Malware purveyors are using a popular women’s clothing brand and the ICQ instant messaging service to quickly spread fake anti-virus software come-ons to thousands of potential victims, according to a security bulletin issued today by AV software vendor Kaspersky.
ICQ users over the past few days have had their chats interrupted by an “Anti-virus 8” pop-up that materializes just as the service starts fetching or displaying new ads. These fake AV scams are commonly referred to as scareware because they attempt to scare people into buying the bogus security app after a meaningless scan reports that their PCs or mobile devices have been infected.
In reality, the scareware apps themselves are the ones responsible for infecting a user’s computer. Once installed, they attempt to blackmail victims into paying $40 or $50 for the “cure” while simultaneously using the newly infected computer to spread more scareware.
Kaspersky Lab researchers identified the offending page distributing the malware as charlotterusse.eu, a fabricated website designed to look as if it’s affiliated with the Charlotte Russe women’s clothing chain.
“Going by the added iframe, it looks like this store’s ad server was hacked, right? Not quite. I did some digging around and found that none of these servers — other than charlotterusse.com — actually related to this brand of clothing,” Roel Schouwenberg, a senior malware researcher at Kaspersky, wrote in a blog posting.
This detail means, according to Schouwenberg, that the hackers behind this scareware racket deliberately went out of their way to make it appear as though the server hosting the official Charlotte Russe site had been hacked.
“By making it look like their server got compromised, the criminals can claim it isn’t them who are responsible for distributing the malware,” he added. “The ad distributor is very likely to simply give them a warning, which gives these criminals at least one more shot at infecting more machines.”
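The deception described above rests on an injected iframe whose host (charlotterusse.eu) merely resembles the brand's real domain (charlotterusse.com). The following added example, which is not code from the article or from Kaspersky, shows how an ad distributor or site owner could audit a creative for iframes pointing at lookalike domains; the allowlist, the sample creative and the example-adnet host are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the brand actually operates (constructed for this example).
BRAND_HOSTS = {"charlotterusse.com": "Charlotte Russe"}

# Constructed ad creative: a normal banner plus a hidden 1x1 iframe to a lookalike domain.
SAMPLE_CREATIVE = """<div class="ad"><img src="https://cdn.example-adnet.test/banner.gif">
<iframe src="http://charlotterusse.eu/promo.html" width="1" height="1"></iframe></div>"""


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in an ad creative."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag names
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def second_level_label(host):
    """Label just before the TLD, e.g. 'charlotterusse' for 'www.charlotterusse.eu'.
    Simplified: does not handle multi-part public suffixes such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host):
    """'trusted' if the host is the brand's own domain or a subdomain of it,
    'lookalike' if it reuses the brand's label under another TLD, else 'unknown'."""
    host = host.lower()
    for brand_host in BRAND_HOSTS:
        if host == brand_host or host.endswith("." + brand_host):
            return "trusted"
    for brand_host in BRAND_HOSTS:
        if second_level_label(host) == second_level_label(brand_host):
            return "lookalike"
    return "unknown"


def audit_creative(html):
    """Return a (src, verdict) pair for every iframe found in the creative."""
    collector = IframeCollector()
    collector.feed(html)
    return [(src, classify_host(urlparse(src).hostname or "")) for src in collector.srcs]
```

A 'lookalike' verdict on a hidden iframe is the signal to hold the creative for review rather than serve it; an 'unknown' host is not necessarily malicious, only unverified.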
Examples of these more sophisticated and better-concealed malware campaigns continue to crop up on a weekly basis, security researchers say, making it harder than ever for consumers to avoid them and for legitimate ad distributors and authorities to shut them down.
Just last week, a URL shortening service was used to distribute scareware throughout Twitter, redirecting tweeters to a site hosting the “Security Shield” rogue AV app.
Kaspersky researchers said they have advised Yield Manager, the ad distributor being manipulated in this latest hoax, of the scam and are awaiting a response.
“This is another example of how trusted programs can be used to attack computers,” Schouwenberg said. “It goes to show that anti-malware protection is needed no matter what the circumstance.”