Microsoft redirect aids boost fake anti-virus scam
With a little help from the IRS too.
By Robert McMillan, IDG News Service | Published: 10:33, 24 December 2008
A new player has entered the fake anti-virus market - with a little bit of help from Microsoft and the US Internal Revenue Service.
Over the past four days the scammers have used so-called redirector links on Web sites belonging to magazines, universities and, most remarkably, the Microsoft.com and IRS.gov domains, said Gary Warner, director of research in computer forensics with the University of Alabama, who first reported the activity on his blog.
Many websites use redirector links to take visitors away from the site, although the web site operators try to stop them from being misused by scammers. For example, the Google URL http://www.google.com/search?q=idg&btnI=3564 uses Google's "I'm feeling lucky" feature to send web surfers to IDG.com.
If criminals can use a redirector on a major website like Microsoft's or IRS's, however, they can make their malicious links pop up very high in Google search results, said Warner.
"Microsoft is a super-powerful site as far as search engine weight is concerned," he said.
The bad guys have tricked search engines into returning their malicious links to tens of thousands of search terms, Warner said. They've done this by using special software to add these redirector links to "tens of thousands of blog comments, guestbook entries, and imaginary blog stories all around the Internet," Warner said in his blog posting.
You can see the results of this activity. A Google search for the term "Microsoft Office 2002 download" yields a Microsoft.com redirection link as its first result. That link had been redirecting visitors to a malicious web site, which launched web-based attack code against victims and tried to trick them into downloading fake antivirus software, Warner said. However, Microsoft has now fixed the problem, so the Microsoft.com link that pops up in the google search results was no longer taking surfers to the malicious website.
The IRS has now addressed the issue too, but about 20 other sites remain a problem Warner said.
The fake anti-virus software, also called "scareware," installs a keylogger on the victim's computer, presumably to steal login names and passwords, and also launches fake warning popups on every web page that the victim visits telling him he needs to buy anti-virus software, called System Security. The price for the fake product? A believable-sounding $51.45.
The FTC estimates that 1 million consumers were taken in by other fake anti-virus products which go by names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus. On 10 December a federal court ordered two companies, Innovative Marketing and ByteHosting Internet Services, to stop promoting these products.
Warner doesn't know who is behind System Security, but he believes that the scammers behind this latest operation may be connected to the earlier scams. "It's similar enough that it's got to be somebody who has a relationship with the last group," he said.