On Friday evening I was talking to a North American customer who had been fighting with infections caused by SEO poisoning. They mentioned a particular search term that could generate new samples of FakeAVs. The funny thing was that the website hacked by the SEO poisoner was a blog of someone trying to promote legitimate business use of SEO technologies.
If you click on any of the links returned by the search, you are redirected to an Indian site containing this image:
After allowing scripts on an unprotected, unfiltered machine, I quickly saw the pop-up:
Eventually, you are prompted to download an executable:
>>> Virus 'Troj/FakeAV-AYU' found in file packupdate_build9_195.exe
The Indian websites themselves are also detected as malware:
>>> Virus 'Mal/FakeAvJs-A' found in file Security Threat Analysis.html
For those customers who don't have a Sophos web security appliance or don't use IE, there is hope. Sophos will soon be opening a beta for Endpoint Security and Control 9.5, which includes "Live Web protection for fixed and mobile endpoints, blocking access to malicious URLs". To register for this beta or find out more about the Beta Program, follow this link.