Rogue AVs still on the loose
The age-old tactic of fooling users into downloading fake and malicious antivirus software is still on the rise, and cyber-criminals are now more cunning than ever. Read on to learn more, and for 4 tips on avoiding the threat.
In the previous edition of First Line of Defense, we discussed some current scareware threat events. In this edition we examine rogue AV and its methods in detail, and how to remain safe from these threats. The earliest rogue AV ploys relied on scareware tactics, raising the alarm to warn users of fictitious infections. This was reminiscent of the old threat landscape, where malware was mainly a nuisance and a timewaster, draining resources and slowing machines. Today it's a very different story.
Increasingly complex tactics
With the shift towards the modern profit-driven threat landscape, cybercriminals are employing ever-more cunning tactics. Now, by using search engine optimization (SEO) techniques, they even infect users who simply visit certain sites, seemingly mimicking the way real-time antivirus products protect systems. Attacks have also increased in complexity, and cybercriminals are now working together to increase their chances of victimizing more users.
With the knowledge that data is valuable to computer users, cybercriminals will keep creating new ways to exploit them. Security experts have already seen new rogue AV samples that employ ‘ransomware’ tactics, which encrypt files and effectively take them hostage, with the rogue AV posing as a utility that claims to have found corrupted files. To recover the data, the user has to purchase and download a program which merely fixes the problem the malware created.
New social engineering techniques
Cybercriminals are using several social engineering techniques to spread rogue AV, including spammed emails containing URLs that lead to sites where rogue AV can be downloaded. More imaginatively, they rig search engine results with links to downloadable and seemingly legitimate antivirus/antispyware applications. Some even go to the extreme of using search engine optimization (SEO) to redirect users from high-traffic sites to specially crafted malicious pages hosting their rogue AV wares. Examples of rogue AV commonly obtainable from such sites include the so-called XP Antivirus, Antivirus 2008, and Antivirus 2009, which recently gained popularity as they can be downloaded for free.
Another ingenious social engineering ploy involves the use of codecs, plug-ins for software applications that can be downloaded from the Internet. As several media files require codecs for playback, users who want to stream videos are often victimized by downloading rogue AV posing as video codecs. Cybercriminals have also been known to use newsworthy events to spread their malicious wares. Celebrity deaths (e.g. Corazon Aquino¹) and tragic events (e.g. tropical storms²) have both recently become unwitting participants in rogue AV scams.
Social networking sites such as Twitter and Facebook have also become unwilling sources of rogue AV, thanks to the KOOBFACE botnet's dedicated FAKEAV installer component. An increasing number of fake social networking site accounts have been posting messages containing links that lead to rogue AV sites.
A recent TrendLabs study also indicates that rogue AV authors, sellers, and resellers now employ enhanced social engineering tactics, taking advantage of trendy topics in popular search engines. They have even been found to use GeoIP tracking³. These attacks employ similar techniques as blackhat SEO campaigns, albeit in a more targeted sense.
Cybercriminals really will stop at nothing to further their profiteering schemes. And although users have been warned to steer clear of links from unknown sources — whether in emails or in tweets — curiosity will always get the better of them.
4 top tips to protect yourself
To help protect yourself from rogue AV infection, you should always keep the following dos and don'ts in mind:
- Don't open suspicious-looking emails or click links from people you do not know.
- Search with caution, especially about news or trendy topics. Stick to legitimate or trusted sites, especially video sites where you are prompted to download codecs.
- Patch your system, as rogue AV arrives via exploits and resides on compromised sites.
- Secure your online accounts to prevent them from being hacked.
¹ Cory Aquino’s Death Used to Spread Another FAKEAV
² Tropical Storm Leads to FAKEAV
³ Blackhat SEO and FAKEAV: A Dangerous Tandem