

Fake AV Asks for Subscription Renewals


Wednesday, Jan 29, 2014

Cleaning up and re-imaging machines infected with rogue AV continues to take precious man-hours from security teams already saddled with increasing responsibility. While fake antivirus (AV) software has yielded the security headlines to exploit kits, ransomware, and crime packs, active rogue AV campaigns continue to be an ongoing challenge for organizations attempting to keep their networks free from malware. Today, Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, intercepted one such campaign: malicious emails posing as a fake AV product called Anti-Virus Pro. The malicious emails use "PC Security - Renewal" as the subject.

Malicious Email

These malicious emails offer subscription renewals to unsuspecting recipients; those who follow the link are redirected to the fake AV site, hxxp://anti-virus-professional.com. The site prompts users to download a "trial version", which is the malware itself.

Malicious Emails
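The two indicators the post gives for this lure, the "PC Security - Renewal" subject line and the anti-virus-professional.com landing domain, are enough for a simple mail-gateway or SIEM check. The following is an added example, not Websense code or part of the original post: it normalizes defanged (hxxp) URLs, matches the domain and its subdomains, and flags mail records carrying either indicator. The `key=value|key=value` log format and the sample lines are constructed for illustration and do not correspond to any real product's log format.

```python
"""Indicator matching for the 'PC Security - Renewal' fake AV lure.

Added example (not Websense code). Indicators are the two reported in the
post: the email subject "PC Security - Renewal" and the landing domain
anti-virus-professional.com. The log format below is constructed.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the post.
FAKE_AV_DOMAIN = "anti-virus-professional.com"
# Tolerate extra whitespace around the hyphen and differing case.
_LURE_SUBJECT = re.compile(r"^\s*pc security\s*-\s*renewal\s*$", re.IGNORECASE)

# Reports defang URLs as hxxp/hxxps; undo that before parsing.
_DEFANG = re.compile(r"^hxxp(s?)://", re.IGNORECASE)
_URL = re.compile(r"\bhxxps?://\S+|\bhttps?://\S+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn hxxp://... back into http://... so urlparse can handle it."""
    return _DEFANG.sub(lambda m: "http" + m.group(1) + "://", url)


def url_domain(url: str) -> str:
    """Extract the lower-cased host name from a (possibly defanged) URL."""
    host = urlparse(refang(url)).hostname or ""
    return host.lower().rstrip(".")


def matches_domain(host: str, indicator: str = FAKE_AV_DOMAIN) -> bool:
    """True for the indicator domain itself and any subdomain of it."""
    return host == indicator or host.endswith("." + indicator)


def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' mail-log line."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def classify(record: dict) -> list:
    """Return the names of the indicators that hit for one mail record."""
    hits = []
    if _LURE_SUBJECT.match(record.get("subject", "")):
        hits.append("subject")
    for url in _URL.findall(record.get("body", "")):
        if matches_domain(url_domain(url)):
            hits.append("domain")
            break  # one domain hit per message is enough
    return hits


def scan(lines) -> list:
    """Return (msgid, hits) for every record that matches at least one indicator."""
    flagged = []
    for line in lines:
        record = parse_record(line)
        hits = classify(record)
        if hits:
            flagged.append((record.get("msgid", "?"), hits))
    return flagged


# Constructed sample log lines (not real traffic). example.com is a reserved
# documentation domain and must not match.
SAMPLE_LOG = [
    "msgid=1|subject=PC Security - Renewal|body=Renew now: hxxp://anti-virus-professional.com/renew",
    "msgid=2|subject=Invoice 4471|body=Please see the attached invoice.",
    "msgid=3|subject=Your subscription|body=Trial: http://www.anti-virus-professional.com/trial",
    "msgid=4|subject=pc security - renewal|body=Log in at http://example.com/login to continue.",
]

if __name__ == "__main__":
    for msgid, hits in scan(SAMPLE_LOG):
        print(f"message {msgid}: {', '.join(hits)}")
```

Message 4 shows why both indicators are worth keeping: the subject alone still flags a variant whose link has moved to a different host, while message 3 shows the domain match catching a message sent with a different subject.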

Websense® ThreatScope detects the fake AV as malicious, and shows that it drops and runs binaries in the user's profile directory. Interestingly, this malware was first seen on VirusTotal about a year and a half ago, yet only 40% of AV engines had detection for it at the time of this post.

Threatscope

Intelligence gathered around this malicious campaign suggests that its focus is the manufacturing industry, as well as other service-oriented businesses.

Service oriented

Geographically, the campaign originates in the US and the United Kingdom. So far, we are seeing Belgium, the US, and the United Kingdom as the top countries affected.

Heatmap

Historically, fake AV has been associated heavily with black hat SEO attacks. Now, fake AV is using email to spread the campaign. This could signal a comeback of one of the most popular malicious campaigns of the past.

Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).
