Fake Microsoft Security Scam

Posted on April 30, 2013 by gmilbourne

By Roy Tobin

Recently we have seen an increase in fake Microsoft scams, which function by tricking people into thinking that their PC is infected. With these types of scams there are a number of things to remember.

1.       Microsoft will never call you telling you that your PC is infected
2.       Never allow strangers to connect to your PC
3.       Do not give any credit card info to somebody claiming to be from Microsoft
4.       If in doubt, shut down your PC and call Webroot

The current scam will display a webpage that is very similar to the one in Figure 1. There are a number of ways to figure out that this is a false alert. The first is that it’s a website message and not a program; the second is that location of the web site will be a random string of letters.

More details: Continue reading →

’30 Rock’ Phrase ‘Circulus et Pruna’ Draws Fakealerts

Posted on March 30, 2010 by glhaldeman

By Andrew Brandt

Liz Lemon should be livid. Jack would be damned angry…in a quiet, repressed sort of way.

The rogue antivirus goons have taken on 30 Rock, the NBC meta-sitcom about the internal workings of a sketch comedy show.

In a subplot from last week’s episode (which I will recap for those who may have missed it), Alec Baldwin’s character teams up with one of the writing team to prank the rest of the writers. The two form a secret society named the Silver Panthers, and when the prank is successfully sprung on the unsuspecting writers, Baldwin’s character Jack begins to walk out of the room, but pauses, turns back to the victims, and ominously utters the (we assume) Silver Panther motto: “Circulus et Pruna.”

Latin scholars (who, I’m sure, are all ardent 30 Rock fans) probably chuckled when they heard Baldwin’s character utter the nonsense phrase “circle and (burning) charcoal (ember).” Or is it circle and plum? Meanwhile, the rest of us were left scratching our heads and wondering what the hell does that mean?

And so, turning to the font of all worldly knowledge, many Googled the phrase and may have been surprised to find that not one, not a few, but every search result on the first page (and most of the second page of results) led to a Fakealert trap that tries to force victims into downloading and running the installer for a Rogue Antivirus product.

The scoundrels.

It’s actually kind of an astonishing feat, as well as a horrific example of the current state of search results. When you consider that few, if any, outside Tina Fey’s production team had heard the phrase Circulus et Pruna uttered prior to last Thursday night at 9:30 (8:30 central), one has to wonder how the purveyors of these rogue antivirus products managed to wrest such total control of a nonsense Latin phrase from the world’s largest and (in theory) most comprehensive Internet search engine — mere moments after those words were spoken on television.
Continue reading →

Fakealerts Invade Google Image Search Results for ’24′ Star

Posted on January 27, 2010 by glhaldeman

By Andrew Brandt

Searchers beware: Those photos of celebrities or funny cat pictures that turn up in your Google image search results might not be photos at all, but fake antivirus alerts. Evidence appears to indicate that a similar scam to one we blogged about last November may be working its way up the Google food chain into other forms of search results.

While searching for photos of Annie Wersching, an actress who recently joined the cast of the TV show 24, we stumbled into one of these javascript-enabled fakealert browser traps. Oddly enough, when you click one of these bogus linked pictures in the Image Search results frame, the original Google search frame remains at the top of the page. The fakealert runs in the lower part of the page, closing the Google search pane but retaining the Google URL in the browser’s Address Bar.

Throughout the day we’ve been looking for links such as these; Each malicious URL we found funnels the browser into the same fakealert, which itself leads to the same rogue antivirus product. Each time we revisited the site, we ended up with what was essentially the same equally nasty rogue antivirus application, sometimes in a different skin, sometimes with a different name. Early in the day we were pulling down something called Total Security. By the afternoon, the tool’s name had morphed to become Security Tool.

The rogue’s behavior on an infected system is obnoxious in the extreme. It hides the desktop by covering everything over with its own wallpaper, and blocks your ability to right-click the desktop, so it’s more difficult to revert the desktop’s appearance by changing your Display Properties settings. It also disables the scroll wheel on the mouse, then blames that behavior on a massive infection it claims has taken over your PC. It prohibits most Internet-capable applications, or even tools like the Task Manager, from running, in the guise of its “firewall” component. Of course, it’s all smoke and mirrors, an attempt to convince you to spend from $50 to $90 on completely ineffective, utterly useless former-Soviet snake oil.

