Today we saw a hockey statistics website that had been compromised - it was redirecting via several hops to a fake anti-virus site detected as Mal/FakeAvJs-A, and was popping up the following message (click to enlarge):
If you do go for their free scan, surprise surprise it finds malware on your computer. In fact there's a config file on the site, telling you exactly what malware it's going to find, and where:
If you're further inclined to download their "product", you'd find we already detect it as Mal/FakeAV-I.
This wasn't the only site we saw compromised like this today, the others pointing to the exact same fake anti-virus website after a number of hops, as if somebody had recently flicked a switch and set a number of websites redirecting in this manner.
Interestingly you don't get redirected if you go to the site directly - it's only if you're redirected from another site (for example Google or Yahoo!) that you get sent to the fake anti-virus site. By checking the referrer string, they're clearly trying to make it difficult for people who have the site bookmarked (for example the site admin) to realise that there's a problem and fix it.