Fake anti-virus team exploits September 11 anniversary

13 September 2009

Online scams related to holidays, global events, and popular news stories are common, but September 11 scammers really scraped the bottom of the moral barrel last week. Scareware scammers are using the eighth anniversary of the September 11 attacks to sell their fake anti-virus software to unsuspecting users.

Reports from several anti-malware vendors indicated that the FakeAV scareware team had used various websites, stuffed with keywords relating to the World Trade Center attacks, to lure users who had found them in Google search results to download fake anti-virus programmes that in fact are malware.

Sophos's Graham Cluley said that when one of the fake anti-malware sites was visited, its scripts checked the identity of the referrer. If the visitor came from a Google search page, the malicious webpage would present a fake anti-virus scan window to try to persuade the visitor that their PC had been infected by malware. It would then ask them to purchase the fake anti-virus product developed by the FakeAV team.
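A defender can test a suspect URL for the referrer check described above by requesting it twice, once directly and once with a Google search Referer, and comparing the two responses. The Python below is an added example, not code from Sophos, Trend Micro or the original article; the function names, the 0.6 similarity threshold, the Referer value and the two sample sites are constructed for illustration.

```python
import difflib
import urllib.request

GOOGLE_REFERER = "https://www.google.com/search?q=example"  # constructed value

def http_fetch(url, referer=None, timeout=10):
    """Fetch url, optionally with a Referer header; return (final_url, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read(200_000).decode("utf-8", "replace")

def check_cloaking(url, fetch=http_fetch, threshold=0.6):
    """Compare a direct visit with one that appears to come from a search page."""
    direct_url, direct_body = fetch(url, None)
    search_url, search_body = fetch(url, GOOGLE_REFERER)
    # Line-level comparison tolerates small dynamic differences (ads, timestamps).
    similarity = difflib.SequenceMatcher(
        None, direct_body.splitlines(), search_body.splitlines()).ratio()
    reasons = []
    if direct_url != search_url:
        reasons.append("redirect target depends on Referer")
    if similarity < threshold:
        reasons.append(f"body similarity {similarity:.2f} below {threshold}")
    return {"url": url, "similarity": similarity,
            "cloaked": bool(reasons), "reasons": reasons}

# Constructed stand-ins for two sites so the example runs offline.
def fake_cloaked_site(url, referer):
    if referer and "google." in referer:
        return url, "<html><script>showScanWindow()</script>Your PC is infected!</html>"
    return url, "<html><h1>Community gardening club</h1><p>Meeting notes.</p></html>"

def fake_honest_site(url, referer):
    return url, "<html><h1>Daily news</h1><p>Same page for every visitor.</p></html>"

if __name__ == "__main__":
    for name, site in (("cloaked", fake_cloaked_site), ("honest", fake_honest_site)):
        print(name, check_cloaking("http://site.example/page", fetch=site))
```

A differing response is a reason to inspect the page further, not proof of compromise, and a site that keys on something other than the Referer header will not be caught by this comparison.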

"Sometimes the hackers create brand new webpages (using newly registered domains), filling them with content that they hope will make them more popular in search engine results," Cluley said in a blog post.

However, many of the websites were legitimate ones that had been hacked and filled with 9/11-relevant keywords. Many URL-scanning services tend to trust well-established sites more than ones that have been recently created, which is why online criminals find it useful to compromise existing websites.

In its own blog post, Trend Micro advised people to rely on well-known news sites for links to web pages dealing with current events, rather than relying on search results that may have been poisoned.

The problem with that advice, however, is that online news services are known to have been compromised in the past. BusinessWeek was hit by an SQL injection attack a year ago, for example, and CNN has been victim to cross-site scripting attacks. CNET Asia has also been victim to SQL injection campaigns.

"TROJ_FAKEAV.BOH may arrive on the system as Scanner-7c545a_2031.exe from several malicious websites that can all be found in the poisoned Google search results," said Trend Micro threat response engineer Jessa De La Torre.

 
