Fake Online AV Scanner Installs Fake AV

Today, SophosLabs observed a bogus website hosting a fake online AntiAdware scanner. When the website is accessed, JavaScript embedded in the webpage executes. The script displays a fake progress bar that pretends to scan the victim's computer. After some time, a warning popup appears and tells the victim that the computer is infected with several spyware programs and viruses. The page then offers a link which, when clicked, starts the download of a file named Setup.exe. This file is malicious and is detected by SophosLabs as Troj/FakeAV-ABD. Access to the website has also been blocked in the Sophos Web Appliance.
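As an added illustration (not SophosLabs detection logic and not taken from the site), the following sketch checks a page for the three traits described above: a timer-driven progress bar in inline script, infection warning text, and a link to an executable download. The sample pages are constructed, and the function name and regular expressions are assumptions chosen for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the behaviour described above; not the real page.
FAKE_SCANNER_PAGE = """<html><body><div id="bar"></div><p>Scanning your computer...</p>
<script>
var p = 0, t = setInterval(function () {
  document.getElementById('bar').style.width = (++p) + '%';
  if (p >= 100) { clearInterval(t); alert('Warning! Your computer is infected'); }
}, 50);
</script>
<a href="/download/Setup.exe">Remove all threats</a></body></html>"""

# Constructed benign page that mentions anti-virus without the scam traits.
BENIGN_PAGE = """<html><body><p>Read our guide to choosing anti-virus software.</p>
<a href="/guide.html">Guide</a><script>console.log('hi');</script></body></html>"""

class _Collector(HTMLParser):
    """Splits a page into inline script text, visible text and link targets."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.script, self.text, self.links = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "a":
            self.links.append(dict(attrs).get("href") or "")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.script if self.in_script else self.text).append(data)

def fake_scanner_traits(html):
    """Return which of the three traits described in the post the page shows."""
    c = _Collector()
    c.feed(html)
    c.close()
    script, text = " ".join(c.script), " ".join(c.text)
    traits = []
    if re.search(r"set(Interval|Timeout)\s*\(", script) and re.search(r"\.width|progress", script, re.I):
        traits.append("timer-driven progress bar")
    if re.search(r"infected|spyware|virus(es)?\s+(found|detected)", script + " " + text, re.I):
        traits.append("infection warning")
    if any(re.search(r"\.exe(\?|#|$)", href, re.I) for href in c.links):
        traits.append("executable download link")
    return traits
```

Each trait also appears on legitimate pages on its own, so a web filter would treat only the combination of all three as a signal worth blocking or reviewing.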

Moreover, the website was able to change its interface and language depending on the visitor's IP address. Here is an example:

In the past few months SophosLabs has highlighted several different tricks [2,4] used by FakeAV to encourage users to purchase the products. This bogus Online AntiAdware Scanner is a new variation on the same theme. Users should be wary of online scammers, especially those not affiliated with a known anti-virus/security software company. To avoid becoming a victim, never download any file from websites that you are not familiar with.