First result on Edge brought to a shady website.

edited June 15, 2023
I had to install Zotero on a new computer so I just typed zotero and clicked the first link which is [REDACTED]

I just clicked the first download button and tried running it without thinking much. The installer itself didn't do anything (other than opening a window and closing it). For the longest time, I was confused as to why it wasn't installing (and I ran it multiple times as well). But I eventually figured out that it wasn't a legit installer. Heck, it wasn't even a legit site!

While I should probably have done my due diligence, I'm quite angry at Bing for showing a completely unrelated and possibly malicious result. Nonetheless, I wanted to bring this to the community's attention as well. And now that I've clicked the potentially malware-carrying installer multiple times, how worried should I be?

EDIT:
Redacted to not encourage others to visit.
  • Honestly, just don't use Bing. This has been an issue on and off with Bing for years, where they've shown spammy links about zotero.org for a search for "zotero". We've never seen it happen with Google. We've reported the sites before, and we'll do the same now, but that's about all we can do.

    An ad blocker will also hide results like this on Bing.

    No particular advice for you now, though. If you actually downloaded and ran a program from another site, you should definitely worry about what it did to your system.
  • edited June 15, 2023
    I'm a bit confused what you installed, though — I'm not seeing any installers on that site, just some spammy fake news stories.

    Do you mean that you clicked the "ZOTERO (free) download Windows version" link under "EXPLORE FURTHER" further down the page? That's certainly not legitimate and not something Bing should be showing, but for me it appears below the official Zotero site, various other sections on the official site, the official download page, and an additional link to the official download page.
  • edited June 15, 2023
    In the [REDACTED] website, there's a download button that redirects to [REDACTED] which downloads the fake installer.

    EDIT:
    Redacted to not encourage others to visit.
  • edited June 15, 2023
    Let's not encourage people to visit that site.

    I confess that I stole a peek at the site by connecting my iPad through a cellular connection and a VPN (away from my home network). The site served me advert pages with no download button.

    edit: Thank you for the redactions
  • I redacted the links from my comments to discourage others from visiting. But this is such a big problem, to be honest. Considering how most academics rely on Zotero, this seems like a perfect avenue for intellectual property theft. And the worst thing is how Microsoft allows it!

    I analyzed the binary in VirusTotal.com and it looks like the same file has been used as a Notion installer (presumably similar trick) as well. I begrudgingly have to give props to whoever came up with the idea of pushing paid scam web to popular search engines and phishing with exact look and feel.
  • Oh god — so on macOS and Linux that site just serves some spammy links, but on Windows it serves a pixel-perfect copy of the Zotero site with all links rewritten to point to a fake Zotero installer (Zotero-6.0.18_setup.exe). So there's a very good chance that many Windows and Bing users trying to install Zotero are currently installing malware.

    We've reported this and the other fake download link on the page, both as trademark violations and as malicious, but Microsoft says it may take them 3–5 days to review reports. Note that anyone can report an ad as malicious, so you should always do so if you see something like this.

    Thanks to @koiralp for bringing this to our attention.
  • OK, Microsoft took down the ad, and the issuer of the fake installer's code-signing certificate revoked it, which should prevent it from running.
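
For readers who want to check an installer they have already downloaded, the following is an added example (not from the thread participants or the Zotero project) that reports where Windows recorded the file as coming from and who signed it. The fake installer discussed above carried a code-signing certificate, so the script compares the signer against a publisher name you supply rather than trusting any valid signature. The script name `Test-DownloadedInstaller.ps1`, its parameter names and the helper `Test-OfficialHost` are hypothetical, and the expected publisher is an assumption you must take from the official project yourself.

```powershell
# Test-DownloadedInstaller.ps1 (added example; names are hypothetical)
param(
    [Parameter(Mandatory)] [string] $Path,
    # Assumption: publisher name taken by you from the official project.
    [Parameter(Mandatory)] [string] $ExpectedPublisher,
    # zotero.org is the official domain named in the thread.
    [string] $OfficialDomain = 'zotero.org'
)

function Test-OfficialHost([string] $Url, [string] $Domain) {
    $u = $null
    if (-not [uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$u)) { return $false }
    $h = $u.Host.ToLowerInvariant()
    # Exact domain or a true subdomain; "zotero.org.example" does not pass.
    return ($h -eq $Domain) -or $h.EndsWith(".$Domain")
}

# Mark of the Web: browsers store the download and referrer URLs in an
# NTFS alternate data stream named Zone.Identifier. It can be absent.
$motw = @{}
$zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
foreach ($line in $zone) {
    if ($line -match '^(HostUrl|ReferrerUrl)=(.+)$') { $motw[$Matches[1]] = $Matches[2] }
}

$sig     = Get-AuthenticodeSignature -LiteralPath $Path
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
$pubOk   = $subject.IndexOf("CN=$ExpectedPublisher",
               [StringComparison]::OrdinalIgnoreCase) -ge 0

[pscustomobject]@{
    File             = (Resolve-Path -LiteralPath $Path).Path
    SHA256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    HostUrl          = $motw['HostUrl']       # empty if no Mark of the Web
    ReferrerUrl      = $motw['ReferrerUrl']
    FromOfficialHost = Test-OfficialHost $motw['HostUrl'] $OfficialDomain
    SignatureStatus  = $sig.Status            # 'Valid' alone is not enough
    Signer           = $subject
    PublisherMatches = $pubOk
    # Run only if the signature verifies AND names the expected publisher.
    LooksLegitimate  = ($sig.Status -eq 'Valid') -and $pubOk
} | Format-List
```

A `FromOfficialHost` value of `False` with a populated `HostUrl` means the file was fetched from somewhere other than the official domain, which is the situation described in this thread.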