:
17 Jan 2020, 16:44
recently, I've been redirected to this page a few times.
To the (now suspended) scam page autohotkey.fr ? Redirected from where?
DRocks wrote:
17 Jan 2020, 16:44
Can't access forums without getting the gotcha.js page
You might want to expand on that... I am not sure what gotcha.js page refers to (well, the admins might know perhaps). Or do you mean captchas?
User avatar
joedf
Posts: 8940
Joined: 29 Sep 2013, 17:08
Location: Canada
Contact:

Re: Scam Page

17 Jan 2020, 18:19

I don't know :b
Image Image Image Image Image
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
DRocks
Posts: 565
Joined: 08 May 2018, 10:20

Re: Scam Page

17 Jan 2020, 20:51

Sorry guys, I mean that - just by clicking the same google bookmark for autohotkey.com which lands normally on the home page - it happens that when I click on the forum link I will get a JavaScript message in a blank webpage.
Its gotcha.js script and it says that a scam page is trying to redirect me to a fake .fr site.
But Im using that same autohotkey.com bookmark for 2 years so I suppose its not on my side?

Btw, that gotcha.js page is the reason I came to this thread. The link to this is in the page and its the only way I can get back on the forums.
gregster
Posts: 8920
Joined: 30 Sep 2013, 06:48

Re: Scam Page

17 Jan 2020, 21:12

Never heard of it, never seen it, can't reproduce it. Why would you be redirected by autohotkey.com to the fake, now defunct fr-website and at the same time be warned ?
We never knew of this website before someone made us aware of it, afaik, and consequently reported it to get it taken down.

I guess, the gotcha page might get created by the the fr-site's domain provider who has taken it down after we reported it, for people who would still get there via a redirect... 🤷‍♂️ Any information there about the message's origin ? Does it say something about LWS.fr (which would be the involved domain provider) ?

The fake site's forums sections seems to have silently redirected to our forums - but perhaps still under the fr-address (possibly "just" providing compromised AHK downloads) ... so perhaps your bookmark was always corrupt :eh: (I don't know how long this scam was going on).
Btw, since when is this happening? If it started recently, around the time the page was taken down, it would make sense that you suddenly wouldn't be redirected to our forums anymore by using a fake bookmark. Which URL is in the bookmark's properties?

Anyway, what you are describing, sounds highly suspicious. In your position, I would thoroughly check my computer for malware.
Perhaps your bookmark (or browser or whatever) was altered by malicious software... something is not right, I am sure.
User avatar
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX
Contact:

Re: Scam Page

18 Jan 2020, 11:24

Ill double check everything tonight
We are troubled on every side‚ yet not distressed; we are perplexed‚
but not in despair; Persecuted‚ but not forsaken; cast down‚ but not destroyed;
Telegram is the best way to reach me
https://t.me/ttnnkkrr
If you have forum suggestions please submit a
Check Out WebWriter
DRocks
Posts: 565
Joined: 08 May 2018, 10:20

Re: Scam Page

18 Jan 2020, 14:33

I'm not able to reproduce here at my home copmputer but it happenned at work 2 times this week (using a shared bookmark on my google account which is logged in at home and at work too)

The url is exactly : https://autohotkey.com/boards/
In fact, I used this exact bookmark to reply to you right now and all was good as it usually is.

I ran malwarebytes maybe at the beginning of the week at work and there was nothing found. Not a eprfect thing but atleeast it covers most possible malwares
gregster
Posts: 8920
Joined: 30 Sep 2013, 06:48

Re: Scam Page

18 Jan 2020, 19:25

That's odd. But possibly tank can spot something.
User avatar
haichen
Posts: 631
Joined: 09 Feb 2014, 08:24

Re: Scam Page

19 Jan 2020, 07:52

I bookmarked https://autohotkey.com/boards/ a long time ago. It never led me anywhere else. I usually use the link several times a day.
DRocks
Posts: 565
Joined: 08 May 2018, 10:20

Re: Scam Page

20 Jan 2020, 10:16

It just happened when I got to work now:

Chrome Bookmark = same as before and same as at my home = https://autohotkey.com/boards/

resulting page = https://www.autohotkey.com/boards/assets/javascript/gotcha.js
content =
var msg = "Dear visitor. This domain autohotkey.fr is trying to trick you. The official domain is autohotkey.com.\n\n";
alert(msg );
//location.href = "https://www.autohotkey.com/boards/viewtopic.php?f=2&t=70926"

The computer I am usin g at work is connected to a network with our 4 work computers, otherwise everything is a windows 10 usual setup. No wierd antivirus or firewall that I know of, and nothing else than windows defender is visible. Malwarebytes reports nothing wrong
gregster
Posts: 8920
Joined: 30 Sep 2013, 06:48

Re: Scam Page

20 Jan 2020, 12:54

I see. I think that page is or was meant to prevent scammy redirections to (or from ?) the .fr-website.

Why this would trigger in your case, I am not sure. I still haven't seen this page in the wild. Now that the fr-domain is blocked by the provider, it's perhaps not relevant anymore. That might be a question for our admins.

Perhaps it's a cache or proxy issue that you still see it.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: Scam Page

21 Jan 2020, 03:46

DRocks wrote:
20 Jan 2020, 10:16
It just happened when I got to work now:

Chrome Bookmark = same as before and same as at my home = https://autohotkey.com/boards/

resulting page = https://www.autohotkey.com/boards/assets/javascript/gotcha.js
content =
var msg = "Dear visitor. This domain autohotkey.fr is trying to trick you. The official domain is autohotkey.com.\n\n";
alert(msg );
//location.href = "https://www.autohotkey.com/boards/viewtopic.php?f=2&t=70926"

The computer I am usin g at work is connected to a network with our 4 work computers, otherwise everything is a windows 10 usual setup. No wierd antivirus or firewall that I know of, and nothing else than windows defender is visible. Malwarebytes reports nothing wrong
Maybe you need to flush the DNS cache of your computer, then see if things work properly.
User avatar
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX
Contact:

Re: Scam Page

21 Jan 2020, 07:18

Ill fix this today
We are troubled on every side‚ yet not distressed; we are perplexed‚
but not in despair; Persecuted‚ but not forsaken; cast down‚ but not destroyed;
Telegram is the best way to reach me
https://t.me/ttnnkkrr
If you have forum suggestions please submit a
Check Out WebWriter
DRocks
Posts: 565
Joined: 08 May 2018, 10:20

Re: Scam Page

21 Jan 2020, 09:33

tank wrote:
21 Jan 2020, 07:18
Ill fix this today
Thanks guys have a great day
User avatar
tank
Posts: 3122
Joined: 28 Sep 2013, 22:15
Location: CarrolltonTX
Contact:

Re: Scam Page

22 Jan 2020, 12:55

try clearing your cache and let me know if this still occurs
We are troubled on every side‚ yet not distressed; we are perplexed‚
but not in despair; Persecuted‚ but not forsaken; cast down‚ but not destroyed;
Telegram is the best way to reach me
https://t.me/ttnnkkrr
If you have forum suggestions please submit a
Check Out WebWriter
DRocks
Posts: 565
Joined: 08 May 2018, 10:20

Re: Scam Page

22 Jan 2020, 15:46

tank wrote:
22 Jan 2020, 12:55
try clearing your cache and let me know if this still occurs
I just did and it fixes it :)

Return to “About This Community”

Who is online

Users browsing this forum: No registered users and 87 guests