Continue reading →

Fakealerts: Building a Better Mousetrap

Posted on November 25, 2009 by glhaldeman

By Andrew Brandt

In general, the use of fakealerts – those bogus warnings that look like your PC has started some sort of antivirus scan on its own, then predict imminent doom if you don’t buy some snake oil product right this minute — is on the rise. Fakealerts constitute a particularly effective social engineering trick, earning the makers of bogus, ineffective “antivirus” programs millions of dollars (and the scorn of victims) in the process. So it should come as no surprise that the fakealerts themselves have gone through some technological advances in the past year.

In the past few months, the fakealert-makers have slowly been migrating their techniques to a new platform: The browser. As recently as six months ago, the majority of fakealerts we saw were generated by small Trojan Horse applications running on a victim’s PC. Today, most fakealerts we see simply reshape the browser to mimic the appearance of a generic antivirus application.

It makes good economic sense for the creators of fakealerts to do this. The Windows application fakealerts only run on Windows (obviously). Like all Windows software, fakealert apps subject to being blocked by both the operating system (which, like the fakealerts themselves, prompts users with warnings in dialog boxes), by real-time detection mechanisms in legitimate antivirus software, and/or by savvy users themselves.

One typical load-sequence for the components of a scripted fakealert

Using a scripting technology such as Javascript to reproduce the “fakealert experience” is a natural extension of the success of fraudulent, rogue antivirus products. After all, a fakealert is no more than an elaborate performance for the targeted victim — the goal of the fakealert is simply to convince the victim to download and run a file, typically a rogue antivirus product. Javascript can run in virtually every browser and operating system (save for special cases, like the Firefox browser with the NoScript Add-On installed).

Scripts such as these bypass most traditional malware protection because, in essence, there is no malware installed until the victim installs it his- or herself. Unlike a static binary executable, the contents of a script can be tweaked, on the fly, to maximize effectiveness (or just to change the name of the fraudulent product). And the scripts themselves which make up the Web fakealert experience are highly obfuscated, which makes them more challenging for automated systems to block.

In the course of researching a new malware sample unrelated to fakealerts — an installer of Trojan-Downloader-Dermo on a page purportedly offering an update to Windows Media Player — I observed one common fakealert script as it ran soon after the testbed PC was infected. I was able to reconstruct its modus operandi.

Continue reading →

Rogues Mug Big Bird on his Birthday

Posted on November 4, 2009 by glhaldeman

By Andrew Brandt

In a move sure to raise the ire of Sesame Street fans everywhere, the black hat SEO gangs that have been manipulating Google results for the better part of the year have seized on a new target from which they’ve launched their current salvo of rogue antivirus guano. That’s right, the lovable, giant jaundiced avian friend to child and adult alike is being used to hijack searches and rope unsuspecting users into a vortex of popups and fake scans.

They have besmirched Big Bird. And on his birthday, of all days. Have the rogue AV purveyors no shame?

Actually, they’ve just once again demonstrated that they, too, can take advantage of Google Trends, which rates the ‘hotness’ of searches for “Big Bird’s Birthday” today as “Volcanic.” It’s not surprising, really. Big Bird’s legs replaced the “L” in the Google logo this morning (in honor of the 40th anniversary of the popular character’s first Sesame Street appearance). So of course, people are clicking away at those feathered gams, trying to find out why they’re there.

The fake alerts touting the equally fake Internet Antivirus Pro warns users, through a series of browser popup alerts, that (like a fine strip of beef destined for the jerky factory) “your computer…need to be cured as soon as possible.”

The same advice we’ve given in the past prevails. Parents, also take note that you shouldn’t necessarily click — or let your kid(s) click — any old link that purports to lead to something child-friendly. The first link we saw appeared as the seventh search result on the first page of Google results. Many more appeared lower down. The text beneath the malicious result link read, in part, “Make your child s big day extra special with a personalized birthday banner!”

