Gamers beware! Crooks take advantage of MSI download outage


by Paul Ducklin

Well-known computer gaming hardware vendor MSI is warning of fake download sites ripping off its brand.

The company doesn’t just sell high-end graphics cards and gaming rigs, it also offers a free software product called Afterburner that it trumpets as “the gold standard of overclocking utilities.”

Overclocking is how enthusiasts describe the act of squeezing maximum performance out of their hardware by running it up to, at or even beyond the limits usually recommended by the component manufacturers.

For example, you might decide to run your processor faster than usual so it can perform calculations more quickly.

But that might cause it to overheat and shut down, so you might then try tweaking the operating voltage slightly to adjust the current draw and reduce the heating effect.

Then you might ramp up the speed of the fan to improve cooling, or try any of a number of trial-and-error tweaks in an edgy combination to eke out the best performance you can get without crashing the computer.

You can see why an overclocking tool that is not only endorsed by a hardware vendor but also developed and supplied by that vendor is a must-have for any avid gamer…

…but just right now, MSI’s “Afterburner Software download link is currently closed due to routine maintenance,” according to the company’s warning.

We verified the outage by visiting the download page: the [Download Afterburner] button is still there, but it doesn’t do anything. [2021-05-13T22:15Z]

The HTML behind the button doesn’t specify any download link, so clicking the button confusingly makes it look as though the site is broken rather than merely offline for maintenance.

According to MSI, a gang of cybercrooks stepped in to fill the temporary download vacuum, setting up a fake site that looked like an alternative download location, but serving up malware instead of the real deal:

MSI is informing the public of a malicious software being disguised as the official MSI Afterburner software. The malicious software is being unlawfully hosted on a suspicious website impersonating as MSI’s official website with the domain name [afterburner-msi DOT space]. MSI has no relation with this website or the aforementioned domain.

The good news is that when we last checked [2021-05-13T22:25Z], the malicious server named above was offline and therefore didn’t pose any immediate risk.

The bad news, of course, is that the crooks could easily move to another site, where over-keen gaming enthusiasts might encounter the same (or other) malware offered under similar false pretenses.

The other bad news is that MSI hasn’t yet put a warning on the download page itself, which is what we would have done: we’d have replaced the dud-and-dysfunctional download button with a warning not to go hunting on third-party websites for alternative sources of the download.

Impetuous users might go searching elsewhere even in the face of a clear explanation of the situation, but well-informed users almost certainly wouldn’t.

What to do?

This is a timely reminder of the risks associated with trawling the internet to find unofficial versions of software that you can’t get directly from the usual source.

Even if you’re not a software pirate who’s explicitly looking for an “unofficial” (read: unlawful) download of software that isn’t free, it’s tempting to go “off market” when the vendor’s own website isn’t working.

The problem, of course, is that unofficial download sources are just that: unofficial.

Even if an unofficial installer isn’t overtly malicious, it could nevertheless include some added “secret sauce”, such as an unwanted browser plugin or an advertising addon that the vendor’s own download doesn’t have.

Or you might be tempted to sidestep the temporary unavailability of a paid software product by using a cracked version instead.

It’s not legal to use pirated software, but it might feel morally acceptable (or, perhaps, not entirely unacceptable) to use a cracked version of a software package temporarily if you have paid for a licence, but can’t lay your hands on a legitimate installer just at the moment.

For an eye-opening description of what can go wrong if you decide to cut cybersecurity corners by trusting software that you shouldn’t, read the fascinating article MTR in Real Time: Pirates pave way for Ryuk ransomware on our sister site Sophos News.

Our advice is simple:

  • If you’re in a hurry and can’t get hold of software that you really need, don’t go snooping around where angels fear to tread. If it’s that important and it’s a work computer, speak to your IT department instead of trying to go it alone.
  • If you’re in a hurry and can’t get hold of software that you’d really like, consider waiting until it is available and managing without it until then.

In a recent SophosLabs report, we noted that the DarkSide ransomware gang (the crooks behind the recent Colonial Pipeline attack, along with many others) spend anywhere from just over six weeks (44 days) to just under three months (88 days) inside their victims’ networks, watching, waiting, planning and finally unleashing each attack.

If the crooks can show that kind of patience while they line up all the malicious components they need to destroy your network…

…we think it’s worth having a bit of patience yourself so that you don’t accidentally give those very same crooks a helping hand.

One last thing

While we’re here: if you find yourself in MSI’s position, with a download site that’s offline, please don’t leave a broken download button behind on your download page and publish a warning somewhere else.

Put the explanation and the warning right there on the download page itself, because a little bit of clarity goes an awful long way!
