Scareware hackers exploit McAfee false positive problem

Scary ghosts
Hackers are exploiting a problem with McAfee’s anti-virus product that has caused hundreds of thousands of computers around the world to repeatedly reboot themselves.

The New York Times (and many other news outlets) have reported on the problems businesses suffered after a detection update issued by McAfee yesterday caused its anti-virus product to mistakenly detect a harmless Windows file, svchost.exe, as “W32/Wecorl.a” and caused computers to become inoperable.

To its credit, McAfee is discussing the problem on its online community forum, has apologised, withdrawn the buggy update, and advised customers on how to manually fix the affected computers.

But what might be making McAfee’s job of getting reliable information about the false positive problem out to the masses that much harder is that malicious hackers are exploiting the situation.

By using blackhat SEO techniques, cybercriminals have managed to get poisoned webpages high in the search rankings if you hunt for information on the McAfee false positive.

McAfee false positive problem exploited by hackers

If you click on a dangerous link like this then you risk the chance of your computer being hit by a fake anti-virus attack (also known as scareware) which may attempt to con you out of your credit card details or trick you into install malicious code onto your computer.

Sophos detects the malware proactively as Mal/FakeAV-BW.

The last thing you want to happen if you’re searching for advice on how to fix a problem with the other computers in your company.

And it’s not just McAfee’s false alarm problem that these hackers are exploiting. Looking a little deeper at the poisoned domains, allows us to view a cache of hundreds of other pages that this gang have created around a wide range of topics.

SEO poisoning cache

Be careful out there folks..

* Image source: peasap’s Flickr photostream (Creative Commons)