Google ‘malware’ sponsored advert delivers fake anti-virus

July 15, 2010 by admin  
Filed under Security News

“Be careful what you ask for – you might get it.”


That’s the thought running through my head today after I searched for the word “malware” on Google.


As you’ll see in the following short YouTube video I made, a sponsored link right at the top of the Google search results points to a fake anti-virus website posing as a legitimate security company:


If you download the fake anti-virus program promoted on the website you risk infection by malware identified by Sophos as Troj/FakeAV-AOV.


Danger! Fake $50 iTunes certificate carries malware

May 10, 2010 by admin  
Filed under Security News


Amid all the usual attacks posing as delivery notices from DHL and FedEx this morning, I spotted some malware that had been spammed out posing as an Apple iTunes certificate for $50.


iTunes malware

The emails read as follows:

Subject: Thank you for buying iTunes Gift Certificate!
From: "iTunes Online Store" <software@itunes.com>
Attached file: iTunes_certificate_997.zip

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.


Running the attached malware can infect Windows computers. Clearly the hackers are hoping that, in your excitement about receiving a $50 iTunes gift certificate, you will throw caution to the wind and open the attachment.


Sophos detects the malware, contained inside a ZIP file, as Troj/BredoZp-AM and Mal/FakeAV-BW.


By Graham Cluley, Sophos


Removal tool for Mal/FakeAV-BW, Generic FakeAlert!hr, Packed.Win32.Krap.an (winupdate.exe, exec.exe, ppal.exe, MSe5ad.exe) Malware

May 9, 2010 by admin  
Filed under Removal Tips,Tools and Videos


Scareware hackers exploit McAfee false positive problem

April 23, 2010 by admin  
Filed under Security News

Hackers are exploiting a problem with McAfee’s anti-virus product that has caused hundreds of thousands of computers around the world to repeatedly reboot themselves.


The New York Times (and many other news outlets) have reported on the problems businesses suffered after a detection update issued by McAfee yesterday caused its anti-virus product to mistakenly detect a harmless Windows file, svchost.exe, as “W32/Wecorl.a” and caused computers to become inoperable.


To its credit, McAfee is discussing the problem on its online community forum, has apologised, withdrawn the buggy update, and advised customers on how to manually fix the affected computers.


But what might be making McAfee’s job of getting reliable information about the false positive problem out to the masses that much harder is that malicious hackers are exploiting the situation.


By using blackhat SEO techniques, cybercriminals have managed to get poisoned webpages high in the search rankings if you hunt for information on the McAfee false positive.

McAfee false positive problem exploited by hackers

If you click on a dangerous link like this then you risk your computer being hit by a fake anti-virus attack (also known as scareware), which may attempt to con you out of your credit card details or trick you into installing malicious code onto your computer.


Sophos detects the malware proactively as Mal/FakeAV-BW.


That’s the last thing you want to happen when you’re searching for advice on how to fix a problem with the other computers in your company.


And it’s not just McAfee’s false alarm problem that these hackers are exploiting. Looking a little deeper at the poisoned domains allows us to view a cache of hundreds of other pages that this gang has created around a wide range of topics.

SEO poisoning cache

Be careful out there, folks.


* Image source: peasap’s Flickr photostream (Creative Commons)

By Graham Cluley, Sophos


“Please attention!” fake DHL delivery emails contain malware

April 21, 2010 by admin  
Filed under Security News

It’s another day, which means (almost inevitably) there’s another malicious email campaign carrying a fake anti-virus attack.


Once again the bad guys are packaging their attack in an email which claims to come from DHL Delivery Services.


Please attention email pretending to be from DHL

A typical email, which has the subject line “Please attention!”, reads as follows:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.

Attached to the email is a file called label.zip, which Sophos detects as Troj/FakeAV-BEG. Even though there is some peculiar wording (and spelling) in the email it’s possible that some unwary users might fall into the hacker’s trap, and open the malicious attachment.


We are seeing many reports of this attack in our global network of traps right now.

Reports of the malware in Sophos's traps

If you receive one of these emails, don’t open the attached file, as you could be putting your computer at risk of infection and allowing hackers to compromise your PC.


By Graham Cluley, Sophos


Account notification email warning? Don’t follow the instructions

April 7, 2010 by admin  
Filed under Security News

If you’re returning to an overflowing inbox after the Easter holiday weekend, make sure that you don’t fall for the latest scam being distributed widely by spammers.


Emails claiming that recipients’ accounts have been temporarily suspended are being seen around the world today, attempting to trick users into believing that their email account has been accessed by somebody else.


The spammed-out emails try to hoodwink users into running the attached file (Instructions.zip) which is, predictably, carrying a malicious payload.

Malicious account notification email

Dear Customer,

This e-mail was send by example.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions

(C) example.com


In an attempt to make the email more convincing, the attackers reference the domain name (for instance, example.com) used by the recipients’ email account in the emails they are spamming out.


Sophos detects the malicious attachment proactively as Mal/FakeAV-BT and Mal/BredoZp-B, but users of security products from other vendors would be wise to ensure that they are properly updated and protected.


The hackers are once again using a tried-and-trusted social engineering trick (in this case trying to fool you into believing that your account has been compromised) to lure you into the serious mistake of opening the attached file.


Wiser computer users should have learnt by now that you should always be extremely suspicious of unsolicited attachments.


By Graham Cluley, Sophos
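The iTunes, DHL and account-notification lures above, like the Facebook one further down the page, all deliver their payload the same way: a ZIP attachment wrapping a Windows executable, sometimes dressed up with a document icon. As an added example, not code from any of these posts or from Sophos, here is a mail-gateway-style attachment check in Python; `build_sample` and the sample message values are constructed assumptions, not captured mail.

```python
import io
import zipfile
from email.message import EmailMessage

# File extensions a mail gateway should never find inside a "document" ZIP.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def build_sample(sender, subject, zip_name, inner_name, payload):
    """Constructed lure (an assumption, not a real capture): a message carrying
    a ZIP attachment that wraps `payload` under the name `inner_name`."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("You can find your certificate code in attachment below.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg


def attachment_findings(msg):
    """Return a list of reasons the ZIP attachments of `msg` look like malspam.
    An empty list means no ZIP-borne executable was found."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True)))
        except zipfile.BadZipFile:
            findings.append(f"{name}: not a valid ZIP archive")
            continue
        for info in zf.infolist():
            inner = info.filename
            with zf.open(info) as fh:
                head = fh.read(2)          # "MZ" marks a Windows PE executable
            exec_name = inner.lower().endswith(EXEC_EXT)
            if exec_name:
                findings.append(f"{name}: executable {inner} inside archive")
                if inner.count(".") > 1:   # e.g. label.doc.exe
                    findings.append(f"{name}: double extension on {inner}")
            elif head == b"MZ":            # PE content behind a document name
                findings.append(f"{name}: {inner} is a PE file disguised as a document")
    return findings
```

Checking the first two bytes catches the “EXE with a DOC icon” case even when the attacker renames the file, whereas extension matching alone would not.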


Related Blogs

    Removal tool for Mal/FakeAV-CO, Downloader-CEW (Vvavia.exe, Vdl.exe, Vdk.exe, Vdj.exe) Malware

    March 26, 2010 by admin  
    Filed under Removal Tips,Tools and Videos

    Submitted By Diego

    Removal tool for Suspect-1B!E4800A5BF6F6, Mal/FakeAV-BW (ave.exe) Malware

    March 18, 2010 by admin  
    Filed under Removal Tips,Tools and Videos


    Facebook Password Reset Confirmation emails carry malware

    March 18, 2010 by admin  
    Filed under Security News

    Today I received a Facebook Password Reset Confirmation email with the subject:


    "The Facebook Team" <service@facebook.com>


    It tells me my Facebook password was changed for safety reasons, then they want me to download the attached document to see the new password. The attachment (Facebook_document_145.zip) contains a virus called:


    • Mal/FakeAV-BW [Sophos]
    • Suspect-1B!E4800A5BF6F6 [McAfee]
    • Not Detected  [Kaspersky Lab]
    • Not Detected  [Microsoft]

    It’s an EXE file with a DOC icon.


    Be careful with these kind of emails and don’t run any attachments that you don’t trust.


    To download the removal tool: (Click Here)


    Hackers exploit Oscar film awards to spread scareware

    March 9, 2010 by admin  
    Filed under Security News


    Last night saw Kathryn Bigelow’s hard-hitting film “The Hurt Locker”, about a bomb disposal team in Iraq, scoop the major gongs at the Academy Awards. It probably shouldn’t be any surprise to hear that movie buffs around the world used the internet to keep track of who won which Oscars, and, sadly, that hackers would try and exploit the event.


    Internet users searching for phrases like “Oscars 2010 winners” may be putting the security of their computers at risk today, as some of the results returned by search engines can point to malicious webpages.


    By using SEO (search engine optimisation) techniques, hackers have created webpages that are stuffed with content which appears to be related to the 2010 Oscars, but are really designed to infect your computer.


    Malicious Oscar-related search results

    As you can see, information about the Oscars ceremony and award winners has been one of the hottest search topics overnight.


    Clicking on the dangerous links takes you to a page which pretends to scan your computer for security threats, trying to trick you into downloading malicious code and handing over your credit card details.


    Oscar scareware

    As Fraser Howard recently described on the SophosLabs blog, victims are redirected a number of times upon visiting from a search engine, before being taken to a webpage hosting a malicious script.


    Sophos detects the malicious scripts as Mal/FakeAVJs-A, and the fake anti-virus itself as Troj/FakeAV-AXS.


    Fake anti-virus attacks (also known as scareware) are nothing new, and it’s very common for hackers to exploit hot topics in an attempt to bring a steady stream of traffic to their infected webpages.


    By Graham Cluley, Sophos

