Flash-based rogue AV targets users
The business of pushing rogue AV software onto unsuspecting users is quite lucrative, so it’s no wonder that cyber crooks are still doing it.
But while most of the time users are saddled with scareware through drive-by exploits, every now and then the crooks still count on them to download the malware themselves.
In a recently discovered spam email campaign promoting fake AV, the links in the messages take users to one of over 300 compromised domains. Once users land on the page, a JavaScript message warning about a “critical process activity” prepares them for a fake scan, which immediately starts “running”.
“The page uses Flash making it look more convincing with realistic icons, progress bars, and dialog boxes,” say the researchers. “Unsurprisingly, the fake antivirus detects plenty of viruses. Decompressing the Flash file and analyzing it shows a huge list of files contained within it. The Flash movie then simply picks some of these at random and claims they are infected (with equally random virus names).”
Users are then offered the option of removing all the found malware, but if they choose not to, they are bombarded with warnings about an imminent system crash and urged to change their decision.
If they do choose to remove the malware, they are offered a “Windows Risk Minimizer” for downloading and, once run, the fake solution does seem pretty legitimate. It also runs a scan and, unsurprisingly, finds that the system is overrun with malware.
If the users still fail to proceed to buy a subscription for the solution and simply close the window, the fake AV will constantly annoy them with pop-up warnings and balloon messages saying that a program has been blocked from stealing their data or that identity theft is in progress, or even try to scare them with the threat of prosecution.
Of course, it claims that all these problems can be solved by simply buying a lifetime subscription and support for the fake AV. To do that, they only have to shell out $99,90.
Users are advised to regularly update their OS, browser and AV solution in order to minimize the risk of getting infected with this or other kinds of malware.