Monthly Malvertising Update: More Fake Antivirus
When last we looked at this never-say-die malvertising network, it was using IP-based URLs to funnel people to a Fake AV attack.
Well, they're still at it... The recent traffic comes from a couple of evil sites: 184.108.40.206 and 220.127.116.11. In the case of the latter one, it's getting all of its traffic from covers.com, a sports betting site. In the case of 18.104.22.168, the traffic is coming from a variety of sites: kids-in-mind.com, universalnightlife.com, blackcelebkids.com, thefashionspot.com, and more...
After bouncing through some junk subdomains on the whimsically named dreamfolk.info, the traffic ends up in a family of fake-antivirus sites with names like these:
and so on. (There are a LOT of variants.) There, a victim would see a warning like this:
(Let's see... Only one spelling error, and one awkward phrase, so I'd probably give the Bad Guys a B+ for the believability of their warning message this time.)
If you accept their offer to "Clean computer", you get a program called, simply enough, setup.exe.
Running a sample through VirusTotal yielded a less-than-encouraging 8 hits:
Fortunately, WebPulse is on guard...
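The funnel described above (referring site, IP-literal hop, throwaway dreamfolk.info subdomain, then setup.exe) is something a defender can pull out of proxy logs by chaining referers. The following is an added example, not code from the original post or from WebPulse; the three-field log format, the `xk3` subdomain and the `fake-av-landing.invalid` landing host are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlparse
# Constructed proxy log, one request per line: "client referer url", "-" = no
# referer. The referring site, IP-literal hop and dreamfolk.info hop mirror
# the post; the landing host is a placeholder, not a real fake-AV domain.
SAMPLE_LOG = """\
10.0.0.5 - http://www.covers.com/ncaab/
10.0.0.5 http://www.covers.com/ncaab/ http://220.127.116.11/in.cgi?3
10.0.0.5 http://220.127.116.11/in.cgi?3 http://xk3.dreamfolk.info/go.php
10.0.0.5 http://xk3.dreamfolk.info/go.php http://scan.fake-av-landing.invalid/scan/
10.0.0.5 http://scan.fake-av-landing.invalid/scan/ http://scan.fake-av-landing.invalid/setup.exe
10.0.0.7 - http://www.kids-in-mind.com/
10.0.0.7 http://www.kids-in-mind.com/ http://www.kids-in-mind.com/style.css
"""
def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False
def parse_log(text):
    """Return (client, referer or None, url) tuples, one per log line."""
    return [(c, None if r == "-" else r, u)
            for c, r, u in (line.split() for line in text.splitlines())]
def referer_chains(rows):
    """Per client, walk each request's referer links back to the first hop
    that has none and yield (client, [urls oldest first])."""
    by_client = {}
    for client, referer, url in rows:
        by_client.setdefault(client, {})[url] = referer
    for client, referer_of in by_client.items():
        for url in referer_of:
            chain, cur, seen = [], url, set()
            while cur and cur not in seen:  # seen guards against referer loops
                seen.add(cur)
                chain.append(cur)
                cur = referer_of.get(cur)
            yield client, chain[::-1]
def suspicious_chains(rows, min_hosts=3):
    """Flag chains that hop through an IP-literal host and end in an .exe
    download: the referrer -> IP URL -> junk subdomain -> setup.exe funnel."""
    flagged = []
    for client, chain in referer_chains(rows):
        hosts = [urlparse(u).hostname or "" for u in chain]
        distinct = [h for i, h in enumerate(hosts) if i == 0 or h != hosts[i - 1]]
        if (len(distinct) >= min_hosts and any(map(is_ip_literal, distinct))
                and urlparse(chain[-1]).path.lower().endswith(".exe")):
            flagged.append((client, distinct))
    return flagged
```

Running `suspicious_chains(parse_log(SAMPLE_LOG))` flags only the covers.com client's chain; the kids-in-mind.com client, whose requests never leave its own host, is left alone.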