deviantArt (or dA) is one of a number of popular sites for artists and creatives to share and connect with like-minded people. Art, photos, and tuts (short for “tutorials”) are regularly shared here. A short time ago, the website has started to sport a new logo and layout. dA will also be launching a mobile app for Android and iOS devices.

The site also has its share of online threats. In 2012, our very own Chris Boyd found a XSS (cross-site scripting) phishing run and fake software served on it. In 2013, Boyd found spam links being shared on the site that lead to various other sites.

Recently, we have found accounts created on dA that were about 1-2 weeks old spamming links of downloadable electronic books. Doing a simple search for downloadable PDF within the site shows these spammy posts:

scraps-resultsclick to enlarge

Below is a screenshot of a sample post:

Screenshot of dA spam postclick to enlarge

These posts are all categorized by the profiles under dA’s Scraps, and they contain links purporting to lead to azlibrary(dot)net, a site hosted in Germany and registered less than 3 months ago. Clicking the links, however, lead to a survey scam:

This slideshow requires JavaScript.

When one visits the aforementioned dot-net site, users are presented with a button to register. Clicking it also leads to the exact survey scam page. Let’s look at this for a while.

Below is the screenshot of gripnode(dot)co:

The gripnode dot co default page

We checked the hash of the file served on it and found that it’s a PUP. Malwarebytes Antivirus detects it as PUP.Optional.OutBrowse.

Here’s a list of just some of the spammy account names on dA we’ve seen:

  • mariastevens
  • yvoneart
  • zoombzz

Although that artists and creatives normally don’t share legitimate ebook links on dA to their followers, there are some who do. Be wary when visiting links on dA or anywhere else online.

Jovi Umawing