More FakeAlert trickery

The conveyor belt of fake alert malware has continued apace over recent days. As previously reported [1,2,3], the attackers are using a variety of tricks and social engineering in order to infect victims.

In contrast to other malware, where the attackers only need to infect victims, fake alert malware requires a second step to be successful. For the attackers to make money, the victim has to be duped into actually paying to register the product.

This is ordinarily achieved by a neverending cascade of system tray alerts and popup warning messages, all intended to scare the user into paying up. However, recently I noticed some of this malware delivering other quite nasty social engineering tricks.

For example, when infected with ‘Antivirus 2009’ (variants of which are being proactively detected as Mal/EncPk-CZ), when attempting to access the Microsoft web site:


Or when viewing the Sophos web site:


When accessing Google, the user is presented with a particularly realistic warning:


The latter warning is the most cunning of the tricks that I have observed thus far. I suspect it is sufficiently believable to fool many users.