It’s all a masquerade!

Earlier this week the security folks at Google posted an interesting blog entry, illustrating the top 10 malware sites seen recently. Included in that list are some domains which attempt to cloak their dubious nature by using similar names to Google themselves. This is a common trick [2], but one that I suspect does actually succeed in fooling many users.

This kind of trick is absolutely commonplace nowadays. For example, over the past few days we have been seeing numerous sites getting hit with malicious code that redirects them to a site that was registered only last week. The site in question uses a domain name that plays on the Google brand, and they even have the cheek to load one of the genuine logos from the Google site (if a little out of date now!).

Unlucky victims who browse one of the compromised web pages, and load content from this site, will get hit with malware. Sophos customers will be protected from malicious code, compromised pages being detected as Mal/Iframe-F.

Another example of simple deception being used to trick victims into infecting themselves or losing money (or at the very least, installing software from a potentially dubious source) cropped up only this morning. A potentially malicious installer was brought to my attention. Closer inspection showed it to be a start page Trojan (Troj/StartP-BY), changing Internet Explorer and Firefox defaults to point to what appears to be some suspicious search portal.

Digging deeper, I found many other related installation files being offered from a whole variety of legitimate looking websites.

In some cases, the installer changes the browser settings, in others the software installed appears entirely legitimate (though I would recommend only installing such software from the trusted vendor, not via some third party site). For some of the sites, the installers prompt the user in what appears to be an attempt to dupe them into paying for the download (in this case a supposed Windows XP SP3 update!):

The plot thickens.

I also found more of the suspicious looking search portals (several of them quite recently registered, since April 2009).

A viper’s nest indeed. Just another illustration of how the social engineering tactics of those looking to exploit, infect or simply dupe the end user for their own gains are pretty much relentless.