Hi,
I discovered today two counterfeit balenaEtcher websites. One may have been used to distribute malware, while the other is probably only making ad revenue by linking back to GitHub (in order not to boost their ranking, I will be posting screenshots and redacting direct links).
First offender: etcher [dot] net
The website uses screenshots from balenaEtcher:
At the time of writing, this website is the 8th result when searching “etcher” on Google.
Following download links redirects to this page:
Then this page (https://freewareuploads [dot] xyz/file/etcher-setup.php):
This last page doesn’t result in any download, but probably used to, based on this user post on the forums:
This website seems to have started around September 2020 based on WordPress upload URLs (https://www.etcher [dot] net/wp-content/uploads/2020/09/Etcher.jpg), and started circulating in October 2020 based on this Reddit thread and the Internet Archive's Wayback Machine:
https://old.reddit.com/r/linux4noobs/comments/jlshwe/do_not_download_etcher_from_etchernet/
The domain has been registered with Namecheap since July 2020:
Second offender: etcher [dot] download
This website ranks 7th when searching “etcher” on Google.
This website seems to be piggybacking on balenaEtcher's popularity, using a different approach. They serve ads on the website, but the download section directly links to the GitHub repository downloads.
This looks less dangerous, but nothing is stopping the owner from linking to their own malware as well. This website also uses WordPress and the dates look more recent (https://etcher [dot] download/wp-content/uploads/2020/12/7-1024x665.png).
The domain has also been registered with Namecheap since July 2020:
Conclusion
Given that both websites share so many similarities in their design, CMS, registrar and DNS provider, I think it is safe to assume both websites originate from the same individual.
While there is no proof that any of those websites used to or will distribute malware, it is still a real possibility, which could harm users as well as balena's image.
I reported those websites using Google’s safebrowsing report form. Hopefully balena can act on this as well, placing complaints with Namecheap and Cloudflare.
Maybe a phishing warning in balenaEtcher, signing the binaries, or even detecting if the software was repackaged during installation?
Cheers
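An added example, not part of the post above: a small Python triage helper that applies the two checks the report relies on, dating a WordPress site from its `wp-content/uploads/YYYY/MM/` paths and checking whether a site's download links point at the official GitHub releases of balena-io/etcher or at a third-party host. The sample URLs are constructed for the example, and the GitHub release path uses a placeholder version.

```python
import re
from urllib.parse import urlparse

# Constructed sample of links as they might be scraped from look-alike sites.
# Paths are illustrative placeholders, not copied from the real pages.
SAMPLE_LINKS = [
    "https://www.etcher.net/wp-content/uploads/2020/09/Etcher.jpg",
    "https://www.etcher.net/wp-content/uploads/2020/10/screenshot-2.png",
    "https://freewareuploads.xyz/file/etcher-setup.php",
    "https://etcher.download/wp-content/uploads/2020/12/7-1024x665.png",
    # vX.Y.Z is a placeholder, not a real release tag.
    "https://github.com/balena-io/etcher/releases/download/vX.Y.Z/balenaEtcher-Setup.exe",
]

# WordPress stores media under /wp-content/uploads/<year>/<month>/ by default,
# so the oldest such path gives a lower bound on when the site was set up.
WP_UPLOAD_RE = re.compile(r"/wp-content/uploads/(\d{4})/(\d{2})/")

# Only the project's own GitHub repository counts as an official download source.
OFFICIAL_HOST = "github.com"
OFFICIAL_PATH_PREFIX = "/balena-io/etcher/"


def earliest_wp_upload(urls):
    """Map each host to the earliest 'YYYY-MM' seen in its WordPress upload paths."""
    earliest = {}
    for url in urls:
        parsed = urlparse(url)
        match = WP_UPLOAD_RE.search(parsed.path)
        if not match or not parsed.hostname:
            continue
        stamp = f"{match.group(1)}-{match.group(2)}"
        host = parsed.hostname
        # 'YYYY-MM' strings compare correctly as plain strings.
        if host not in earliest or stamp < earliest[host]:
            earliest[host] = stamp
    return earliest


def classify_download(url):
    """Return 'official' for balena-io/etcher GitHub links, else 'third-party'."""
    parsed = urlparse(url)
    if parsed.hostname == OFFICIAL_HOST and parsed.path.startswith(OFFICIAL_PATH_PREFIX):
        return "official"
    return "third-party"


if __name__ == "__main__":
    print(earliest_wp_upload(SAMPLE_LINKS))
    for link in SAMPLE_LINKS:
        print(classify_download(link), link)
```

A download link that resolves to a third-party file host is the signal worth escalating; an "official" result only says where the link points today, not that the site is trustworthy.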