Recently, MarkMonitor has discovered several instances of company names and brands being used to steer visitors to web sites that eventually result in malicious or bogus software being installed on their system.
Upon receiving a Google Alert or searching the web, users end up on a free web hosting site like Geocities. The landing page contains seemingly random paragraphs of text and a long list of links to other free web pages. The goal of this random text is to create a “link farm” that is indexed by search engines and shows up high enough in search results to attract attention from users.
In this example, our own company name was used as the page title:
From there, users are automatically redirected to a site called “Virus Scan Online” (also hosted with EST domains) which promptly informs them that their system is infected and they must install Antivirus 2008.
An analysis of the URL shows that an affiliate ID is being passed to the virus scan web site. Someone (or more likely several people) is making a few cents for every user they steer to the fraudulent site.
Upon clicking anywhere on the page (even “Ignore”), the following file starts to download to their system:
AntvrsInstall.exe md5 = 0725519abb3ec592d25b729becbb4718
Even trying to close the browser results in nagging prompts to install the program. Upon installation, this program promptly downloads and installs another program. The program downloaded is the actual bogus security software that reportedly tells users they’re infected and they need to cough up money in order to get the updates needed to remove the infections. In actuality, the user’s system is not infected by any malware.
antvrs.exe md5 = 9c8c01bc2dea517dfbf26b4a4f8d44bb
The result of all of this is that users who went looking for brand names on search engines end up getting taken by criminals. The MarkMonitor AntiPhishing Security Operations Team has reported the fraudulent sites to the appropriate contacts.
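The chain described above (a free-hosted landing page, a redirect that carries an affiliate ID, then an executable download) can be searched for in web proxy logs. The following is an added example, not MarkMonitor's tooling: the log layout, the host names, the affiliate parameter names and the 60-second window are all assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumptions, not taken from the article: host suffixes, parameter names, window.
FREE_HOSTS = ("geocities.com",)                  # free web hosting to watch
AFFILIATE_KEYS = {"aff", "affid", "affiliate"}   # hypothetical parameter names
WINDOW = timedelta(seconds=60)                   # redirect -> download time limit

# Constructed sample log: time, client, requested URL, referer ("-" when absent)
SAMPLE_LOG = """\
2008-01-01T10:00:00 10.0.0.5 http://www.geocities.com/example_user/page.html -
2008-01-01T10:00:02 10.0.0.5 http://scan.example.test/index.php?aff=1234 http://www.geocities.com/example_user/page.html
2008-01-01T10:00:09 10.0.0.5 http://scan.example.test/download/AntvrsInstall.exe http://scan.example.test/index.php?aff=1234
2008-01-01T10:01:00 10.0.0.7 http://www.geocities.com/hobby/index.html -
2008-01-01T10:05:00 10.0.0.7 http://files.example.test/tool.exe -
"""

def is_free_host(host):
    return any(host == h or host.endswith("." + h) for h in FREE_HOSTS)

def find_chains(log_text):
    """Return (client, scan_host, affiliate_id, exe_url) for each complete chain."""
    pending = {}  # (client, scan_host) -> (time of redirect, affiliate id)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, referer = line.split()
        when = datetime.fromisoformat(ts)
        target = urlsplit(url)
        host = target.hostname or ""
        ref_host = urlsplit(referer).hostname or ""
        # Stage 2: arrival from a free-hosted page on another host, with an affiliate ID
        if is_free_host(ref_host) and not is_free_host(host):
            params = parse_qs(target.query)
            aff = next((params[k][0] for k in params if k.lower() in AFFILIATE_KEYS), None)
            if aff is not None:
                pending[(client, host)] = (when, aff)
        # Stage 3: executable fetched from that same host shortly afterwards
        elif target.path.lower().endswith(".exe") and ref_host == host:
            seen = pending.get((client, host))
            if seen and when - seen[0] <= WINDOW:
                hits.append((client, host, seen[1], url))
    return hits

if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print(hit)
```

Grouping the hits by affiliate ID shows which referrers are feeding the same fraudulent site.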