Is a pop-up ad from optimize-app.com a new type of attack?

Yesterday, while reading an article in Pulse on my iPad, I was interrupted by a pop-up ad (below), seemingly from optimize-app.com. The pop-up was modal, blocking all use of Pulse. I turned on airplane mode (just in case), clicked the OK button and the pop-up disappeared without trying to load another web page. A few minutes later, the pop-up re-appeared.

optimize.app_.popup_.crop_.jpg

The first optimize-app.com interruption came while using the web browser in Pulse to display an article at the Ars Technica website. The second time I was using Safari to view a page at CNET.com. Safari had many open tabs, so I suppose its possible the popup originated from any one of them. As with Pulse, the pop-up ad blocked Safari completely, I could not even switch tabs until pressing the OK button. 

Later in the day, the same pop-up appeared while viewing yet another website in Safari.

Despite appearances, the ad did not come from optimize-app.com.

I use a free service from OpenDNS in my router that lets me block domains. The service also generates reports, and a check of all the activity for the day turned up no references to optimize-app.com by any computing device connected to the router. 

So why the decoy? That is, why does the pop-up look like it came from optimize-app.com when it did not?  

My guess is that the true purpose of the pop-up ad is to prod victims into on-line searches. A Google search for "optimize-app.com" returns very interesting results. The search results could well qualify as an attack. 

They include page after page with advice about removing optimize-app.com. This despite the fact that I searched for just the domain name, not for removal advice. 

The nature of the search results are immediately obvious to anyone using the free browser plugin WOT (Web of Trust). I have used WOT for years and have come to depend on it and trust it. 

Note: WOT is not available on iOS.

The search results were unlike any I have seen before. Page after page of bad websites.

WOT offers what they call "reputation ratings". Websites are rated good (green), bad (red), be cautious (yellow) or totally unknown (gray question mark).WOT ratings can't be perfect, of course, but in my experience they have been spot on almost every time.

When visiting a site with a WOT enabled browser, the rating appears as a circle on the address bar. More useful however, are the ratings that appear in search engine results, before you visit a site. In the screen shot below, the WOT ratings are the colored circles on the far right. 

optimizeapp_search.results497.gif

Google searches normally produce results chock full of green rated websites. For example, the first twenty results of a search for "George" includes 19 safe/green sites and one unknown site.

A search for "optimize-app.com" however produces the exact opposite (sample above). Page after page of results were rated bad, unknown or unsatisfactory. The game had been rigged. Very few known safe websites had anything to say about optimize-app.com.

On top of this, the first search result from a known safe website could well be bogus. The site was norton.com but the page was part of their community forum. Rather than offering advice from Symantec, the suggestion there is from an unknown person. 

Perhaps this is a scam is to get people to pay for malware/virus removal. Perhaps the goal is to trick people into downloading malicious software. Some of the suggestions involve editing the Windows registry, so perhaps someone is out to trick people into bricking their computers. Or, the goal could be to make a commission selling legitimate antivirus software. 

The pop-up ad could well be innocuous, but attempting to eliminate it could be dangerous. 

If this is a scam, it was done on the cheap, many of the search results are free Blogger websites. 

Lending further credence to the theory that the search engine results are the attack, is the optimize-app.com website. It barely exists. Anyone wanting more information about it is thus bound to do a search. 

Visiting optimize-app.com (no WWW) returns a page not found error (below). 

optimizeapp.homepage404_0.jpg

Visiting www.optimize-app.com returns what appears to be the default page produced by a new installation of web server software. 

optimizeapp.homepage497.gif

Search for optimize-app.com on Bing and the result is "We would like to show you a description here but the site won’t allow us."

The domain was created about a month ago and was registered at GoDaddy for a single year, an investment of less than $10. 

I have not examined the search results in great detail, that's best left to malware experts. Still, it's no surprise that the search results were aimed at Windows users. Nothing offered virus removal for iOS :-) 

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.