Beware: Photoshop Stalkers

by Fred Showker

Photoshop Madness

BEWARE STALKERS - DO NOT CLICKThis is a sad story. Sad, because sooner or later -- just for a few pennies -- the internet profiteers and cyber criminals are going to ruin it for everyone else. Now, not only are the Photoshop Tutorial replicator sites loading up with screen spam, stalker links, and layer after layer of roll-over blink ads and pop-unders -- something else is going on!

I was putting together next month's "Photoshop Madness" column, and this tutorial was one on my list to check. When I arrived, to my chagrin, it asks : "Are You A Human" ??? The overlay prevented my entry into the site until you had played a game ... like I wanted to play a game. I can't believe it. Obviously these are not really Photoshop people - nor anti-spam people, they've defamed BOTH in the name of a few pieces of gold.

I originally had clicked on a link at the Photoshop Roadmap site. Of course they probably don't check their links that well, or I'm thinking they would have nixed this one. (Although, a frequent scam by replicator site and domainer profiteers is to first launch a site in a popular genre, then after sufficient popularity and incoming links --SWITCH it to a 100% affiliate site, parked page or spam site so all traffic will generate income. They then replicate the original site under a new domain with new graphics, and start over. Thus the name "replicator" sites.)

Anyway, it went to Photoshop Roadmap's replicator affiliate site called Photoshop Mosaic. The link promised: "Oil painting photo effect - this tutorial will show you how to turn a photo into oil painting effect and put a collapse text into your artwork." So, I said okay, thinking this would be a good one to link to for Photoshop Madness. Boy was I fooled.

I arrive at a site called "Photoshop Garden" at Photoshop dash garden dot com. and the screen went darkened. I thought it was just going to be another of those interference ads you can just click "close" and it goes away. Not this time -- the dialog said ...

Are you a bot?

Hmmmmm. Well, since I'm an avid spam/bot fighter for UGN and Safenetting, I knew this is most likely bogus because any self-respecting bot whould have already scooped the code of the site and was busily moving on to the next site. Most people will believe this and click. Not wanting to play the game -- no longer even wanting the tutorial -- this thing had my curiosity, so I decided to click the HELP button.

malware link

Now, I've got'em pegged. "Complete a free survey" is one of the oldest come-ons on the internet. But it said complete the survey to prove I'm not a bot and the widget would be removed. There was even a little anti spam button at the bottom, making it look real official. The thing was being driven by "" on of those "Earn money from your website" vendors. It drove several scripts that will trap you until you click their ads -- or some other money-making scheme.

So, I sent it away, and returned to the previous screen, this time to click a link and check out the survey it's talking about. Wrong again. This time, I landed here ...

pop over

The new pop-up was indeed a game site. It briefly whisked through the URL, marking or stalking me, I guess. (Click above for the full look at the screen as this is happening.)

So, this dialog appeared saying I couldn't run the game because my computer doesn't have the resources. I know that's not correct since I'm running a TWO gigahertz processer with TWO gigs of ram -- this was probably another roadblock. But why all the roadblocks. OH NO...

Peeking behind the game site I see the original site has gone into an activity timer. Knowing how the malware and the cybercrime industry operate, I knew this could possibly mean something sneaky is going on in the background. Sure enough, a peek at the Mac's processing map, I see the CPU running wild as it would if something or someone is scanning the hard drive for information, or attempting to download something to the hard drive. Time to leave.

Locked from exiting

EXIT DENIED : This could mean trouble. Upon clicking the "leave" or "close" button, this dialog sprung up, all while the activities were still running in the background. Notice a cleverly written plea to keep my browser open on this site. What did they really want from me??? Why do they want this window left open??? Clicking cancel returned me to the progress bar -- and then back into the loop again. I quit the browser to release myself from this trap.

I checked the drive and found a number of files had been accessed -- none of which held any thing to do what so ever with the browser or the internet or Photoshop -- nor with any personal info. I never use auto-fill, or any other automated means of IDs and passwords, or charge-card numbers, so there's really nothing on the drive to steal. But it sure was looking hard for something. Likewise, since I'm on a Mac, there were no successful downloads or exe files present, and I did not get an OS alert for the owner key. Whew. I know I was tagged -- there were 16 new cookies from the likes of DoubleClick, and several from the "" people. But then again, as a spam tracker, I'm tagged all over the world. Except my cookies are flushed each time I launch the browser.

After some deeper research, I discover the domain registered in a masked account. This is a third party domain "service" who hides the identity of the owner of the site to elude detection -- yet another ploy used by spammers, cybercriminals and terrorists. Note the IP address assigned to this domain : = [ ] It's an IP Range Reserved by*, meaning a hijacked IP address, yet another classic symptom of cybercrime activities.

Dear readers : I only go to all this trouble to protect YOU, my readers. Since the Photoshop page is the most popular page in the site, you are obviously looking for Photoshop content. You'll probably be surfing Photoshop Roadmap, PS Tuts, Photoshop Mosaic and many of the others too.

BE CAREFUL. Particularly if you're on a Windows operating system, the above scenario is classic maleware and cybercrime symptoms. They stall you with the promise of something while they're scooping out your identity or loading malware onto your computer in the background.

If you do not land where you expected, or your landing is intercepted by some other action --- GET OUT OF THERE QUICK. Quit the browser if you have to.

Help fight cyber crime by buying, showing and giving away the Don't Click buttons DO NOT CLICK : and as always, do not click on ANY link, email or browser, unless you are very confident and you know where you are going. ALWAYS be weary of any pop-under windows - those that appear behind the window you are browsing. 9 Billion dollars in losses last year due to phishing and malware. Don't become a statistic for this year.

thanks for reading

Fred Showker

Don't forget ... we encourage you to share your discoveries about favorite or famous graphic designers and illustrators with other readers. Just contact me, and/or join the forums

30th Anniversary for DTG Magazine