How your brand may be abused to install malicious software

Recently, MarkMonitor has discovered several instances of company names and brands being used to steer visitors to web sites that eventually result in malicious or bogus software being installed on their system.



Upon receiving a Google Alert or searching the web, users end up on a free web hosting site such as Geocities. The landing page contains seemingly random paragraphs of text and a long list of links to other free web pages. The purpose of this random text is to build a link farm that search engines index and rank high enough in results to attract attention from users.



In this example our own company name was used as the page title:




Company name example





Once the abusers trick users into visiting their web site, a JavaScript program directs them through a series of fake sites with names like “Best Search World” and “Global Free Search”. The domain names for these search sites are both registered through EST Domains, a registrar notorious for supporting cybercrime activities, whose address appears to be a UPS Store mailbox in Wilmington, Delaware.



From there users are automatically redirected to a site called “Virus Scan Online” (also hosted with EST Domains), which promptly informs them that their system is infected and they must install Antivirus 2008.



An analysis of the URL shows that an affiliate ID is being passed to the virus scan web site. Someone (or more likely several people) is making a few cents for every user they steer to the fraudulent site.
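The redirect chain and the affiliate ID are both visible in saved copies of the pages, so an analyst can reconstruct the path offline without ever loading the sites again. The following is an added example, not MarkMonitor's own tooling: it scans a set of saved HTML pages for the common client-side redirect idioms (window.location assignments, location.replace(), meta refresh), follows the chain page by page, and reports any affiliate-style query parameter on the final URL. The page contents, hostnames (all under the reserved .example TLD) and the parameter names treated as affiliate IDs are constructed for the demonstration.

```python
"""Added example (not from the original post): trace JavaScript / meta-refresh
redirect chains through saved HTML pages offline and flag affiliate-style
query parameters on the final landing page."""
import re
from urllib.parse import parse_qs, urljoin, urlparse

# Client-side redirect idioms commonly seen in this kind of chain.
REDIRECT_PATTERNS = [
    # window.location = "..."; document.location.href = "..."; etc.
    re.compile(r'(?:window|document|top|self)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
    # location.replace("...") / location.assign("...")
    re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']\s*\)', re.I),
    # <meta http-equiv="refresh" content="0;url=...">
    re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\'][^"\']*url=([^"\'>\s]+)', re.I),
]

# Query parameter names treated as affiliate identifiers (assumed list).
AFFILIATE_PARAMS = {"aid", "affid", "affiliate", "aff", "ref", "partner", "pid"}


def find_redirects(html, base_url):
    """Return absolute redirect targets found in one page, in document order."""
    hits = []
    for pat in REDIRECT_PATTERNS:
        for m in pat.finditer(html):
            hits.append((m.start(), urljoin(base_url, m.group(1))))
    hits.sort()
    return [url for _, url in hits]


def affiliate_params(url):
    """Return {param: value} for any affiliate-style parameter in the URL."""
    qs = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in qs.items() if k.lower() in AFFILIATE_PARAMS}


def trace_chain(start_url, pages, max_hops=10):
    """Follow the first redirect on each page through `pages` (url -> html).
    Stops on a page with no redirect, an unknown URL, a loop, or max_hops."""
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        html = pages.get(url)
        if html is None:
            break
        targets = find_redirects(html, url)
        if not targets:
            break
        url = targets[0]
        chain.append(url)
        if url in seen:  # redirect loop; record it and stop
            break
        seen.add(url)
    return chain


# Constructed sample pages mirroring the chain described in the post:
# link farm -> fake search site -> second fake search site -> "virus scan" page.
SAMPLE_PAGES = {
    "http://linkfarm.example/markmonitor.html":
        '<html><body><p>random text about markmonitor</p>'
        '<script>window.location.href="http://bestsearch.example/go?q=markmonitor";</script>'
        '</body></html>',
    "http://bestsearch.example/go?q=markmonitor":
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://globalsearch.example/r"></head></html>',
    "http://globalsearch.example/r":
        '<html><script>location.replace("http://virusscan.example/scan.php?aid=1234&lang=en");'
        '</script></html>',
    "http://virusscan.example/scan.php?aid=1234&lang=en":
        '<html><body>Your system is infected!</body></html>',
}


def analyze(start_url, pages=SAMPLE_PAGES):
    """Summarise a chain: every hop, the final landing URL, affiliate params, hosts."""
    chain = trace_chain(start_url, pages)
    return {
        "chain": chain,
        "final": chain[-1],
        "affiliate": affiliate_params(chain[-1]),
        "hosts": sorted({urlparse(u).hostname for u in chain}),
    }


if __name__ == "__main__":
    report = analyze("http://linkfarm.example/markmonitor.html")
    for hop in report["chain"]:
        print("->", hop)
    print("affiliate params:", report["affiliate"])
    print("hosts to report:", report["hosts"])
```

The host list is what an abuse team would hand to registrars and hosting providers; the affiliate parameter is worth recording because the same ID often recurs across many link-farm pages run by one affiliate. Real pages frequently obfuscate the redirect (string concatenation, eval), so treat a page with a script but no match as "needs manual review", not "clean".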




Virus Scan site





Upon clicking anywhere on the page (even “Ignore”) the following file starts to download to their system:



AntvrsInstall.exe          md5 = 0725519abb3ec592d25b729becbb4718



Even trying to close the browser results in nagging prompts to install the program. Upon installation this program promptly downloads and installs another program. The program downloaded is the actual bogus security software that repeatedly tells users they’re infected and they need to cough up money in order to get the updates needed to remove the infections. In actuality the user’s system is not infected by any malware.



antvrs.exe                 md5 = 9c8c01bc2dea517dfbf26b4a4f8d44bb
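The two MD5 values above are the indicators a help desk or incident responder can act on, since the scareware is routinely renamed and the filename alone proves nothing. The script below is an added example (not MarkMonitor's code) that hashes every file under a directory in fixed-size chunks and reports any file whose digest matches the indicators quoted from this post. The demo directory and its contents are constructed; a benign test file is used to show the mechanism, because no file with the listed digests is shipped with the example.

```python
"""Added example (not from the original post): match files on disk against
the MD5 indicators listed in the post, regardless of the file's current name."""
import hashlib
import os
import tempfile

# Indicators quoted from the post: MD5 -> filename it was observed under.
KNOWN_BAD_MD5 = {
    "0725519abb3ec592d25b729becbb4718": "AntvrsInstall.exe",
    "9c8c01bc2dea517dfbf26b4a4f8d44bb": "antvrs.exe",
}


def md5_of_file(path, chunk_size=1 << 16):
    """Hash a file in 64 KiB chunks so large downloads don't get read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root, indicators=KNOWN_BAD_MD5):
    """Walk `root` and return [(path, md5, observed_name)] for every indicator hit.
    Unreadable files are skipped rather than aborting the whole scan."""
    matches = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in indicators:
                matches.append((path, digest, indicators[digest]))
    return matches


# Constructed demo content; md5(b"hello") is the well-known value below.
DEMO_CONTENT = b"hello"
DEMO_CONTENT_MD5 = "5d41402abc4b2a76b9719d911017c592"


def make_demo_dir():
    """Create a temp directory holding one benign file under a misleading name.
    Returns (directory, file_path)."""
    directory = tempfile.mkdtemp(prefix="scareware-scan-demo-")
    path = os.path.join(directory, "Antivirus2008Setup.exe")  # name is irrelevant to the hash
    with open(path, "wb") as fh:
        fh.write(DEMO_CONTENT)
    return directory, path


if __name__ == "__main__":
    demo_dir, demo_file = make_demo_dir()
    print("demo file md5:", md5_of_file(demo_file))
    print("hits against post indicators:", scan_directory(demo_dir))
    # Supplying the demo digest as an indicator shows a hit end to end.
    print("hits against demo indicator:",
          scan_directory(demo_dir, {DEMO_CONTENT_MD5: "demo-indicator"}))
```

MD5 is adequate for matching a known sample (the goal here is recognising an exact file already seen), but since chosen-prefix collisions for MD5 are practical it should not be relied on for integrity assurance; when publishing new indicators, record a SHA-256 alongside the MD5 so that others can match either.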



The result of all of this is that users who went looking for brand names on search engines end up getting taken by criminals. The MarkMonitor AntiPhishing Security Operations Team has reported the fraudulent sites to the appropriate contacts.