Fake AV Propagated on Famous Websites through Users’ Profiles

As per the GFI Researchers, a bogus AV named FakeRean has been identified propagating itself on the popular websites through users' personal accounts or profiles.

The researchers have examined thoroughly into the techniques of propagation of the FakeRean family of bogus anti-virus and it has discovered some really interesting facts.

According to the GFI Labs blog - similar to all rogue anti-virus families, it presents false scanning outcomes to users to scam them into paying cash to register the software and repair their machines allegedly. Besides, this family modifies the infected machine's registry quite expansively and inserts several component and shortcut files, apart from other things. The key characteristic that sets FakeRean apart from the general rogues is its ability to compromise a file association for executable files, which enables it to reappear each time, when an application is run.

Patrick Jordan, a researcher at GFI Labs, has identified novel techniques on how FakeRean is presently being propagated online, and by the looks of things, the cybercrooks responsible for it have not just casted a wider net but also went hard-core, he stated on the company's blog on June 06, 2011.

To scam users into downloading the PDF exploit that adds and installs FakeRean, these cybercriminals apparently provides links to websites with adult content.

And to ensure that the links to the malware ridden websites are online at any given time, they have quite smartly set them up as posts on forums of several popular websites, such as Twitter, SourceForge, Flickr, last.fm, Stumbleupon, Yahoo Answers, etc.

Additionally, as per the GFI researchers, the SourceForge domain is especially infected by the "portal" pages pretending as user profiles.

The "portal" pages comprise drawings pornographic nature and urges the user to click on the button correct to his/her age but the interesting thing is that it actually doesn't matter which button is pressed as both direct the user to a page harbored on seoholding.com, which installs the malicious PDF exploit on the user's computer.

As usual, security experts have advised netizens to be alert while clicking on images and text links online. They require being extra cautious while visiting online profiles harbored on any website that appears suspicious.

Related article: Fake Spam Mail Announces Australian PM’s Heart Attack

» SPAMfighter News - 6/16/2011