Fake AV Asks for Subscription Renewals
Cleaning up and re-imaging machines infected with rogue AV continues to consume precious man-hours from security teams already saddled with increasing responsibility. While fake antivirus software (AV) has yielded the security headlines to exploit kits, ransomware, and crime packs, active rogue AV campaigns remain an ongoing challenge for organizations trying to keep their networks free of malware. Today, Websense® Security Labs™ researchers, using our Websense ThreatSeeker® Intelligence Cloud, intercepted one such campaign: malicious emails promoting a fake AV product called Anti-Virus Pro. The emails use “PC Security - Renewal” as their subject.
These malicious emails offer subscription renewals to unsuspecting recipients, who are then redirected to the fake AV site hxxp://anti-virus-professional.com. The site prompts users to download a “trial version”, which is the malware itself.
Websense® ThreatScope detects the fake AV as malicious and shows that it drops and runs binaries inside the user's profile directory. Interestingly, this malware was first seen on VirusTotal about a year and a half ago, yet only 40% of AV engines detected it at the time of this post.
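As an added example (not Websense's code), the following Python triage script applies the two indicators this post gives, the lure subject and the fake AV domain, to raw RFC 822 messages so a mail team can sweep a quarantine or mailbox export for this campaign. The sample messages are constructed for illustration, and subject whitespace is normalized so minor spacing variants still match.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Indicators taken from the Websense write-up above.
CAMPAIGN_SUBJECT = "pc security - renewal"
CAMPAIGN_DOMAIN = "anti-virus-professional.com"

# Accept both live (http) and defanged (hxxp) URLs in message bodies.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s\"'<>]+", re.IGNORECASE)

def normalize_subject(subject):
    """Lower-case and collapse whitespace so spacing variants still match."""
    return re.sub(r"\s+", " ", (subject or "")).strip().lower()

def extract_hosts(body):
    """Return the set of hostnames linked in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.add(host)
    return hosts

def matches_domain(host, domain=CAMPAIGN_DOMAIN):
    """True for the indicator domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)

def triage_message(raw):
    """Return the list of campaign indicators a raw RFC 822 message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if normalize_subject(msg["Subject"]) == CAMPAIGN_SUBJECT:
        reasons.append("subject matches campaign lure")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    for host in sorted(extract_hosts(body)):
        if matches_domain(host):
            reasons.append(f"link to known fake AV domain: {host}")
    return reasons

# Constructed sample messages (not real captures from the campaign).
SAMPLES = {
    "lure": "From: billing@example.invalid\nSubject: PC  Security -  Renewal\n\n"
            "Your subscription expires soon. Renew at http://www.anti-virus-professional.com/renew\n",
    "benign": "From: it@example.invalid\nSubject: Monthly patch notes\n\n"
              "See https://example.invalid/patches for details.\n",
}

def triage_all(samples=SAMPLES):
    """Map each sample name to the indicators it matched (empty list = clean)."""
    return {name: triage_message(raw) for name, raw in samples.items()}
```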
Intelligence gathered around this malicious campaign suggests that its focus is the manufacturing industry, as well as other service-oriented businesses.
Geographically, the campaign originates in the US and the United Kingdom. So far, we are seeing Belgium, the US, and the United Kingdom as the top affected countries.
Historically, fake AV has been associated heavily with Black Hat SEO attacks. Now fake AV is spreading through email as well. This could signal a comeback of one of the most popular malicious campaigns of the past.
Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).