Fake anti-virus cloaks itself to appear to be Microsoft Update

Filed Under: Featured, Firefox, Malware

We are seeing the criminals behind fake anti-virus continuing to customize their social engineering attacks to be more believable to users and presumably more successful.

Last week I wrote about fake Firefox malware warnings leading users to rogue security software. This week they've started to imitate Microsoft Update.

Fake Microsoft Update page.

The page is nearly an exact replica of the real Microsoft Update page, with one major exception: it only comes up when surfing from Firefox on Windows. The real Microsoft Update requires Internet Explorer, so the page is shown to exactly the audience that could never have reached the genuine site this way.

The same site was also hosting the traditional fake Windows XP Explorer "scanner" page we have seen for years, as well as a new version styled after Windows 7.

Just as spam campaigns have cleaned up their grammar and now copy the real brands' imagery and CSS, the attackers selling fake anti-virus are becoming more professional.

They use high-quality graphics, and they read the User-Agent string your browser sends with every request to pick which operating system and browser the lure should imitate. Because the User-Agent is entirely under the client's control, the same trick also lets the site show a harmless page to anyone who does not look like an intended victim, which makes these sites harder to investigate.

Just as with your bank, only trust a security alert or update prompt in your browser if you yourself initiated the check with Microsoft, Adobe, Sophos or whichever vendor's software it claims to be updating. A page that appears on its own while you are browsing, however convincing it looks, is not Microsoft Update.
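To make the cloaking concrete, here is an added Python example (written for this post, not code from the attackers' site or from Sophos). It shows the kind of User-Agent sniffing a server needs to serve the Microsoft Update lure only to Firefox on Windows and the XP or 7 "scanner" to everyone else on Windows, and a defender-side check built from the post's own facts. The User-Agent strings, the lure names and the `choose_lure` decision table are constructed for illustration; the assumption that a genuine Microsoft Update page lives on a microsoft.com host is mine.

```python
import re
from urllib.parse import urlparse

# Constructed sample User-Agent strings for the demo (not taken from the post).
UA_FIREFOX_WIN7 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0"
UA_FIREFOX_WINXP = "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0"
UA_IE8_WINXP = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
UA_CHROME_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 "
                 "(KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1")
UA_FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"

# Windows NT kernel versions as they appear in User-Agent strings.
_WINDOWS_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP",      # XP x64 and Server 2003 report NT 5.2
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
}


def parse_user_agent(ua):
    """Classify a User-Agent string into (os, browser).

    Deliberately crude: the point is that a server needs only a few
    substring checks to decide which lure to show.
    """
    ua_l = ua.lower()
    m = re.search(r"windows nt (\d+\.\d+)", ua_l)
    if m:
        os_name = _WINDOWS_VERSIONS.get(m.group(1), "Windows")
    elif "windows" in ua_l:
        os_name = "Windows"
    elif "mac os x" in ua_l:
        os_name = "Mac OS X"
    elif "linux" in ua_l:
        os_name = "Linux"
    else:
        os_name = "Unknown"

    # Order matters: Chrome's UA also contains "Safari", IE's contains "Mozilla".
    if "msie" in ua_l or "trident/" in ua_l:
        browser = "Internet Explorer"
    elif "firefox/" in ua_l:
        browser = "Firefox"
    elif "chrome/" in ua_l:
        browser = "Chrome"
    elif "safari/" in ua_l:
        browser = "Safari"
    else:
        browser = "Unknown"
    return os_name, browser


def choose_lure(ua):
    """Hypothetical server-side choice of which fake page to serve.

    Encodes the behaviour described in the post: the fake Microsoft Update
    page is only served to Firefox on Windows; other Windows visitors get
    the XP or 7 flavoured "scanner"; anyone else gets nothing at all.
    """
    os_name, browser = parse_user_agent(ua)
    if browser == "Firefox" and os_name.startswith("Windows"):
        return "fake-microsoft-update"
    if os_name == "Windows 7":
        return "windows7-scanner"
    if os_name.startswith("Windows"):
        return "windowsxp-explorer-scanner"
    return None  # non-Windows visitors (and most scanners) see a blank page


def is_plausible_microsoft_update(page_url, ua):
    """Defender-side sanity check built from the post's own facts.

    A genuine Microsoft Update page (a) lives on a microsoft.com host
    (assumption) and (b) only works in Internet Explorer (from the post).
    Anything calling itself Microsoft Update that fails either test is a forgery.
    """
    host = (urlparse(page_url).hostname or "").lower()
    on_microsoft = host == "microsoft.com" or host.endswith(".microsoft.com")
    _, browser = parse_user_agent(ua)
    return on_microsoft and browser == "Internet Explorer"
```

Two practical consequences follow from the `choose_lure` logic. A researcher fetching the site from Linux or with a generic crawler User-Agent will see nothing and may wrongly mark it clean, so always re-request with a Windows/Firefox User-Agent before concluding. Conversely, changing your own User-Agent is not a defence: it only changes which lure you are shown, and the real protection is the rule above, that a Microsoft Update page which appeared uninvited, in Firefox, on a non-Microsoft host, fails every test.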


12 Responses to Fake anti-virus cloaks itself to appear to be Microsoft Update

  1. Mich071 · 1584 days ago

    That really doesn't look like the update page on my comp. Somewhat close but not close enough to fool me. Can see where someone not paying attention might get snagged. I'm pretty sure my update page will not open on its own either. Mine tells me when updates are downloaded when I go to shut it off not unless I manually run the page looking for updates. Does MS actually have an updates page online anymore? I'm on Win 7 and it seems to be only based on my OS and not the web like my XP desktop did.

  2. Diana · 1584 days ago

    I'm confused as to what happens in the case of Automatic Updates? Are these best avoided now? - and done manually instead?

  3. David · 1584 days ago

    I had one of these pop up using a warning that was cloaked to operate with my current OS (Windows 7), but when I tried to close it, it still took me to the site anyway, which looked cleverly disguised to look like a Windows XP scan. I quickly Task Ended it and shut the process down. I then went into Internet Explorer, CLEARED OUT ALL COOKIES and TEMPORARY FILES and turned on Pop-Up Blocker. Problem has not occurred since.

  4. Bulbous · 1584 days ago

    Hahaha! That's what you get when you use Firefox!

  5. Stu_ · 1584 days ago

    Oh yes Bulbous, because we all know how secure Internet Explorer and Chrome are, don't we?

    • JustaNotherguy · 1584 days ago

      Actually, in the case of Chrome....yes, I believe we do. In comparison, Exploder's security strikes me as more along the lines of, um, an interesting concept. :-)

      Chrome's speed and stability are another matter altogether. Chrome for Mac is a treat; even under Lion it is a real delight, while Chrome for Vista has been going through a rough patch.

  6. Olgi · 1583 days ago

    And so what? What should we do if it occurred?
    This news seems incomplete :/

  7. Smith · 1582 days ago

    You said "The real Microsoft Update requires Internet Explorer.".
    This is not true.
    I use FF and I can get the MS updates because I have IE Tab installed.

    Besides, like someone has already mentioned, the screenshot is close but no cigar.

    • Name · 1581 days ago

      IE Tab is still IE as it uses the Internet Explorer engine within a Firefox frame.

  8. Spaceman Spiff · 1580 days ago

    Doubt everyone, trust no one. That is the best advice for dealing with this sort of stuff. And if in doubt, send a copy of the email to the security group of the company you think is being spoofed. In any case, this is exactly why I only run Windows inside a virtual machine running on an enterprise Linux system. I just roll the system back to the last snapshot if it gets infected.

  9. You could just spoof your User Agent string (easiest to do in Firefox with an add-on), however, that will also prevent legitimate sites from displaying properly.

    Best thing to do is to enable your browser's security to block attack sites and report them when you see one.

    For Firefox, enable the "Block reported attack sites" and "Block reported web forgeries" features.

    Report attack sites and web forgery in Firefox using "Help -> Report Web Forgery..." (or "Help -> This isn't a web forgery..." in older versions). In Firefox 4, you may need to click the "Firefox" button in the upper left corner first (if you don't have the menu bar visible).

    For Internet Explorer, turn on the "SmartScreen Filter" in Internet Explorer 9 and Internet Explorer 8 (or "Phishing Filter" in Internet Explorer 7) for the similar protection.

    To report a phishing Web site, follow the instructions in this support article (the steps are similar for Internet Explorer 9):

    Then all you do is report websites like these (see information above) so that everyone else who doesn't realize it is a fake won't get caught with this fake anti-virus software.

    If you want to see what a reported attack site or web forgery looks like in Firefox (if you have the correct options enabled), see here:

  10. UbuntuWho · 1179 days ago

    I always enjoy getting the "Microsoft" security warnings when I'm running Linux. LOL


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.