Hacked Kaspersky Download Site Directs Users to Fake Antivirus
Hackers have caused serious embarrassment for a major security technology company. Kaspersky Lab's Website was hacked over the weekend, sending customers looking for security software to an external download page pushing counterfeit software.
When users tried to download software from Kaspersky on Oct. 17, they were redirected to a malware site that tricked users into downloading fake antivirus software called Security Tool. Once executed, Security Tool displays pop-ups reporting a number of vulnerabilities and threats "found" to scare users into buying what it says is a full version in order to fix these problems.
Users posted about the attack on various online forums, but said Kaspersky denied any kind of a breach had happened, even after a post from someone thought to be a Kaspersky Japan employee said the issue was fixed.
The company finally admitted to IT Pro on Oct. 19 that it had been hacked, saying the redirection to the scareware site had lasted only 3.5 hours on Oct. 17. When the company was notified, it took the affected server offline within 10 minutes, Kaspersky told IT Pro.
"Currently the server is secure and fully back online, and Kaspersky products are available for download," the company said to IT Pro.
Affected Kaspersky users posted about the hacked site on three different forums: security-oriented Calendar of Updates, Yahoo Answers and Kaspersky's own Kaspersky Lab forum. Kaspersky either didn't respond to queries, or denied there was a problem on the site.
On the Kaspersky Labs forum, a user called to report the breach but said Kaspersky blamed the victim, suggesting the user must have clicked on a phishing link or mistyped the URL and landed on a fake site. When the user pointed out the redirect still happened when clicking on the download link in an order confirmation e-mail from seven months ago, the company said, "That e-mail was probably a fake e-mail."
The poster complained, "Now, Kaspersky didn't want to help my father and wanted money to help him clean up the infection they caused."
Kaspersky is staying quiet on the details of how the hackers got control, but said it was a bug in a "third-party application used for site admin" on the Kasperskyusa.com Website, according to Trend Micro's CounterMeasures security blog.
Fake antivirus software is commonly spread via phishing scams and pages created specifically to appear high in search results. However, "this compromise of a legitimate download site, particularly a security vendor, could represent an important new change of tactics by the scareware pushers," Rik Ferguson wrote on CounterMeasures Oct. 19.
Users were more angry about Kaspersky's silence and refusal to admit to a problem than the hack itself. While they'd recognized the scareware tactic immediately, less security-savvy users could have been duped and installed the software. Kaspersky's silence provided those users with no guidance as to what to do next.
On the Calendar of Updates forum, a concerned user wrote, "Not sure what more I could do. I would like a bit of transparency, but I guess that no security company will come out and admit that their own Website got hacked."
"Security vendors have often been the target of both malicious and mischievous hackers and, without fail, honesty and transparency have always been the best policy in the aftermath of such an event," wrote Ferguson.
This is not Kaspersky's first breach. In early 2009, an update to Kaspersky's support site created a security hole in the database that exposed customer e-mail addresses and product activation codes via a SQL injection attack. The hacker informed Kaspersky, who immediately fixed the bug.
Various Kaspersky international sites have been defaced at least 36 times since 2000, according to ZDNet's Zero Day security blog.
No user information was compromised in Sunday's attack, Kaspersky said.