Hi,
I tried to resolve this with Betfred support via the live chat thingy, and they didn't seem bothered and insinuated it was a false positive with my anti-virus software, without taking any details from me about the circumstances and additional steps I've taken to verify that something suspicious is going on and that it's not just an over-zealous anti-virus alert.
There's quite a lot of backstory about a previous PC crash I had, the subsequent rebuild, and a suspicion I had as a result of all this trouble.
To cut a long story short, I'd just wiped my Windows 10 PC back down to ground zero as a just-in-case measure, and what I'd found on Betfred was a result of reinstalling various apps I've used, but with a more paranoid approach of scanning each installer thoroughly with heuristics.
As an added measure I also installed a program called Hash Tool; this allows me to create a SHA-256 hash of any file and create a unique fingerprint.
So after installing the latest version of Malwarebytes, Hash Tool, my usual office apps, etc., everything is going well. I'm scanning each installer before I click them, checking signatures, rebooting and testing each app, and everything is going well.
Then I decide it's time to install Betfred again. I go to the official Betfred website, click poker, and note the various promotions for new players. Specifically a "£10 for new players!" i-frame which links to the SetupPoker.exe file.
I click it and download the exe.
Before I check it, I close the Chrome window. Being lazy, rather than opening my downloads folder I just open the website again, and this time I download the poker client from the Quick Links, Download link.
So now in my downloads folder I should have 2 copies of the same file, one named SetupPoker.exe and one named SetupPoker(1).exe, where Chrome has renamed the file because it's got the same name.
Here is where it gets spooky, and where by a stroke of luck I notice some weird stuff.
I scanned both, one came up clean, and the other infected!
The file sizes: identical.
The signatures: same date and time.
The SHA-256 hash? Completely different!
I try again, this time deleting the original files and downloading them individually to make sure it's not the renaming of the file causing a different SHA-256 hash. It's not, one is clearly dodgy!
I immediately contacted Betfred support via Live Chat and they were uninterested... and declined to take any details of my findings saying it was a false positive blah blah blah boilerplate etc.
I did some further testing and started getting mixed results: if I right click the bad link (it's a green button that says Free Download), copy the URL and paste it into the address bar, the SetupPoker.exe executable I get is the clean one; if I click on the same green Free Download button (Javascript?) it appears to go to the same URL, but the SetupPoker.exe executable has a different SHA-256 hash and is detected by Malwarebytes as suspicious.
-----------------------------
DETAILS OF GOOD FILE
To get it:
Open
https://www.betfred.com
Click on poker from the navigation bar at the top.
There is a little box about halfway down that says "£10 for new players!" if you click the green download button you will download the following file that is clean as far as I can tell.
Name: SetupPoker.exe
Size: 1,099,272 bytes
SHA-256 hash: c5105eca9cdadd75f058ea6b8a72dc27896b6352f6ecda18257d1feda80899c0
--------------------------
DETAILS OF BAD FILE
To get it:
Open
https://www.betfred.com
Click on poker from the navigation bar at the top.
Ignore the £10 promotion box, and instead scroll down to Quick Links.
Click download.
Click the green button that says "Free Download" and you will get the following file, which looks identical right down to the Playtech sigs, except this one has a different SHA-256 hash and gets detected as suspicious/malware by Malwarebytes.
Name: SetupPoker.exe
Size: 1,099,272 bytes
SHA-256 hash: b6fb33252e704539964a78207eb8b8077221df6864636d142695bd6b571ce9d6
-----------------------------
Any security/poker security experts that could perhaps shed some light on this?
There seems to be an element of clickjacking going on, because if I right click the "Free Download" button this yields the good file. Also, if I simply click the same "Free Download" link (without refreshing the page) it downloads the clean file instead, which suggests it's some sort of script redirecting me to the bad file, if that makes sense?
If anyone has any questions please fire away. I'd really like for someone else to confirm this for me, as I said Betfred support have been really unhelpful.
Thanks.
Last edited by 2BusyLurking; 12-27-2018 at 02:35 AM.
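The check the poster did by hand (same size, same signature date, different SHA-256) is exactly the kind of thing worth scripting so that anyone confirming the report gets a repeatable answer. The following is an added example, not code from the poster or from Betfred/Playtech: it hashes two files, compares them against a published hash (tolerating the spaces that forum software inserted into the hashes above), and, where the sizes match but the digests differ, reports where in the file the bytes diverge, which is the first thing an analyst wants to know before deciding whether a differing build is a repack or a tampered download. The two "installers" in the demo are constructed byte strings, not the real SetupPoker.exe, and the file paths in `compare_files` are whatever you point it at.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# The two digests as posted in the report above (spaces are a forum line-wrap artifact).
POSTED_GOOD_SHA256 = "c5105eca9cdadd75f058ea6b8a72dc27896b6352f6ecda1825 7d1feda80899c0"
POSTED_BAD_SHA256 = "b6fb33252e704539964a78207eb8b8077221df6864636d1426 95bd6b571ce9d6"


def normalize_hash(text: str) -> str:
    """Strip whitespace and case so a copied/wrapped hash compares cleanly."""
    return "".join(text.split()).lower()


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_expected(data: bytes, expected_hex: str) -> bool:
    """True if the bytes hash to the published digest."""
    return sha256_of(data) == normalize_hash(expected_hex)


@dataclass
class Comparison:
    size_a: int
    size_b: int
    sha256_a: str
    sha256_b: str
    first_diff_offset: Optional[int]  # None when the two blobs are identical
    diff_byte_count: int              # differing bytes, plus any length overhang


def compare_blobs(a: bytes, b: bytes) -> Comparison:
    """Compare two byte strings: sizes, digests, and where they first diverge."""
    common = min(len(a), len(b))
    first = None
    count = 0
    for i in range(common):
        if a[i] != b[i]:
            count += 1
            if first is None:
                first = i
    # A length mismatch counts every extra byte as a difference.
    overhang = abs(len(a) - len(b))
    if overhang and first is None:
        first = common
    count += overhang
    return Comparison(len(a), len(b), sha256_of(a), sha256_of(b), first, count)


def compare_files(path_a: str, path_b: str) -> Comparison:
    """Same comparison for two files on disk, e.g. the two downloaded installers."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return compare_blobs(fa.read(), fb.read())


# Constructed demo inputs: two equal-length blobs that differ in an 8-byte region,
# mimicking the "same size, different hash" situation in the report.
GOOD = bytes(range(256)) * 4
_bad = bytearray(GOOD)
_bad[512:520] = b"XXXXXXXX"
BAD = bytes(_bad)


def demo() -> Comparison:
    return compare_blobs(GOOD, BAD)


if __name__ == "__main__":
    r = demo()
    print(f"sizes: {r.size_a} vs {r.size_b}")
    print(f"sha256 a: {r.sha256_a}")
    print(f"sha256 b: {r.sha256_b}")
    print(f"first difference at offset {r.first_diff_offset}, {r.diff_byte_count} bytes differ")
```

Point `compare_files` at the two downloads to reproduce the poster's check; a non-`None` `first_diff_offset` with equal sizes is the signal that the two files are genuinely different builds rather than the same file under two names, and the offset tells you whether the change sits in the PE headers, the code, or an overlay appended after the signed region.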