Monthly Malvertising Update: More Fake Antivirus
When last we looked at this never-say-die malvertising network, it was using IP-based URLs to funnel people to a Fake AV attack.
Well, they're still at it... The recent traffic comes from a couple of evil sites: 22.214.171.124 and 126.96.36.199. The latter is getting all of its traffic from covers.com, a sports betting site. In the case of 188.8.131.52, the traffic is coming from a variety of sites: kids-in-mind.com, universalnightlife.com, blackcelebkids.com, thefashionspot.com, and more...
After bouncing through some junk subdomains on the whimsically named dreamfolk.info, the traffic ends up in a family of fake-antivirus sites with names like these:
and so on. (There are a LOT of variants.) There, a victim would see a warning like this:
(Let's see... Only one spelling error, and one awkward phrase, so I'd probably give the Bad Guys a B+ for the believability of their warning message this time.)
If you accept their offer to "Clean computer", you get a program called, simply enough, setup.exe.
Running a sample through VirusTotal yielded a less-than-encouraging 8 hits:
Fortunately, WebPulse is on guard...
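The chain described above (named site, then an IP-based URL, then a throwaway subdomain) can be hunted for in proxy logs. The sketch below is an added example, not code from the original post or from WebPulse; the log format, hostnames, addresses, and function names are all constructed for illustration, and the parent-domain split is a simplification that ignores multi-label public suffixes.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log of (referer, requested URL) pairs. Addresses come from
# documentation ranges and hostnames are placeholders, not values from the post.
SAMPLE_LOG = [
    ("http://sports.example/scores", "http://192.0.2.10/in.php?x=1"),
    ("http://192.0.2.10/in.php?x=1", "http://qx1.junk.example/go"),
    ("http://fashion.example/", "http://198.51.100.7/in.php?x=2"),
    ("http://198.51.100.7/in.php?x=2", "http://zz9.junk.example/go"),
    ("http://kids.example/", "http://198.51.100.7/in.php?x=3"),
    ("http://198.51.100.7/in.php?x=3", "http://ab4.junk.example/go"),
    ("http://news.example/", "http://cdn.news.example/app.js"),
]

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def ip_hops(log):
    """Map each IP-literal destination to the named sites that referred to it."""
    hits = defaultdict(set)
    for referer, url in log:
        src, dst = host_of(referer), host_of(url)
        if is_ip_literal(dst) and src and not is_ip_literal(src):
            hits[dst].add(src)
    return dict(hits)

def subdomain_churn(log, min_subdomains=3):
    """Parent domains reached from an IP-literal referer via many subdomains."""
    seen = defaultdict(set)
    for referer, url in log:
        dst = host_of(url)
        if (is_ip_literal(host_of(referer)) and not is_ip_literal(dst)
                and dst.count(".") >= 2):
            seen[dst.split(".", 1)[1]].add(dst)  # naive parent: drop first label
    return {p: sorted(s) for p, s in seen.items() if len(s) >= min_subdomains}
```

An IP-literal host fed by several unrelated referers, followed by many distinct subdomains under one parent, is the pattern worth triaging; either signal alone is noisy.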