Continue reading →

Roman Polanski Arrest Spawns Headline-Hooking Rogues

Posted on September 28, 2009 by glhaldeman

By Andrew Brandt and Brenden Vaughan

As we’ve seen for the past several months, a celebrity ended up the top news story, which started a cascade of malware distributors racing to get their driveby pages to the top of search results. Today’s victim/subject is Roman Polanski, the renowned film director arrested on decades old charges of statutory rape. This kind of gossipy, tabloid headline is like candy for rogue antivirus distributors.

We began our search the minute we found out the news, and yes, within about half an hour of the story breaking, the pages began appearing in the search results on various engines. While some of the malicious pages were linked to search terms based on the name of the director, many also reference his victim, Samantha Geimer. The results redirect you into a fake virus scan page, which in turn leads you to a download of Windows PC Defender, a known rogue in the same vein as Antivirus 2010 and the other scam fantivirus tools so popular among Web criminals this year. Trojan-IM.Win32.Faker, indeed.

Not only does this rogue pretend to be an anti-malware tool, but it throws a monkey wrench into almost any existing protection, adding Image File Execution Options registry keys that prevent nearly all legitimate free and commercial antimalware tools from running. It also drops a Hosts file which prevents infected computers from contacting 12 payment processing domains associated with Antivirus 2010, and redirects all Google (including nearly 200 international Google domains), Yahoo, MSN, and Bing search results through a server belonging to search-gala.com, whose IP address is geolocated to an ISP in Brampton, Ontario, Canada (go Timberwolves!).

Not content to be a single-solution product, Windows PC Defender is a full faux-suite, offering completely fictitious desktop firewall results as well as antivirus. The rogue uses a modified copy of a free tool called Multi Password Recovery to extract your Windows license and display it in the firewall “alert,” presumably to raise the anxiety level of person who sees the “warning” message. The warning claims that “your computer is making an unauthorized personal data transfer” to an IP address assigned to NASA, which is currently not in use. Because everyone knows NASA wants your Windows license key, for, you know, space missions. amirite? Could an imaginary anti-phishing toolbar be around the corner? Who knows what’s next for these enterprising, though predictable, con artists.

Not to be outdone, distributors of black market drugs began using Twitter to spread ads as well, with an under-140-character tagline promising juicy Polanski-arrest news. We’ll keep an eye on the situation, but it’s probably best to steer clear of links to unfamiliar sites, especially those promising revealing or “previously undisclosed” pictures, movies, or other such nonsense.

One Click, and the Exploit Kit’s Got You

Posted on September 18, 2009 by glhaldeman

By Andrew Brandt

After all the brouhaha surrounding the NYTimes.com website hosting ads which spawned rogue antivirus Fakealerts last weekend, I spent a considerable amount of time looking at so-called exploit kits this week. These are packages, made up of custom made Web pages (typically coded in the PHP scripting language), which perform a linchpin activity for malware distributors. Namely, they deliver the infection to the victim, using the most effective methods, based on parameters which help identify particular vulnerabilities in the victim’s browser, operating system, or applications.

There’s no indication that an exploit kit was used by the attackers in the NYTimes.com incident, but it easily could have gone that way. All an exploit kit needs in order to begin the process of foisting an infection is for a potential victim to visit its specially crafted Web page. The end result is what we call a drive-by download.

According to reports, the code injected into the Times website’s ad calls simply spawned another browser window, which in turn displayed fake alert and virus scan results messages. It wasn’t even a website hack; the site’s ad sales department were fooled into accepting a paid advertisement containing the code.

This time, that browser window was used to trick the site’s visitors into executing, and eventually buying, the rogue product. It could have been far worse.

After spending a day investigating a relatively new package, which calls itself (with a total lack of irony) the Liberty Exploit System, it’s easy to see how something like what was done on the Times website could have led news enthusiasts down a much deeper, scarier rabbit hole.

