The emails Sophos has encountered contain malicious HTML attachments, which the firm has labeled as Troj/JSRedir-CH and Mal/FakeAV-EI (fake anti-virus).
Sophos said recipients of these emails who open the HTML files will have their web browser directed to a compromised website containing a malicious iFrame. This will allow for the subsequent launch of the fake anti-virus – a ruse that aims to convince owners of infected machines that their security has been compromised and that they must pay to remove the infection.
As Fraser Howard, a principal researcher in SophosLabs, said in a video posting about fake anti-virus attacks, what it really does is trick users into paying to remove threats that never existed on the machine. He would go on to characterize fake anti-virus as one of the most prevalent internet-based attacks because it’s one of the most lucrative scams available to cybercriminals.
Sophos has come across emails spreading the fake anti-virus attack with the following subject lines:
- Parking Permit and/or Benefit Card Order Receipt (<random number>)
- You're invited to view my photos!
- Appointment Confirmation
- Your Bell e-bill is ready
- Your Vistaprint Order Is Confirmed
- Vistaprint Canadian Tax Invoice (<random number>)
Graham Cluley, senior technology at Sophos, said fake anti-virus attacks are effective because it “often disguises itself as a bogus version of McAfee VirusScan”.
“Once a user's computer is infected with fake anti-virus, the software will continue to bombard the user with bogus warning messages to encourage them to pay for threats to be removed or install more malicious code onto their PC”, he warned in a recent security blog posting. “If computer users are concerned about the security of their machine, they should go directly to a legitimate IT security site, rather than put their trust in a criminal hacking gang."