Dangerous fake KMS activation websites

ghost commented 4 months ago

Prerequisites

[X] This is NOT a YouTube, Facebook, Twitch or a shortener/hosting site report. These sites MUST be reported by clicking their respective links.
[X] I read and understand the policy about what is a valid filter issue.
[X] I verified that this issue is not a duplicate. (Search here to find out.)
[X] I did not remove any of the default filter lists, or I have verified that the issue was not caused by removing any of the default lists.
[X] I did not enable additional filter lists, or I have verified that the issue still occurs without enabling additional filter lists.
[X] I do not have custom filters/rules, or I have verified that the issue still occurs without custom filters/rules.
[X] I am not using uBlock Origin along with other content blockers.
[X] I have verified that the web browser's built-in content blocker/tracking protection, network wide/DNS blocking, or my VPN is not causing the issue.
[X] I have verified that other extensions are not causing the issue.
[X] If this is about a breakage or detection, I have verified that it is caused by uBlock Origin and isn't a site issue.
[ ] I did not answer truthfully to ALL the above checkboxes.

URL(s) where the issue occurs.

kms-full.com
kmspico.ws
kmspico.io

Description

These websites deceives users into downloading malware by making them believe they are installing a legitimate Windows activator.

Other extensions used

none

Screenshot(s)

Configuration

Details

```yaml ```

MasterKia commented 4 months ago

https://github.com/uBlockOrigin/uAssets/issues/24193#issue-2364500987

JobcenterTycoon commented 4 months ago

Most files are detected as a "HackTool" on virustotal.

ghost commented 4 months ago

I also found yasir-252.net, which appears to be more malicious than yasir252.com.

MIOGMIOG commented 4 months ago

(This comment will be talking primarly about KMSpico, but it applies to 99% of other windows/office "activators" as well) Hello, this is kinda like fitgirl repacks situation, where there are many fake websites pretending to be the original. (but KMSpico doesn’t have any website in the first place, the original is a forum post from 2013 on Mydigitallife forums), so I suggest adding wildcard filters, that can be added to Badware risks filter (not just for kmspico, but for other fake activator websites) (there is also malwarebytes blog post about fake kmspico websites if someone is interested I guess: https://www.threatdown.com/blog/kmspico-explained-no-kms-is-not-kill-microsoft/)

uBlockOrigin / uAssets