We are seeing the criminals behind fake anti-virus continuing to customize their social engineering attacks to be more believable to users and presumably more successful.
Last week I wrote about fake Firefox malware warnings leading users to rogue security software. This week they’ve started to imitate Microsoft Update.
The page is nearly an exact replica of the real Microsoft Update page with one major exception… It only comes up when surfing from Firefox on Windows. The real Microsoft Update requires Internet Explorer.
The same site was also hosting the traditional Windows XP explorer scanner we have seen for years, as well as a new Windows 7 scanner.
Much like the spammers who have corrected their grammar and now use correct imagery and CSS, the attackers selling fake anti-virus are getting more professional.
They use high-quality graphics and read the User-Agent string your browser sends with each request to customize your malware experience.
Just like visiting your bank, you should only trust security alerts in your browser if you initiated a check with Microsoft, Adobe, Sophos or any other vendor for updates to their software.
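As an added illustration (not code from the original article), the sketch below triages web proxy records for pages that present themselves as Microsoft Update, using the tell described above: the real page requires Internet Explorer. The record fields, the sample hosts and the trusted-domain list are assumptions to adapt locally.

```python
import re
from urllib.parse import urlsplit

# Assumption: parent domains treated as genuine Microsoft update hosts; tune locally.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")
UPDATE_TITLE = re.compile(r"\b(microsoft|windows)\s+update\b", re.IGNORECASE)

def browser_family(user_agent):
    """Coarse browser classification from a User-Agent string."""
    ua = user_agent.lower()
    if "firefox/" in ua:
        return "firefox"
    if "chrome/" in ua:
        return "chrome"
    if "msie " in ua or "trident/" in ua:
        return "ie"
    return "other"

def is_trusted_host(url):
    """Exact or dot-bounded suffix match, so microsoft.com.example.net fails."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def classify(record):
    """Return 'ignore', 'ok', 'suspicious' or 'likely-fake' for one proxy record."""
    if not UPDATE_TITLE.search(record["title"]):
        return "ignore"
    if is_trusted_host(record["url"]):
        return "ok"
    # Update-branded page on an unknown host. The article's tell: the real
    # Microsoft Update requires Internet Explorer, so a non-IE browser raises confidence.
    return "likely-fake" if browser_family(record["user_agent"]) != "ie" else "suspicious"

FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

# Constructed sample records; field names and hosts are hypothetical.
SAMPLE = [
    {"url": "http://update.microsoft.com/", "title": "Microsoft Update", "user_agent": IE_UA},
    {"url": "http://update.microsoft.com.example.net/", "title": "Microsoft Update", "user_agent": FIREFOX_UA},
    {"url": "http://scan.example.org/", "title": "Windows Update", "user_agent": IE_UA},
    {"url": "http://news.example.org/", "title": "Daily news", "user_agent": FIREFOX_UA},
]

def triage(records):
    """Map each URL to its verdict, dropping pages that do not claim to be an update."""
    verdicts = ((r["url"], classify(r)) for r in records)
    return {url: v for url, v in verdicts if v != "ignore"}

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE).items():
        print(f"{verdict:12} {url}")
```

The host check is the primary signal; the browser family only raises confidence, since a User-Agent string is client-supplied and can be changed.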
12 comments on “Fake anti-virus cloaks itself to appear to be Microsoft Update”
That really doesn't look like the update page on my comp. Somewhat close but not close enough to fool me. Can see where someone not paying attention might get snagged. I'm pretty sure my update page will not open on its own either. Mine tells me when updates are downloaded when I go to shut it off not unless I manually run the page looking for updates. Does MS actually have an updates page online anymore? I'm on Win 7 and it seems to be only based on my OS and not the web like my XP desktop did.
I'm confused as to what happens in the case of Automatic Updates? Are these best avoided now? – and done manually instead?
I had one of these pop up using a warning that was cloaked to operate with my current OS (Windows 7) but when I tried to close it, it still took me to the site anyway which looked cleverly disguised to look like a Windows XP scan. I quickly Task Ended it and shut the process down. I then went into Internet Explorer, CLEAR OUT ALL COOKIES and TEMPORARY FILES and turned on Pop-Up Blocker. Problem has not occurred since.
Hahaha! That's what you get when you use Firefox!
Oh yes Bulbous, because we all know how secure Internet Explorer and Chrome are don't we (
Actually, in the case of Chrome….yes, I believe we do. In comparison, Exploder's security strikes me as more along the lines of, um, an interesting concept. 🙂
Chrome's speed and stability are another matter altogether. Chrome for Mac is a treat, even under Lion, is a real delight while Chrome for Vista has been going through a rough patch.
And so what? What should we do if it occurred?
This news seems incomplete :/
You said “The real Microsoft Update requires Internet Explorer.”.
This is not true.
I use FF and I can get the MS updates because I have IE Tab installed.
Besides, like someone has already mentioned, the screenshot is close but no cigar.
IE Tab is still IE as it uses the Internet Explorer engine within a Firefox frame.
Doubt everyone, trust no one. That is the best advice for dealing with this sort of stuff. And if in doubt, send a copy of the email to the security group of the company you think is being spoofed. In any case, this is exactly why I only run Windows inside a virtual machine running on an enterprise Linux system. I just roll the system back to the last snapshot if it gets infected.
You could just spoof your User Agent string (easiest to do in Firefox with an add-on), however, that will also prevent legitimate sites from displaying properly.
Best thing to do is to enable your browser's security to block attack sites and report them when you see one.
For Firefox, enable the "Block reported attack sites" and "Block reported web forgeries" features.
Report attack sites and web forgery in Firefox using "Help -> Report Web Forgery…" (or "Help -> This isn't a web forgery…" in older versions). In Firefox 4, you may need to click the "Firefox" button in the upper left corner first (if you don't have the menu bar visible).
For Internet Explorer, turn on the "SmartScreen Filter" in Internet Explorer 9 and Internet Explorer 8 (or "Phishing Filter" in Internet Explorer 7) for the similar protection.
To report a phishing Web site, follow the instructions in this support article (the steps are similar for Internet Explorer 9):
Then all you do is report websites like these (see information above) so that everyone else who doesn't realize it is a fake won't get caught with this fake anti-virus software.
If you want to see what a reported attack site or web forgery looks like in Firefox (if you have the correct options enabled), see here:
I always enjoy getting the "Microsoft" security warnings when I'm running Linux. LOL