Continue reading →

Rogues Impersonate Google, Firefox Security Alerts

Posted on August 7, 2009 by glhaldeman

By Andrew Brandt

In the past week, we’ve begun to see new fakealerts — those disturbingly effective, entirely bogus “virus warning” messages — that appear to impersonate the appearance and text of legitimate warning dialogs you might see while surfing with the Firefox browser, or searching Google. The dialog, in a stern, red dialog box on a gray background, reads “Warning! Visiting this site may harm your computer!” — a dialog that appears to be designed to evoke the look of a Google’s Safe Browsing advisory as displayed in Firefox.

Cast as a kind of split between a warning message and a clickwrap agreement, the text of the dialog box reads “This web site probably contains malicious software program, which can cause damage to your computer or perform actions without your permission. Your computer may be infected after visiting such web site. We recommend you to install (or activate) antivirus security software.”

At the bottom of the dialog box, two buttons, labeled “Continue Unprotected” and “Get security software” are preceded by the sentence “I do realize that visiting this site can cause harm to my computer.” I’d give them points for honesty, but I’d rather not give them points for anything.

Nothing happens when you click the “Continue Unprotected” button, and I’ll give you one guess what happens next when you click the “Get security software” button.

Continue reading →

Jackson/Fawcett Malware is Extortion-ware

Posted on June 26, 2009 by glhaldeman

By Andrew Brandt

As I reported yesterday, searches for information about the deaths of Michael Jackson or Farrah Fawcett were turning up links to malware. This came as no surprise to anyone, though the speed with which the links spread was astonishing: Within minutes of the first confirmation that Jackson had succumbed to a heart attack, the first malicious blog posts began popping up in search results. We’re continuing to monitor hundreds of malicious sites touting news of Jackson’s demise — and new malicious blogs are coming up as fast as the blog services can shut them off.

The first site we encountered that referenced Jackson appeared to be a personal blog post hosted on Google’s own Blogspot service. However, we quickly determined that something wasn’t right with the post. Just visiting the page spawned a tornado of background and foreground browser activity — over 100 URLs, mostly called from ad-host Yieldmanager by an automated script hosted elsewhere, were pulled down in just the first three seconds after the page loaded; The list grew to 500 URLs by the time 32 seconds had elapsed.

To illustrate the speed that the scripts embedded in the malicious blog post were loading ads, I captured this short video, which shows the amount of activity in about 60 seconds of permitting the page to load. I can only guess that the volume of URLs was limited by the fact that I had to click through some dialog boxes that appeared during the test. Another interesting thing is that between the time I began the video and the time it ended, Google had terminated the malicious blog account — for the moment, at least. The last page to load in the video is a Google ’404′ error message when I attempted to load the initial page a second time.

Some of the sites loaded by these malicious scripts also used browser exploits to damage the test system.

Continue reading →

Drive-by Downloads Still Pack a Punch – If You Click

Posted on June 24, 2009 by glhaldeman

By Andrew Brandt

In the course of surfing around, looking for ways to get infected, I stumbled upon a site that offers visitors downloads of key generators, cracks, and other ways to circumvent the process used by most legitimate software companies to prevent people who didn’t pay for the software from registering or using it.

And of course, I stumbled into a morass of malware.

Well, “stumbled” isn’t entirely accurate. The site is well-known to us as a host of drive-by downloads — it’s a site that uses browser exploits to infect your computer. But I went there anyway just to see what they’re driving-by with these days. Technically, the site didn’t burn us — it came from an advertising network, which loaded a script that bounced to three separate machines before landing my test PC in the hot seat. Cold comfort if your PC happens to get slammed with this junk.

Continue reading →

Webroot Threat Blog – Internet Security Threat Updates from Around the World

WEBROOT – INSIGHTS INTO THREATS AND TRENDS FROM OUR INTERNET SECURITY EXPERTS

Tag Archives: fakealert

Rogues Impersonate Google, Firefox Security Alerts

Drive-by Downloads Still Pack a Punch – If You Click

Follow “Webroot Threat Blog - Internet Security Threat Updates from Around the World”

WEBROOT – INSIGHTS INTO THREATS AND TRENDS FROM OUR INTERNET SECURITY EXPERTS

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Tell your friends:

Like this:

Follow “Webroot Threat Blog - Internet Security Threat Updates from Around the World”