Sophos Cloud OptixA Javascript online threat scanner? Ok, not really, just another scam we have been seeing in recent weeks, which I took a closer look at over the weekend.
A while back, I analysed all of the malicious Troj/Unif-B threats we were seeing, to identify the purpose of the malicious scripts [1]. I found that about half of the malicious scripts were being used to infect victims with one of a handful pieces of malware. Last week, I saw Unif-B being put to a different purpose – scamming money out of victims by displaying fake security messages. The attack is described below.
1. Redirection.
When the victim browses a web page compromised with Troj/Unif-B, they are redirected to the site of the rogue security product.
2. Attention!
A script running on the scamware site then alerts the victim to a potential problem.
But fear not:
3. System “scan”.
The fake system scan then starts.
Non-Windows users may get suspicious at this point, when seeing Win32-specific threats being “identified”. Closer inspection reveals a lot of repetition in the malicious items found. Taking a look at the Javascript on the scamware page reveals why:
The script loops through this array to make the system scan appear realistic:
4. The hit.
The rest of the scam is as you might expect. The scan finishes, identifying numerous threats, and the user is ‘encouraged’ to spend money for removing them.
Readers that believe the the GUI of Doctor Antivirus 2008, to be familiar, you are right. Zoe blogged about something very similar before.
These sort of scams have been growing in popularity in recent months. The notorious Zlob family used this sort of trick 2 years or so ago – clearly the technique is lucrative. Digging around further, I have found numerous other sites hosting similar scams. For example, Wista Antivirus which uses an array of filenames to make the online scan appear genuine (snipped for clarity):
Shows what can be done with a bit of Javascript and CSS – just a shame the skills are not being put to some better, legitimate use.