FakeAV peddlers targeting computer professionals
Malware peddlers have a general preference for compromising legitimate sites in order to distribute their malicious wares.
Sometimes it is easier to compromise an existing site than to build a new one, not to mention that legitimate sites are usually better positioned in search results than brand new ones, and that their compromise might go unnoticed for a longer time.
But in the example brought forth by a TrendLabs engineer, the criminals have seemingly chosen the wrong targets.
Trying to unpack obfuscated JavaScript from a malicious .PDF file, he searched Google for a JavaScript unpacker tool. On the very first page of results, he was offered malicious links.
When he followed them, he was faced with a typical FakeAV warning claiming that his computer might be at risk of malware attacks and that a threat had been detected.
This kind of SEO poisoning technique has often been used by malware pushers, but this time it looks like poor judgement on their part: JavaScript unpackers are typically used by security professionals, and what are the odds of any of them falling for this old trick?