Does the 7-Zip author still refuse to digitally sign or even provide hashes of the official downloads? It's an extremely weird flex, he thinks it's a frivolous waste of time or something.
Yes, and I think this case gets somewhat more notoriety because the phishing site has the .com domain and the legitimate one has a .org.
Like it or not, .com adds perceived trustworthiness and works as a branding signal, especially in these times of VCs throwing large amounts of money at branding and buying 3 to 6 letter .com domains, but a small project like 7zip cannot afford that kind of expense.
The .com site serving malware aside, it's how people even get to downloading this. PC builder [...], USB stick [...], YouTube tutorial for a new build [...] instructed to download. Makes me wonder, is this how "PC builders" build PCs, or was this a regular user person. Archive managers are such basic software that I'd think surely someone would keep a stash of (trusted) installer files for the basic tools to be installed in a new environment. At least that's what we used to do, like, 25 years ago. Or use choco, winget or whatever. Malware hygiene habits remain almost unchanged - don't click that link.
It says the code signing cert has been revoked by now.
How does verification work? Only at installation time or will it prevent running the installed files later if installation happened when the cert was still accepted?
As a Linux user, used to get all of my software either through the distro's repository or Flathub, having to download software from sites when I run Windows makes me feel really queasy.
The only solutions for the malicious domain would be lawsuits or hactivism. As others have said it is blocked in uBlock by default which everyone should be using at a bare minimum.
20 comments
[ 4.0 ms ] story [ 51.3 ms ] threadLookalike websites serving malware have always existed. So this isn't exactly news. But the browsers are blocking them like they should.
Like it or not, .com adds perceived trustworthiness and works as a branding signal, especially in these times of VCs throwing large amounts of money at branding and buying 3 to 6 letter .com domains, but a small project like 7zip cannot afford that kind of expense.
Did they change it because of the negative publicity (Reddit) and will probably change back soon to the malware links?
An article from 2018:
https://www.bleepingcomputer.com/news/security/fake-websites...
And uBlock Origin's "Badware" filter blocks it:
https://github.com/uBlockOrigin/uAssets/blob/master/filters/...
How does verification work? Only at installation time or will it prevent running the installed files later if installation happened when the cert was still accepted?
Linux user asking out of curiousity...