A Flash animation imitates a system scan to make everything look more realistic

Mar 23, 2012 15:28 GMT  ·  By

While cybercriminals usually prefer to spread scareware through drive-by exploits, in the latest campaign they turned to spam emails to advertise fake antivirus programs.

Symantec has come across a shady application called Windows Risk Minimizer, which is hosted on over 300 compromised websites, to which the links in the malicious emails point.

In the initial phase of the infection, when one of the compromised sites is visited, the user is alerted to “critical process activity” by a so-called Windows Secure Kit 2012.

After the OK button is hit, a fake scan starts, purporting to detect worm and Trojan infections that threaten the computer.

The biggest difference between this fake AV and the ones seen previously is that in this case the phony scan is actually a Flash animation that assigns random virus names to random files listed within it.

The next stage is a summary of the scan, displayed in a window that is also highly sophisticated compared to other such products. Not only can the individual infections be selected and unselected, but the window can also be moved around on the screen.

At this point the victim has two options. He/she can either press the Cancel button, which triggers a confirmation pop-up that further warns of dangers, or the Remove All button.

If the latter is clicked, a professional-looking screen that promotes the Windows Risk Minimizer is presented, continuously warning the user of threats and infections.

By now, the computer has been infected with the scareware and the user is constantly bugged with false notifications. The alerts that pop up on the screen warn of Google Chrome infections and accuse the user of breaching the SOPA legislation.

If the mitigation buttons are clicked, the victim is presented with a payment form that requests credit card and other sensitive information.

Users are advised never to trust such software and always ensure that their protection software is up-to-date, since in most cases it will detect these threats and block them from infecting the system.

Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile.