Fake AntiVirus Mimics Real AV Products: Kaspersky

Cyber criminals behind fake antivirus software are getting much better nowadays at copying the look and feel of legitimate antivirus products, Kaspersky Lab has warned.

This is making it harder for victims to tell whether they are being scammed or not.

Mimicking Genuine AV

A fake antivirus website was found specially designed to mimic the interface for antivirus products from Kaspersky Lab, Symantec’s Norton and Avira, Dmitry Bestuzhev, an antivirus researcher at Kaspersky Lab, wrote on the SecureList blog 29 November. The initial infection was triggered by a dropper Trojan that downloaded onto the user’s computer the fake screen that closely resembled legitimate software.

In the past, rogue antivirus products were fake screenshots taken from a generic template. “These fakes didn’t claim to find any infections – the victim was simply ripped off after paying for a useless product,” said Bestuzhev. A recent version observed by Kaspersky Lab simulates the actual scanning process on the victim’s PC, he said.

Kaspersky Lab researchers noted at the beginning of the month a “substantial decrease” in the number of fake antivirus programs since earlier this year. There were 10,000 daily attempts to infect users with fake antivirus, down dramatically from the 50,000 to 60,000 daily attempts back in June, according to Vyacheslav Zakorzhevsky, a senior malware analyst in Kaspersky Lab’s heuristic detection group.

However, lately there appears to have been a resurgence of fake AV links, according to McAfee.

The legitimate-looking scareware is a big problem during the holiday shopping season as fake AV is one of the most common and dangerous Internet threats, McAfee said. Users are being warned to be on the lookout for scams and fake deals and instructed to download and update security software. A user trying to be proactive may not realize he or she is downloading a fake tool that does nothing to protect the machine.

Zakorzhevsky also noted how some versions of fake software mention cloud protection, “apparently trying to take advantage of a fashionable new concept.” Many security vendors have recently updated their antivirus and security suite to include a cloud element where suspicious software is scanned in the cloud, and malware developers are pretending to have similar capabilities.

Phishing Campaigns

In addition, Kaspersky Lab recently warned of a phishing campaign that pushes an “Antivirus & Security Complete Antivirus Protection Solution.” The scammers did a “good job,” sending out an email that looked like an official Kaspersky email with a URL that looked like it could come from Kaspersky Lab, according to Maria Namestnikova, a senior spam analyst for the content filtering group at Kaspersky Lab.

Victims who clicked on the link in the mail were directed to a website that instructed them to enter credit card details and email address in order to buy the Kaspersky product.

Namestnikova and Zakorzhevsky warned users to “proceed with caution” if prompted with notifications about “Windows errors” or “system infections” and recommended users go directly to the vendor site to buy security software instead of clicking on links.

The FBI has estimated losses caused by scareware at over $150 million (£96m). Zakorzhevsky has seen deals on underground forums where cyber-criminals invite others to become distributors and earn $25 (£16) for every scareware that is installed and paid for. The distributor receives a little over a third of the total price paid by the victim, and the rest of the money goes to the scammers actually running the operation, he said.