Saturday, April 14, 2018

Fake 'Virus Detected' Scam

So, anyway, I get a lot of these scam pitches each day. The email looks something like this ...



Sometimes the email purports to be from Fedex, and sometimes it tells me I have broken pictures, but however it comes, it tells me to "Click here".

If you do, you are taken to a fake "virus detected" screen, that looks a lot like this ...



This kind of thing has been around for ages, and the idea is that they try to get you to call the 888 number, where they try to convince you to give them remote access to your computer, so that the nice technician can "help" you.

It's not exploitive, per se, but it would be a significant nuisance to a non-techie, because it hijacks the browser enough that you can't close the browser, and get rid of it. It must work a bit, because they keep trying it.

This is the sort of thing I took great pleasure in blocking, when I had a suitable product in a previous life, so I thought I'd see who was blocking it today.

It only serves that page the first time you go to it, and after that, either takes you to a (probably) fake Canadian Pharmacy (usually somewhere in Russia), or a Diet Pills site, so in order to test against a number of products, I used a thing called HttpReplay, to capture the initial sockets, and then to replay it against the eight products I had readily to hand.

I made sure that each product was able to update itself, and declare itself "current",and then I opened the socket trace, and pretended to cruise to the website. Pretty much doing what a regular user might have done. All products are the consumer versions, and are installed with default options, just as a normal end-user might. Here are the scores

McAfee Miss
Sophos Block
Eset Miss
Avast Miss
Symantec Block
Kaspersky Miss
Panda Miss
Avira Miss

Obviously, I'm not saying that this proves anything much, except that I reckon everyone should be blocking this sort of thing, because if I'm seeing it every day, chances are that lots of people are.

No comments: