Google Doodles are special cartoons that Google replaces its normal logo with on key dates or anniversaries though the year. Last Wednesday, for example, the Doodle was a tribute to Martha Graham, a famous modern art dancer
Patrick Schvnherr, a researcher with Avira, says that clicking this Doodle led users to several search responses to Martha Graham, with some images being displayed high up in the search results.
"Clicking one of the `infected' thumbnails opened a website which is hosting the malicious file. Whilst the website is loading, the user gets redirected to a randomly generated URL", he said in his latest security blog.
"The websites are hosted on the .co.cc domain, which is quite often related with malicious content and activities. Right after the redirect, Internet Explorer shows a popup", he added.
According to Schvnherr, scareware often uses this approach to trick users into clicking the `OK' Button. Confirming the popup with `OK' then opens a new Internet Explorer window which looks quite similar to the `My Computer' section in Windows Explorer, showing fake hard drives and other icons in the browser.
During the fake AV scanning process, the Avira researcher says that fake infection messages then pop up, offering users the choice of `remove all' and `cancel.' mimicking the appearance of Windows Defender.
It's at this stage that the real scareware download is triggered and a fake antivirus scanner - SecurityScanner.exe - is downloaded. The scareware then offers the `infected' user a licence for the software for the price of $79.95, he notes.
"The business strategy behind such a fake antivirus company looks really professional. You can purchase licences and pay them by credit card. Some of them even offer a support hotline for their product, where the user gets hints on how to remove real virus products", he goes on to say.